One of my clients had an issue where thousands of spam users were registering on their site. This caused the site to be overloaded, and it was eventually suspended. I initially thought the problem was a spam bot side-stepping the captcha; however, that was not the case.
After going through the usual troubleshooting (disabling/enabling plugins one-by-one), I discovered that the issue was only present when WP E-Commerce (version 3.8.13.3) was activated. This issue only surfaced after updating from 3.8.12.1.
Apparently WP E-Commerce versions greater than 3.8.12.1 had an update in code that somehow causes thousands of fake users to be registered. It looks a lot like spam, with user names all beginning with an underscore and looking something like “_aDKCskas”. It will continue adding customers nonstop, ultimately using up resources on the site server.
It was a bit frustrating because the same version on other servers didn’t seem to have this problem. Something the WP E-Commerce shopping cart developers did really jacked things up. If you update WP E-Commerce and notice spam users, reverting to version 3.8.12.1 seems to fix the issue. Previous versions can be found here: http://wordpress.org/plugins/wp-e-commerce/developers/
So I would advise not to update WP E-Commerce anytime soon, unless you have some time to test it and make sure this same issue is not happening to you.
It appears the WP E-Commerce Team is aware of the issue and is working to fix it, but, as with any issue in a major plugin like this, everyone wants it resolved yesterday.
For more information have a look at this ongoing forum dialog:
http://wordpress.org/support/topic/spam-users-in-wp_users-after-wpsc-upgrade
Some words of advice:
- Set up test sites for your clients, so you can catch these issues before they go live.
- Always have backups of both your files and database.
- Never update anything without backing everything up first.
- Always check the changelog to see if the update is major.
- Be sure to test the site post-update.
- When everything checks out, then push the change to the live site.
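As a post-update check for the symptom described above (user names beginning with an underscore, added nonstop), here is an added example that is not part of the original post or the plugin's code. It assumes a CSV export of the `wp_users` table with `user_login` and `user_registered` columns; the sample rows and the `max_per_hour` threshold are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of a user export with two columns
# (user_login, user_registered); the values are made up for illustration.
SAMPLE_EXPORT = """user_login,user_registered
admin,2013-11-02 09:15:00
jane.doe,2014-01-20 14:03:11
_aDKCskas,2014-03-05 10:00:01
_Qw8LmZpx,2014-03-05 10:00:04
_t7YbNcRe,2014-03-05 10:00:09
_mK2sVhGd,2014-03-05 10:01:30
shop_manager,2014-03-05 10:02:00
_Zp4xJuWa,2014-03-05 11:20:45
"""


def find_suspect_users(export_text):
    """Return (login, registered_at) for every login starting with '_'."""
    suspects = []
    for row in csv.DictReader(io.StringIO(export_text)):
        login = row["user_login"].strip()
        if login.startswith("_"):
            when = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
            suspects.append((login, when))
    return suspects


def summarize(export_text, max_per_hour=3):
    """Count suspect accounts and find the busiest registration hour."""
    suspects = find_suspect_users(export_text)
    per_hour = Counter(when.replace(minute=0, second=0) for _, when in suspects)
    peak_hour, peak = per_hour.most_common(1)[0] if per_hour else (None, 0)
    return {
        "suspect_count": len(suspects),
        "peak_hour": peak_hour,
        "peak_registrations": peak,
        # max_per_hour is an assumed threshold; tune it to the site's normal signup rate.
        "alert": peak > max_per_hour,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT))
```

Run it against an export taken on the test site before and after the plugin update; a jump in `suspect_count` between the two is the signal to hold the update back from the live site.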
I think we all know the right way to do things, but sometimes we get busy and cut corners. Most of the time it works out just fine. And then there are those days when things blow up and you are left trying to fix an issue that could have been averted if you had just done things right the first time.
Note: Some premium WordPress hosts make this process much easier. One that I use often and have been happy with for the most part is WP Engine. They are a little on the pricey side, but it can save you a lot of time in the long run.
Life is much easier with happy clients.