14

I have a wordpress blog under my own domain. It does not have special security.

For the past week, my blog has been spammed by someone from Russia - I think the contents of my blog somehow angered him. He posts about 20 spam comments (only links to drugs, etc.) daily at staggered hours. I just can't understand it. Comments require a name and email, and also passing a "captcha" graphic verification. It would be extremely boring and tedious to do such spamming manually. In general, comments cannot be posted through automated software unless some expert hacks into my site.

Does anyone know if it is likely someone is able to hack into my site?

WhiteWinterWolf
itsme
  • Welcome! Your question needs more detail. A great place to start is to review the web server logs for your application. Also review the version of all components and modules. You want to know if something has an update available or vulnerability. Then update your question with what you've found. – user2320464 Jul 20 '17 at 17:02
  • Do you need to fill a Captcha for *every* comment on your blog? I don't often leave comments on blogs, but when I do, I am usually not asked for a Captcha after creating an account. – Shokhet Jul 21 '17 at 13:41
  • Captchas are never a defense against a pissed off human who wants to target YOU. They are only a defense against bots who assault 100,000 blogs just like yours: as the adage says, "I don't have to outrun the bear, I just have to outrun you." If he wants to be in 20,000 blogs, he won't invest any more energy cracking Captchas than he must to get into 20,000. For you, it means be better than the worst 20,000. – Harper - Reinstate Monica Jul 21 '17 at 22:03

4 Answers

37

Posting spam doesn't require hacking in any way.

Regarding the captcha, there are two possibilities:

  • Either the captcha is automatable (I don't know about your website, but I still encounter a lot of websites bearing completely useless captchas).
  • If the captcha is not automatable, then spammers can hire people to solve them for as low as $2 for a thousand captchas.

Your website is usually not specially targeted: they just target any random URL where comments are directly published. When possible, prefer not to publish visitors' comments automatically but only after moderation; at least ensure that the rel="nofollow" property is used for links in comments so spammers' websites don't gain any reputation by posting links in your comments section.

WhiteWinterWolf
  • Are there any non automatable captchas left? – CodesInChaos Jul 21 '17 at 10:40
  • @CodesInChaos you mean a kind of captcha that neither computers nor humans can easily solve? There are some, but they are not very practical ;) ... (better adopt a layered protection where the captcha is only one piece of the system) – WhiteWinterWolf Jul 21 '17 at 10:52
  • I mean captchas that work as intended. i.e. humans can solve them, bots can not. I mostly see the image classification based ReCaptcha in the wild, and it seems simple enough that current computer vision should have no problem solving it. – CodesInChaos Jul 21 '17 at 11:00
  • @CodesInChaos: Yes, but such a captcha falls in the second possibility in my post: just pay someone to solve them. $2 per 1000 captchas doesn't carry much weight in a spam campaign's finances and allows *any* human-solvable captcha to be solved at large scale. Nowadays, automatable captchas are mostly the work of people who tried to roll their own system without proper knowledge. – WhiteWinterWolf Jul 21 '17 at 11:07
  • Of course you can always go with cheap human workers. But what I'm wondering is if that's even necessary anymore or if all popular captchas can already be broken without human assistance. – CodesInChaos Jul 21 '17 at 11:14
  • @CodesInChaos Regarding Google Re-captcha image classification, I strongly think there may be other unrelated interests at play. While Google was building their Google Map service, they asked people to fill street numbers as a captcha service, now they ask to associate some semantic to random pictures or recognize special building like stores or recognize a road sign (Google-car anyone?). I think that this is not by accident that these images can be analyzed by computers, I suspect that captcha users are actually used as data source for machine-learning to improve such algorithms. – WhiteWinterWolf Jul 21 '17 at 11:17
  • @CodesInChaos Meanwhile, it's always a matter of cost: as long as hiring someone costs less than renting an EC2 cloud (+ software development), why bother? – WhiteWinterWolf Jul 21 '17 at 11:20
  • @WhiteWinterWolf That's not some weird conspiracy theory, that's the explicit point of reCAPTCHA: From [Google's page on it](https://www.google.com/recaptcha/intro/index.html): `Every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems.` –  Jul 21 '17 at 13:16
  • Yes, you could even "cheat" with text CAPTCHAs because one word was usually perfectly readable, and the other word was difficult to read. You only had to be accurate with the readable word. – John Smith Jul 21 '17 at 17:41
  • Just don't use [Sony's](http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp) very [broken](https://plus.google.com/+AndrewHintz/posts/KcJXYamu12X) CAPTCHA. – jpmc26 Jul 22 '17 at 04:00
  • @jpmc26 I ***love*** this one :) ! Clicking on the first link, it reminded me of an article demonstrating that a small piece of JavaScript code was enough to decode such a weak captcha image. Reading the second link, it appears this is not even an image: the captcha is actually clear-text HTML styled using CSS to look like a captcha. *Impressive!* – WhiteWinterWolf Jul 22 '17 at 08:33
  • What's funniest is that it's still there and still just as broken over 6 years later. You'd think they would have done something about it by now. lol. – jpmc26 Jul 22 '17 at 08:35
  • @CodesInChaos, that's not possible, as a general problem. There'd always be some way to send the captcha off to a human in some way that they can interact with. All you can do is make it harder to do that. And making things harder for bots also makes it harder for humans, usually. Especially humans with disabilities (I mean, captchas are already harder for those with vision issues). – Kat Jul 25 '17 at 20:29
  • @Kat You're misunderstanding me. Of course you can hand it off to a human in a low wage country and have them solve the captcha for a fraction of a cent. But what I'm wondering about is if all captchas are already broken by computers, or if there are some that require resorting to a human (and thus work as designed). – CodesInChaos Jul 25 '17 at 20:38
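As an added illustration of the rel="nofollow" advice in the answer above (example code written for this page, not the answer's or WordPress's own), the Python function below rewrites every anchor in an untrusted comment body so it carries the nofollow token (plus the newer ugc token), keeping any rel tokens already present without duplicating them. It assumes the comment HTML has already been sanitised so attribute values contain no stray `>` or ` rel=` text.

```python
import re

# Opening <a ...> tag: group 1 is the tag name (case preserved), group 2 the attributes.
A_TAG_RE = re.compile(r"<(a)\b([^>]*)>", re.IGNORECASE)
# An existing rel attribute with a double-, single- or un-quoted value.
REL_RE = re.compile(r"""\srel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def add_rel_tokens(html, required=("nofollow", "ugc")):
    """Return comment HTML in which every <a> tag carries the required rel
    tokens. Tokens already present (e.g. noopener) are kept, nothing is
    duplicated, and text outside anchor tags is left untouched."""

    def fix_tag(match):
        tag, attrs = match.group(1), match.group(2)
        tokens = []
        rel = REL_RE.search(attrs)
        if rel:
            # Keep the existing tokens and drop the old attribute; it is re-emitted below.
            existing = next(g for g in rel.groups() if g is not None)
            tokens = existing.split()
            attrs = attrs[: rel.start()] + attrs[rel.end():]
        present = {t.lower() for t in tokens}
        for token in required:
            if token.lower() not in present:
                tokens.append(token)
                present.add(token.lower())
        return '<%s%s rel="%s">' % (tag, attrs.rstrip(), " ".join(tokens))

    return A_TAG_RE.sub(fix_tag, html)


if __name__ == "__main__":
    # Constructed spam-style comment body (placeholder domains).
    sample = ('Great post! <a href="http://pills.example/">cheap meds</a> '
              'and <A HREF="http://more.example/" rel="noopener">more</A>')
    print(add_rel_tokens(sample))
```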
17

It's unlikely he's hacked into your site. It's also unlikely he's doing this manually. If you run a Wordpress site, bots will eventually find it and spam the hell out of it. Captcha resolution can always be outsourced to someone in the third world for pennies, who literally does nothing but answer captchas all day.

Since this is a personal blog, you ought to install the Akismet plugin. It crowd-sources the detection of spam (so if he spammed some other site first, by the time he gets to yours he's already a known spammer and gets blocked accordingly).

Ivan
  • I think it is as you all said. I do notice from my awstats that it is from a particular IP address from "Russian Federation" - it should not have any genuine interest in the contents of my blog. I understand my site contents do irritate some people badly. Comments to my blog are not automatic; usual comments would await my moderation. Luckily, WordPress has a blacklist function so that the spammer's comments all go to trash - which can be deleted in bulk - "empty trash". Without a blacklist, it would indeed be a headache. Many thanks. – itsme Jul 20 '17 at 15:53
  • You can also set up Wordpress to not allow commenting on posts older than some specified number of days. That's certainly not perfect (it does cause some collateral damage), but it does cut down a lot on spam comments on old posts. – user Jul 20 '17 at 16:59
  • @itsme if you notice it's from a "certain IP address"... blacklist that IP address? blacklist Russia? – WernerCD Jul 21 '17 at 05:27
  • @itsme if this answer answered your question then you should "accept" it :) – user2121 Jul 22 '17 at 10:57
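The first comment on the question recommends reviewing the web server logs, and the questioner traced the spam to a single IP address through awstats. As an added example (not part of this thread), the Python script below performs that check directly on access-log lines: it counts POSTs per IP address to the WordPress comment endpoint and, separately, to the login and XML-RPC endpoints, because comment spam only ever needs the former, so hits on the others from the same address would suggest more than spam. The log lines and IP addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# "Combined" log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Comment submissions go to wp-comments-post.php; the other two are tracked
# separately because a comment spammer has no need to touch them.
WATCHED = {"/wp-comments-post.php": "comment",
           "/wp-login.php": "login",
           "/xmlrpc.php": "xmlrpc"}


def parse_line(line):
    """Fields of one combined-format line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, comment_threshold=5):
    """Return (counts, agents, flagged): counts[ip][kind] is the number of POSTs
    to that endpoint, agents[ip] the User-Agent strings seen, flagged the IPs
    whose comment POSTs exceed comment_threshold."""
    counts, agents = defaultdict(Counter), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        kind = WATCHED.get(rec["path"].split("?", 1)[0])  # ignore query strings
        if kind is None:
            continue
        counts[rec["ip"]][kind] += 1
        agents[rec["ip"]].add(rec["agent"])
    flagged = {ip for ip, c in counts.items() if c["comment"] > comment_threshold}
    return counts, agents, flagged


# Constructed sample (documentation address ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.45 - - [20/Jul/2017:03:12:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [20/Jul/2017:09:40:17 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [20/Jul/2017:22:51:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [20/Jul/2017:22:52:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2017:11:00:02 +0000] "GET /2017/07/post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [20/Jul/2017:11:03:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2017/07/post/" "Mozilla/5.0 (X11)"',
    'not a log line',
]

if __name__ == "__main__":
    counts, agents, flagged = triage(SAMPLE_LOG, comment_threshold=2)
    for ip in sorted(counts):
        print(ip, dict(counts[ip]), "FLAGGED" if ip in flagged else "", sorted(agents[ip]))
```

On a live site, feed it the real access log (e.g. `triage(open("access.log"))`) and compare the flagged addresses with what awstats shows.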
1

"It does not have special security"

As you say, you do have captcha verification. Yes, it's "normal" security, not special. Do consider adding anti-spam. Akismet does a pretty decent job.

"I think the contents of my blog somehow angered him".

Most spammers (and hackers) don't care much about your content. They just want clicks to their sites. It's a constant arms race between spammers and victims - so be prepared to keep upgrading your spam defenses (and other security steps too) as you go forth. :)

Back to: "It does not have special security"

While regular spamming doesn't require them to hack your site, it is possible to exploit simple vulnerabilities to bypass form controls and post not only comment spam but spam posts and, worse, inject malicious JavaScript/links into your site. You wouldn't even notice this under normal circumstances. Therefore I would strongly recommend that you take steps for additional security.

As a long-term security pro, I've seen even "I regularly update and patch" users get nasty surprises when Google marks them as malicious sites, because hackers regularly get small windows of opportunity to get past even those normal precautions.

Most good security requires you to "Go Pro", but some basic stuff can be free. E.g., I have been using BBQ Block Bad Queries. The free version is pretty good and lightweight. We liked it so much that we built similar functions into our own WordPress security plugin + mobile app - ActiFend (alert: shameless plug :| ).

Unfortunately, WordPress security advice has largely been the same for years; ignoring recent trends in hacking. I did write something applicable to recent times - Does your WordPress Security Plugin really protect?

Sas3
0

I use https://en-gb.wordpress.org/plugins/wp-spamshield/ - I used to get loads of spam but this somehow cuts it all out, no captcha needed, but genuine comments get through OK. I'm not related to this plug-in in any way, other than that I've used it for a few years; it's free and works well.

Joey