WP E-Commerce Spam Registration

Feb 10, 2014 by Mark Ward in Miscellaneous

One of my clients had an issue where their site was receiving thousands of spam users registering on their site. This caused his site to be overloaded, and it was eventually suspended. I initially thought the problem was a spam bot side-stepping captcha; however, that was not the case.

After going through the usual troubleshooting (disabling/enabling plugins one-by-one), I discovered that the issue was only present when WP E-Commerce (version 3.8.13.3) was activated. This issue only surfaced after updating from 3.8.12.1.

Apparently WP E-Commerce versions greater than 3.8.12.1 had an update in code that somehow causes thousands of fake users to be registered. It looks a lot like spam, with user names all beginning with an underscore and looking something like “_aDKCskas”. It will continue adding customers nonstop, ultimately using up resources on the site server.

It was a bit frustrating because the same version on other servers didn’t seem to have this problem. Something the WP E-Commerce shopping cart developers did really jacked things up. If you update WP E-Commerce and notice spam users, reverting to version 3.8.12.1 seems to fix the issue. Previous versions can be found here: http://wordpress.org/plugins/wp-e-commerce/developers/

So I would advise not to update WP E-Commerce anytime soon, unless you have some time to test it and make sure this same issue is not happening to you.
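One way to check a site or a staging clone for the symptom described above is to count underscore-prefixed logins per hour of registration. This is an added example, not code from the plugin or the original post: it assumes the standard `wp_users` columns `user_login` and `user_registered`, runs against constructed sample rows in SQLite so it works offline, and uses a hypothetical burst threshold.

```python
import sqlite3

# Constructed sample rows standing in for wp_users (ID, user_login, user_registered).
SAMPLE_USERS = [
    (1, "admin", "2014-01-02 09:15:00"),
    (2, "jane_doe", "2014-01-20 14:03:11"),
    (3, "_aDKCskas", "2014-02-08 03:00:01"),
    (4, "_Qz81LmPw", "2014-02-08 03:00:04"),
    (5, "_hT5vXeRn", "2014-02-08 03:00:09"),
    (6, "_mK2pWsYd", "2014-02-08 04:12:30"),
    (7, "shopper42", "2014-02-08 04:20:00"),
]

def build_sample_db():
    """In-memory stand-in for the WordPress users table (assumption: SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def underscore_registrations_per_hour(conn):
    """Count accounts whose login starts with a literal underscore, grouped by hour.

    In LIKE, "_" is a single-character wildcard, so an unescaped '_%' matches
    every non-empty login; the ESCAPE clause makes the underscore literal.
    """
    return conn.execute(
        r"""
        SELECT substr(user_registered, 1, 13) AS hour, COUNT(*) AS n
        FROM wp_users
        WHERE user_login LIKE '\_%' ESCAPE '\'
        GROUP BY hour
        ORDER BY hour
        """
    ).fetchall()

def suspicious_hours(conn, threshold=3):
    """Hours with at least `threshold` such signups (threshold is a hypothetical cutoff)."""
    return [(h, n) for h, n in underscore_registrations_per_hour(conn) if n >= threshold]

if __name__ == "__main__":
    db = build_sample_db()
    for hour, n in underscore_registrations_per_hour(db):
        print(hour, n)
    print("burst hours:", suspicious_hours(db))
```

A leading underscore is only a heuristic, since a legitimate user can pick such a name, so review the matches before deleting anything.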

It appears the WP E-Commerce Team is aware of the issue and is working to fix it, but, like any issue with major plugins like this, everyone wants it resolved yesterday.

For more information have a look at this ongoing forum dialog:
http://wordpress.org/support/topic/spam-users-in-wp_users-after-wpsc-upgrade

Some words of advice:

  • Set up test sites for your clients, so you can catch these issues before they go live.
  • Always have backups of both your files and database.
  • Never update anything without backing everything up first.
  • Always check the changelog to see if the update is major.
  • Be sure to test the site post-update.
  • When everything checks out, then push the change to the live site.

I think we all know the right way to do things, but sometimes we get busy and cut corners. Most of the time it works out just fine. And then there are those days that things blow up and you are left trying to fix an issue that could have been averted if you had just done things right the first time.

Note: Some Premium WordPress hosts make this process much easier. One that I use often and have been happy with for the most part is WP Engine. They are a little on the pricey side, but it can save you a lot of time in the long run.

Life is much easier with happy clients.

  • Patrick Coleman

    Hi, I’m having this problem with one of my sites right now also. I have about 3000 bogus users in my wp_users table. New users are being added all the time but the total number seems to be dropping bit by bit?

    I see in the forums that these people have known about this for about 2 months and still haven’t fixed it. Not a very good response.

    If I roll back to version 3.8.12.1 will the database have any problems? Did version 3.8.13.3 do anything to the database?

    Thanks.

    Pat.

    • markwarddesign

      Sorry for the late response.

      The only database change I see in the changelog (http://wordpress.org/plugins/wp-e-commerce/changelog/) is this:

      Fix: Database Upgrade Routine to rename old wpsc* product metadata array keys so they no longer include the ‘wpsc’ prefix.

      You can clone your site and test it locally just to make sure.

      • Patrick Coleman

        Thanks for that info.

        Pat.