Jetpack Publicize Pushed Garbage to Social Media Accounts

I have found our main website (the one my email is at) is also pushing to our facebook page daily – sometimes twice a day – 1st instance on the 14th of this month. That site does NOT have broken link checker or wordfence.

Common to all sites so far, infintewp management and yoast seo I think.

most of these posts are 2:00AM – but some are 1:00AM, others on random minutes and different times a day.

Ok disabled that plugin across all sites. Will report back what happens in the next 24 hours.

Thank you both for bearing with me, and running those tests. I’m looking on my end as well, trying to reproduce, and going through our logs to try to get more information about this.

not sure if this is relevant, but all sites are on cloudflare free service.

on our own site – it’s 02:00 – looking at the apache logs for 02:00:00 to 02:00:59 the common thing I find is a “POST /wp-cron.php?doing_wp_cron=[blah]” – where [blah] is my removing the real url details in case they’re able to be mis-used.

Looking into this a bit more, do you both happen to be WordFence Premium customers? Do you use their scheduled scan feature? Do the Publicized posts match the time of the scans?

a number of files changed in 4.3.1 > 4.3.2 which mention cron:

jetpack/class.jetpack.php
jetpack/json-endpoints/jetpack/class.jetpack-json-api-sync-endpoint.php
jetpack/json-endpoints/jetpack/json-api-jetpack-endpoints.php
jetpack/sync/class.jetpack-sync-actions.php
jetpack/sync/class.jetpack-sync-defaults.php
jetpack/sync/class.jetpack-sync-module-callables.php
jetpack/sync/class.jetpack-sync-sender.php
jetpack/sync/class.jetpack-sync-settings.php

ok – too long a list – those were files which changes in the update which contain cron at all – this is the list of files which changed and the CHANGE involved cron – based on a diff of 4.3.1 and 4.3.2 files:

jetpack/json-endpoints/jetpack/class.jetpack-json-api-sync-endpoint.php
jetpack/json-endpoints/jetpack/json-api-jetpack-endpoints.php
jetpack/sync/class.jetpack-sync-actions.php
jetpack/sync/class.jetpack-sync-defaults.php
jetpack/sync/class.jetpack-sync-settings.php

no wordfence premium. Wordfence is not on all the sites doing this.

We did indeed make changes to your posts’ synchronization to WordPress.com in 4.2, and that’s what causing these posts to be publicized.

Those posts weren’t synchronized with WordPress.com before, but because we’ve improved the way sync works, they now get synchronized, and thus publicized.

I just found those posts in our logs, and they don’t seem like regular posts; specifically, they don’t have a post status or a registered post type. We’re trying to see if we can stop these posts from being publicized from our end, but it would still be very interesting to find out what plugin or service is actually creating those posts in your site’s databases.

@jamas For example, post ID 872 is one such post on the site you mentioned earlier. Would you be able to find out more about it in your database, by looking at the wp_posts table looking for that post ID, and checking its content and meta data?

in my cases, and I’ve found at least 6 sites doing this without digging into customer/managed sites, they are all posts to the home page or / on the site. I wonder if it has anything to do with our migration method. We always develop on a subdomain and migrate using updraftplus+migrator. The vc-cycling site was a port from another cycling site for the same site owner, again, updraftplus migration, but not from a subdomain, just a totally different domain.

16 of the sites I have managed are running jetpack – and as every day goes by, the cleanup is getting more and more work. ??

We’ve just deployed a change on our end, to block those kinds of posts from being publicized, so hopefully that will help!

Let me know how it goes!

It looks like these are Infinite WP generated custom post types. For the 872 post here is the info, just in case it helps you refine the blocking.

post_title = iwp_log_58098a3893990
post_name = iwp_log_58098a3893990
post_status = published
post_type = iwp_log

_wpas_done_all = 1
iwp_log_type = plugins
iwp_log_action = update
iwp_log_activities_type = iwp_log
iwp_log_actions = plugins-updated
iwp_log_details = **removed list of plugins**

We run all out sites from IWP and have several cron items like database and file backups that run. They all happen to coincide with the same time as the posts to social media. I think this must be it.

I will also raise this with the IWP folks so they aware. Them seem to only be keeping the last 30 days of iwp_log post types.

I will leave broken link checker turned off for tonight and enable it again if nothing pops up.

@jeherve thanks for working this issue. Let me know if you want to conduct any tests from our end on the test site.

@jamas Thanks for the extra details!

Did you all see any random links to posted to your Social Media accounts this weekend?

No problems over the weekend. I had left the Broken Link checker off for the weekend. I will turn it back on but I don’t imagine this will be an issue.

I have a thread going with Infinite WP team now on this. I am not sure what the filter is that Jetpack added to stop these post from getting pushed. To me this is a hard problem for Jetpack to figure out. If I am using custom post types either coded by me or added as part of a plugin/theme and those post types are visible to users then I would want to have Jetpack push those to social medie. I am not sure if the WordPress community would suggest that plugin developers don’t use the post table in such a way. At the very least I think those “internal” post types should be marked as draft or maybe private, which would be much easier and probably already a common method for a plugin developer to filter on.