I’ve been running websites since they existed, and WordPress-based ones for quite a while. I understand spamming and abuse from a technical and “marketing” perspective and get why spam abusers do many of the things they do.
But every WP site I’ve run collects crap registrations - “BobbyMalone/fredgrated@nosepick.pl” by the dozens, especially when some security tool springs a leak. I just updated a few plugins and added a dozen bogus domains to the ban list.
The thing is, I’ve had semi-abandoned sites that collect these registrations by the hundreds. None of them ever return, post any comments, post any articles (the few times newcomers were allowed to) or in any way ever make use of the registration. There are no links in the user profiles, no “bio” information that’s a spam message. Nothing.
What’s the point? Why are there these abusers continually cracking the low-level security stuff to post obviously bogus accounts that are then never revisited? And why has it gone on for years and years and years? It’s the online equivalent of “numbers stations,” IMHO.
Maybe, just maybe, they are trying to test security in order to crack the elusive and prized Admin log-in.
Mind you, I am utterly disillusioned with WordPress and its security model, extending to a general mistrust of PHP.
After they pulled that admin bar crap a few years ago I totally stopped updating — having previously waited up all night to do so religiously — and I found not-updated sites accrue no greater amount of crap than updated sites. I already had extensive security, and don’t get that bothered with stuff, except for thousands of imitation registrations. Which do no harm.
There have been some bad eras, but I’ve found processing updates on a weekly basis, or a little less, keeps things plenty tight. I spend far more time working down the registration list to tick and delete the bogus ones. They do seem to come in bunches after some exploit or another is found, usually in CAPTCHA - so I make sure that’s updated, change the parameters around, and usually have a month to six months before the next uptick in the curve.
It’s a decent platform. Not perfect.
But I am still mystified at the effort put into creating these regs - even if it’s 99-100% bot-driven, someone has to keep tinkering with the algorithms - when there is none, nada, zippo further use of them, even after years.
Think of them as throwaway keys — plastic shims produced by the million for a few pence — if they had got in, you would know it. In the olden times I understood they hired poor people in developing countries to crawl through the blogosphere: now you can buy automated exploits, set them up to look for WordPress logins/comment forms without ever looking at a site.
I wouldn’t bother clearing bogus registrations unless they load a database to the point it is easier to wipe them out with a SQL enquiry.
As for WP, nobody messes with my User Interface!
I still don’t understand - so they plastic-shim their way through a door that will open to any valid username/email/password combo they care to provide, into the waiting room and/or cheap seats. And apparently continue to do so at the rate of one or two attempts a day, if I am analyzing the user data correctly.
Where is it JoeMorrow (phatphreddie237@ebola.se) hopes to shim his way into? The 1:10^100 possibility that that email belongs to an admin account?
Longer: there are several distinct groups that do this for slightly different reasons.
Some spammers will register accounts, collect millions of them across many sites, then come back months or years later to post their payload.
Some use bots that register accounts hoping for elevated access (with blog post caps), then abandon those that are too restrictive.
Some register accounts in the hope of selling them.
Some use generic bots that indiscriminately hit almost any registration/comment/post form they see. They probably sift through the results later looking for certain things.
All that makes sense. It’s odd - I’ve had two or three login sites that collected scads of such registrations in their twilight years, and nothing ever came of them even after a year or more. I’d assume that such bulk registrations have some kind of lifespan and that there’s not much reason to wait a year, or six months, or even a short time before bombing them with content.
Either my sites are terribly boring to spammers or there’s still something unexplained here.
Since many users never change the administrator username from the default ‘admin’ half the work can be done for them.
Once in you can turn the site into a bot-machine, sending out millions of log-in attempts to take over more and more sites, each sending out millions of log-in attempts ad infinitum.
I’ve seen accounts left dormant for several years then activated by spammers for no obvious reason. They keep and trade stockpiles.
It’s likely they create accounts, then check to see if they’re visible to Google or some other target. If your old sites happen to rank in searches for knee braces, then one day when a client selling knee braces comes along, maybe they’ll activate them. I can’t say for sure that’s their strategy in your case, but certainly that sort of thing happens.
Also, spammers assume a high attrition rate. It’s easier for them to create a million accounts and then find the thousand or so that turn out to be useful, than it is for them to only create those thousand in the first place.
I think Claverhouse has confused registration spam with brute-force password attempts.
Nope. Would that it were so.
**What could happen when spam users register on your WordPress site?**
The website could be infected with malware.
Malicious code or shells can be uploaded to the website server.
The database can be affected by malicious code and shells.
Malware or other malicious attacks can destroy the database totally.
Articles can be posted on behalf of the website admin.
Spam users can gain access to the admin’s and other users’ account passwords.
The website can be hacked through uploaded shells and malicious code.
Which page has some useful suggestions — although CAPTCHA is deprecated and generally puts off regular users.
This site discusses fake registrations as a means of creating malicious profiles on your site: Google Webmaster Central.
It happens with Joomla! too:
I have been battling robot registrations since I created my Joomla 1.7 site. They seem to be skirting the regular registration process, and I cannot figure out how. I have JomSocial, Account Expiration Control, and even reCAPTCHA installed. The bots seem to register without me getting an email, and they don’t fill in any of the required forms.
A reply there, in re the above, says: There are specialised companies, offering an API, which allow you to essentially hire humans to solve CAPTCHAs and perform spam registrations… for $1 per 1000 CAPTCHAs or $1 per a few dozen registrations.
A WordPress site that’s overrun with spam users is something like a den of cockroaches, especially if you’re running BuddyPress. Spam updates flood your activity stream and the dashboard slows to a crawl. The spammers’ prime objective is to seize control of your WordPress site and drain your server of resources in order to illegally promote products. As soon as you notice this happening you’ll need to find a way to quickly delete all of these spam users.
And obviously many are seeking to elevate their site privileges from subscriber or member to author or user which gives them at the least posting privileges on your blog. From back in 2007, a comment on Lorelle’s blog:
I’m pretty sure that such registrations are done for future hack attempts. From time to time new security vulnerabilities may be discovered that will allow unprivileged users to post to the blog (when they are not supposed to) – so spammers will exploit this.
Yeah, I’m familiar with most of those “toxins.” I tend to run fairly focused sites and have the luxury of vetting users individually, so even with minor software leaks I am protected against most abuse user predations. The sites that want, encourage and enable hundreds of registrations a day and tens of thousands of users are going to be weak on any protection that requires human judgment.
I’ve disabled a lot of stuff. And I can’t list the number of devices such as changing code (on advice from the web: I am no inventive coder) and AntiSpam Bee and .htaccess tricks etc. added until one loses interest.
Still, anyone wanting to prevent bot logins can try this Russian trick. Change one of the form fields in wp-login.php (Udar Gromov): Did you notice that despite your best efforts to allow only human registrations, the ranks of your registered users keep growing? All these are dead records in your database. Each new user registration is one record in the “wp_users” table and about 15 new records in the “wp_usermeta” table. And none of them ever change their default password. Total waste.
You might even install a CAPTCHA plug-in to torture real human users with typing a four-digit code to confirm their humanity, but nothing helps. You monitor with dismay, and new users keep piling up in your database every day.
As for disabling the admin bar, I was told long ago on the WP.org forums, when a lot of people were up in arms, that one had better knuckle under and do as they said, since these plugins and tricks could interfere with future upgrades.
The core WordPress philosophy so emphasised of Decisions, Not Options, meaning developers decide and users can’t have options, seemed so contrary to Open Source that I abandoned WordPress as a platform. I even considered having it converted to Joomla! or a flat HTML site or anything; but then I realised it didn’t matter so long as I avoid WordPress in the future.
And of course, after all the tweaking and code changes, after a while one can’t begin to recall exactly what is done, and where…
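Two posts in this thread mention the cleanup side of the problem: wiping bogus registrations “with a SQL enquiry” once they clog the database, and the observation that each dead registration is one row in wp_users plus roughly fifteen in wp_usermeta. The following is an added example, not code from the thread or from any of the posters, of how a defender would do that cleanup safely in MySQL against a standard WordPress schema. It assumes the default wp_ table prefix (the capabilities meta key is named after the prefix, so a site using a different prefix must adjust both the table names and that key) and a hypothetical 180-day dormancy threshold.

```sql
-- Added example (not from the thread): review and remove dormant spam registrations.
-- Assumptions: default wp_ prefix, standard WordPress tables, 180-day threshold.
-- Criteria for "dormant": subscriber role only, registered more than 180 days ago,
-- never authored a post and never left a comment. Anyone who has content is
-- deliberately excluded, so nothing needs re-assigning afterwards.

-- Step 1: list the candidates and read through them before deleting anything.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"subscriber"%'          -- serialised role array
  AND m.meta_value NOT LIKE '%"administrator"%'   -- never touch admin rows
  AND u.user_registered < NOW() - INTERVAL 180 DAY
  AND NOT EXISTS (SELECT 1 FROM wp_posts    AS p WHERE p.post_author = u.ID)
  AND NOT EXISTS (SELECT 1 FROM wp_comments AS c WHERE c.user_id    = u.ID)
ORDER BY u.user_registered;

-- Step 2: freeze the reviewed ID list in a temporary table so that the two
-- deletes below operate on exactly the same set of rows.
CREATE TEMPORARY TABLE dormant_users AS
SELECT u.ID
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"subscriber"%'
  AND m.meta_value NOT LIKE '%"administrator"%'
  AND u.user_registered < NOW() - INTERVAL 180 DAY
  AND NOT EXISTS (SELECT 1 FROM wp_posts    AS p WHERE p.post_author = u.ID)
  AND NOT EXISTS (SELECT 1 FROM wp_comments AS c WHERE c.user_id    = u.ID);

-- Step 3: delete the usermeta rows first (they reference the user), then the
-- user rows, inside one transaction so a mistake can be rolled back.
START TRANSACTION;
DELETE FROM wp_usermeta WHERE user_id IN (SELECT ID FROM dormant_users);
DELETE FROM wp_users    WHERE ID      IN (SELECT ID FROM dormant_users);
-- Inspect the affected-row counts here; ROLLBACK instead of COMMIT if they
-- do not match the number of candidates listed in Step 1.
COMMIT;

DROP TEMPORARY TABLE dormant_users;
```

The point of the two-stage shape is that the SELECT is run and read first, and the DELETEs only ever act on a snapshot of that same list; take a database backup before Step 3 regardless. Going straight to the tables bypasses WordPress’s own wp_delete_user() bookkeeping, which is acceptable only because the criteria exclude anyone who owns posts or comments. If a site uses BuddyPress or other plugins that keep their own per-user tables, extend the query with the same NOT EXISTS pattern for those tables before relying on it.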