• This past month I’ve had a dose of spam blog posts that show up once or twice a week in bulk.

    This is not comment spam – but actual blog posts that clog up my RSS feed and automatically appear on my blog page with random images as feature images.

    They show up ONLY to the default “uncategorized” tag.

    I put new passwords on my admin access and changed the admin name – still happens.
    I have tried renaming the “uncategorized” tag – still happens.
    I have installed multiple WordPress ‘stop spam’ plugins – still happens.
    I have deleted all the plugins I wasn’t using – still happens.
    I have deleted and re-installed all the other plugins – still happens.
    I have upgraded everything to the latest version – still happens.
    I have blocked the default category from posting – stops them from appearing on the website, but they still show up in the RSS feed.

    The only connection across everything is that the posts ONLY appear in the DEFAULT category, regardless of what the category is called.

    Is there a way to completely remove (not block) WordPress from accepting ANYTHING to a default category?

    Any other suggestions?

    Thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Probably your site was hacked. Besides everything you already did, this checklist can guide you through additional steps. Even updating everything, you can still have an altered file that is messing with your installation.

    A good idea is installing a plugin like Wordfence that automatically scans all your files. You can read more about it here and here.

    About posts only going to uncategorized tag, this is the default behavior for posts programmatically published. Another clue that sadly you’ve been hacked.

    Once you have backed up your website, remove all the files and upload a new base install of WordPress and see if it continues. If it does it is likely not related to the WordPress application but rather to a server level exploit.

    In that instance there is little any addon plugin can do to assist other than catch the file injections and try to restore an original fileset. In that instance your best option is to move to a better webhost.

    Reuploading files will not solve it if the database was already hacked. It will also not help if some password was discovered. Of course there is a chance that this is a host problem/server level exploit, but just reuploading files won’t prove that it’s not related to WordPress. Right?

    I do not completely disagree with @te_taipo, but maybe it has seemed easier than it really is.

    Thread Starter hockeygal28

    (@hockeygal28)

    Thanks Felipe – weird that I did try Wordfence and it didn’t find anything, plus I’m running security software with my host and it keeps coming up malware free, too.

    Thank you so much for the checklist link! I’ll start going through it.

    And yes @te_taipo I was considering having to nuke the site as a last resort. I’m just hoping it doesn’t come to that but probably what will happen.

    Thanks for the assistance!

    Let’s think about this…

    If they are using the admin account then it’s possible they are finding your password… maybe you need to use two-factor authentication… at least for a while.

    If they are posting as a random user then it’s possible they have access to user accounts or maybe you have ‘allow new users’ set as more than a subscriber. If the new users have the contributor or editor privileges then they can post.

    If they have somehow found the post by email authentication then they might be using that.

    If you are running any kind of syndication inbound the culprit may have found his way in via those systems. It’s also possible they are making use of the XML remote procedure calls.

    You also mentioned that the posts clutter up your RSS feeds. This may be because you have your RSS feeds set to full posts instead of Summaries. You normally want anyone using your RSS feed to receive just enough of a post to decide if they wish to see the whole post by clicking the read more link.

    Though the RSS feed isn’t the problem, if I was a spammer I’d be happy to find a site with RSS feeds set up as above.

    As to your concerns about using the uncategorized category, that’s probably used because that category exists across all WordPress installs.

    So if your site isn’t actually hacked then you need to secure things a little tighter and figure out how this user is getting in.
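One way to narrow down which of the entry points listed in the reply above is in use, as an added example that is not part of the original thread: correlate the publish times of the spam posts with requests in the web server access log. The log format (combined), the default WordPress paths, the 10-second window and all sample data are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# (method, path) pairs that can create a post on a default WordPress install.
ENTRY_POINTS = {
    ("POST", "/xmlrpc.php"): "XML-RPC",
    ("POST", "/wp-json/wp/v2/posts"): "REST API",
    ("GET", "/wp-mail.php"): "post by email",
    ("POST", "/wp-admin/post.php"): "admin editor",
}
# Combined log format: ip - user [time] "METHOD path PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip malformed lines instead of crashing mid-triage
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def suspects(log_lines, post_times, window=timedelta(seconds=10)):
    """Count (vector, ip) pairs whose non-error request landed at most
    `window` before a spam post's publish time (post_date_gmt, as UTC)."""
    events = [e for e in map(parse, log_lines) if e]
    tally = Counter()
    for post_time in post_times:
        for ip, when, method, path, status in events:
            vector = ENTRY_POINTS.get((method, path))
            if vector and status < 400 and timedelta(0) <= post_time - when <= window:
                tally[(vector, ip)] += 1
    return tally

# Constructed sample data: documentation IP ranges, invented timestamps.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:04:10:01 +0000] "GET /feed/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Jan/2024:04:15:58 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412',
    '198.51.100.23 - - [01/Jan/2024:04:16:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 409',
    '192.0.2.44 - - [01/Jan/2024:09:30:12 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
    'garbage line',
]
SAMPLE_POSTS = [
    datetime(2024, 1, 1, 4, 15, 59, tzinfo=timezone.utc),
    datetime(2024, 1, 1, 4, 16, 31, tzinfo=timezone.utc),
]

if __name__ == "__main__":
    for (vector, ip), n in suspects(SAMPLE_LOG, SAMPLE_POSTS).most_common():
        print(f"{n} spam post(s) follow a {vector} request from {ip}")
```

XML-RPC answers with HTTP 200 even for calls it rejects, so a match is a lead to confirm against the author recorded on the spam post, not proof of the entry point.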

    @felipeelia

    “but just reuploading files won’t prove that it’s not related to WordPress. Right?”

    I read through the list of tests @hockeygal28 noted, and it appears on the face of it that an attacker is able to inject a post into the database unauthorised.

    The last time WordPress core was vulnerable to such a thing was version 4.7.1.

    However:

    “I have upgraded everything to the latest version – still happens”

    In most cases even rogue code stored in the database, a.k.a. a *hacked database*, has to be accessed via some insecure code inserted into WordPress core files, or a file that is uploaded to the server, or via a faulty plugin or theme.

    By testing your website with a default set of WordPress files, even against a database that has been compromised, it eliminates a bulk of the possible entry points. Yes, it is still possible for rogue code in the database to pilfer an admin’s password on entering it; it’s not as common, though, as the usual file uploads, appended code, etc.
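The comparison against a default set of WordPress files can be done without wiping the site first. The following is an added example, not part of the original thread: it hashes the live install against an unpacked clean copy and reports altered core files, files core never shipped, and scripts sitting in the uploads folder. It assumes the clean copy is the official archive of the same WordPress version, and the skip list and suffix list are choices made for the example.

```python
import hashlib
import sys
from pathlib import Path

# Paths that legitimately differ from a fresh download and are skipped in the
# comparison (assumption: themes and plugins are reinstalled separately).
SITE_SPECIFIC = ("wp-config.php", ".htaccess", "wp-content/")
SCRIPT_SUFFIXES = (".php", ".phtml", ".phar")

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def tree(root):
    """Map 'relative/posix/path' -> Path for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def audit(live_root, clean_root):
    live, clean = tree(live_root), tree(clean_root)
    report = {"modified": [], "unexpected": [], "script_in_uploads": []}
    for rel, path in sorted(live.items()):
        # Uploads should hold media only; a script there deserves a look.
        if rel.startswith("wp-content/uploads/") and rel.lower().endswith(SCRIPT_SUFFIXES):
            report["script_in_uploads"].append(rel)
        if rel.startswith(SITE_SPECIFIC):
            continue
        if rel not in clean:
            report["unexpected"].append(rel)       # file core never shipped
        elif digest(path) != digest(clean[rel]):
            report["modified"].append(rel)         # core file that was altered
    return report

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python audit.py /path/to/live/site /path/to/clean/wordpress
    for kind, files in audit(sys.argv[1], sys.argv[2]).items():
        for rel in files:
            print(f"{kind}: {rel}")
```

WP-CLI's `wp core verify-checksums` performs the core-file half of this check against the official checksums.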

  • The topic ‘Spam blog posts only the default cagetory’ is closed to new replies.