Thread: Are non-commenting people registering on your blog? Watch out!

  1. #1
    Join Date
    Dec 2007
    Location
    Alexandria, MN USA
    Posts
    6,041

    Are non-commenting people registering on your blog? Watch out!

    On one of my blogs I have recently received a lot of people registering but not posting a comment. Since this was new to me I had no knowledge of why but decided I should check it out. I was able to get the answer rather quickly—an important bit of information to have in hand.

    It relates to a hacker approach to breaking into your site. Perhaps everyone but me is aware of this, but if not I thought I would point it out so that no one needlessly has their site hacked and subsequently harmed in some way.

    Most bloggers want people to register before posting comments in order to avoid being flooded with spam. Well and good. But when people register they are given a level of access to your site. It is important, actually critical to make sure that access is limited.

    On the Dashboard, go to Settings, then the General tab. You will have a checkbox saying that anyone can register so that any visitor may register (so they can then post). Immediately under that is a dropdown list titled: New User Default Role. The selection here should be Subscriber. I cannot think of any reason to allow higher levels of access as the default for just anyone who comes to your site. You can assign a different level to individuals elsewhere.

    What happens is that hackers use robots as well as individuals to register to sites with the goal of finding sites that have set the level of access, perhaps inadvertently, to a higher level that will allow them to gain a degree of control. When they do they can damage the site.

    If anyone is unsure of their settings here, it is a good idea to check it out. I am unaware of any danger of the unwanted registrations as long as this setting is correct, but I expect to delete them as I have time.
    Good Success!

    Douglas County Master Gardeners
    Making money online is not difficult. What is difficult is the discipline one needs to stay focused on the process. —Kathleen Gage

  2. #2
    Join Date
    Jul 2010
    Location
    3rd Rock from the Sun
    Posts
    1,590


    Thank you for sharing this bit of information, James.

    While I don't use blogs, I do have Facebook Groups where I noticed spammers trying to register as members in order to post spam. I moderate all new threads to ensure all spammers are immediately banned. I do notice sometimes that the number of people requesting to join an FB group does not tally with the actual people requesting. I wonder what's lurking in the background.

  3. #3
    Join Date
    Jan 2014
    Location
    Tardis
    Posts
    481


    I let people comment without registering on my own blog. Then I use a combination of Akismet to check for comment spammers (that's been pretty solid so far) and that the 1st comment has to be approved by me. If they have one approved comment then they can comment as much as they like after that, as long as Akismet says they are good. I also have registration turned off to the blog. They can also comment through their social network of choice instead of typing it all out (courtesy of JetPack - such a great addon).

    I'm still not sure about letting people log onto my site with their WordPress credentials though. Think I'm going to leave that off for now.
    Last edited by STB; 01-07-2014 at 11:43 PM.

  4. #4
    Join Date
    Apr 2007
    Posts
    14,210


    James, this is excellent advice. Also, if you don't really have a need for people to register on your site you can also disable the registrations altogether by unchecking the box "Anyone can register." If you don't have a membership site or they don't need to register to post comments then there isn't really a reason to even use that feature.

    Also, make sure you aren't using the username "admin" for your login because if a bot can guess your password, they can get into your site and do damage. Fortunately WordPress no longer makes this the default username when you install.
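    The settings checks from post #1 (New User Default Role = Subscriber) and post #4 (untick "Anyone can register", don't keep an account literally named "admin"), as an added example that is not from this thread: a small WordPress must-use plugin written in PHP that pins those two options from code, demotes any account that somehow registers with a higher role, and shows an admin notice listing accounts with more than Subscriber rights. It assumes a WordPress install running PHP 7.4 or newer (arrow functions) and WordPress 4.4 or newer (the role__not_in query argument); the plugin name, the REGHARD_ALLOW_REGISTRATION constant and the reghard_ function names are made up for this example.

```php
<?php
/**
 * Plugin Name: Registration Hardening (example)
 * Description: Example mu-plugin (drop into wp-content/mu-plugins/). Not code
 * from the forum thread; it expresses the thread's advice as WordPress hooks.
 */

defined('ABSPATH') || exit;

// Hypothetical switch for this example: set to true only if the site really
// needs open registration (a membership site, say).
const REGHARD_ALLOW_REGISTRATION = false;

// 1. Pin the two Settings > General options regardless of what is stored in
//    the database. get_option() returns the filtered value, so a misclick in
//    the dashboard (or a tampered wp_options row) cannot raise them.
add_filter('pre_option_users_can_register', function () {
    return REGHARD_ALLOW_REGISTRATION ? 1 : 0;
});
add_filter('pre_option_default_role', function () {
    return 'subscriber';
});

// 2. Belt and braces: if any code path still creates a new user with a role
//    above Subscriber at registration time, demote it and record the event.
add_action('user_register', function ($user_id) {
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    if (array_values($user->roles) !== ['subscriber']) {
        error_log(sprintf(
            '[reghard] new user %d (%s) created with roles [%s]; demoting to subscriber',
            $user_id,
            $user->user_login,
            implode(',', $user->roles)
        ));
        $user->set_role('subscriber');
    }
});

// 3. Audit helper: every account holding more than Subscriber rights.
function reghard_privileged_accounts(): array
{
    $rows = [];
    foreach (get_users(['role__not_in' => ['subscriber']]) as $user) {
        $rows[] = [
            'login'      => $user->user_login,
            'roles'      => array_values($user->roles),
            'registered' => $user->user_registered,
        ];
    }
    return $rows;
}

// 4. Surface the audit on the dashboard for administrators only.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $notes = [];
    if (username_exists('admin')) {
        $notes[] = 'An account named "admin" exists; replace it with a differently named administrator.';
    }
    $privileged = reghard_privileged_accounts();
    if (count($privileged) > 1) { // more than just the site owner
        $notes[] = sprintf(
            '%d accounts hold more than Subscriber rights: %s',
            count($privileged),
            implode(', ', array_map(
                fn($r) => $r['login'] . ' (' . implode('/', $r['roles']) . ')',
                $privileged
            ))
        );
    }
    foreach ($notes as $note) {
        printf('<div class="notice notice-warning"><p>%s</p></div>', esc_html($note));
    }
});
```

    Because the pre_option_ filters short-circuit get_option(), the Settings > General page will display the pinned values and ignore changes saved through the UI, which is the point: the role default cannot drift to Administrator by accident. The user_register hook only sees accounts created through WordPress itself, so it is a second line of defence, not a substitute for keeping the option correct and reviewing the privileged-account list periodically.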

  5. #5
    Join Date
    Jan 2014
    Location
    Tardis
    Posts
    481


    Quote Originally Posted by lisa View Post
    Also, make sure you aren't using the username "admin" for your login because if a bot can guess your password, they can get into your site and do damage. Fortunately WordPress no longer makes this the default username when you install.
    This just made me think of something. It's probably wise to have a main admin account. And then create a child account with less rights that actually does the posting. Because WordPress will announce the username of the poster.

  6. #6
    Join Date
    Apr 2007
    Posts
    14,210


    Quote Originally Posted by SuperTekBoy View Post
    This just made me think of something. It's probably wise to have a main admin account. And then create a child account with less rights that actually does the posting. Because WordPress will announce the username of the poster.
    True, but you can actually change this in your profile settings. There is a "nickname" field that will show that instead.

  7. #7
    Join Date
    Jan 2014
    Location
    Tardis
    Posts
    481


    Ah ok. Yeah, I also have my Google+ linked so that name has been showing up as the Author instead for me. Was just thinking about folks that may not have Google+ linked. But that is good to know.

  8. #8
    Join Date
    Nov 2012
    Location
    Toronto
    Posts
    229


    Security is now very important, there seems to be a destructive attitude, a morality that drives people to destroy whatever they can.
    Thanks for alerting us James.

  9. #9
    Join Date
    Jan 2009
    Location
    New Hampshire, USA
    Posts
    76


    You can also use htaccess to deny access to wp-register.php.

    I had, in the past using WP, an issue where someone was registering multiple accounts and somehow managed to register an account that was instantly able to edit/modify template files from within the WP admin panel, injecting a base64 encoded javascript that printed out 2 dozen links to sites I didn't want to be linking to (viagra, cialis, pharmacy websites, pornography).

    I disallowed registering and denied access to wp-register.php via htaccess. It's as simple as:

    <Files wp-register.php>
    Order allow,deny
    Deny from all
    </Files>

  10. #10
    Join Date
    Dec 2007
    Location
    Alexandria, MN USA
    Posts
    6,041


    I had, in the past using WP, an issue where someone was registering multiple accounts and somehow managed to register an account that was instantly able to edit/modify template files from within the WP admin panel, injecting a base64 encoded javascript that printed out 2 dozen links to sites I didn't want to be linking to (viagra, cialis, pharmacy websites, pornography).

    That is exactly where the setting for the New User Default Role comes in. It can even be set for administrator which sounds extremely dangerous to even have as an option. I cannot even imagine an instance where that would be appropriate so it seems strange to me it is there. It only gives an opportunity for an accidental security issue.
    Good Success!


  11. #11
    Join Date
    Jan 2009
    Location
    New Hampshire, USA
    Posts
    76


    Quote Originally Posted by James View Post
    That is exactly where the setting for the New User Default Role comes in. It can even be set for administrator which sounds extremely dangerous to even have as an option. I cannot even imagine an instance where that would be appropriate so it seems strange to me it is there. It only gives an opportunity for an accidental security issue.
    The default role is "Subscriber" and that is what I had it set at, but for some reason the person who injected the base64 code into my templates was a "Subscriber", the lowest possible user level there was.

    Once I blocked wp-login.php and wp-register.php, as well as deleting all the accounts and changing /wp-admin/ to something else only I knew, it all stopped.

  12. #12
    Join Date
    Dec 2007
    Location
    Alexandria, MN USA
    Posts
    6,041


    Scary stuff, isn't it. They always seem to find a way. Block one thing and they find another.

    I am reviewing and getting more serious about my backup practices right now anyway. All this gives me some added motivation. No matter how careful we are we can never be sure of what might happen.
    Good Success!
