Web Marketing Help Forum
Xarzu

How do I stop these annoying hackers?


Some "usermane" is requesting a "username" in my wordpress blog.

 

 

I did not expect this to happen with my wordpress blog. I do not know if it is just user stupidity or if it is spammers trying to break into my blog. Either way, it is something that needs fixing. Apparently people are trying to log in without registering.

 

 

I have been getting annoying email messages that say essentially:

SoAndSo (SomeEmail@somewhere.com) has requested a username at MyWebForumAndBlog

 

http://www.MySite.com

 

To approve or deny this user access to MyWebForumAndBlog go to...

 

 

That is not exactly what it says, but you get the idea. Click here to see an actual message.

 

 

So I am guessing that what is happening is that someone just clicks on "log in" and then requests a password instead of clicking on Register. But there are so many of these messages that I have to wonder if this is a spam bot.

 

 

On the other hand, the message says it is requesting a username, not a password. So this is some sort of wordpress spam and trick someone is using where they are bypassing the normal login.

 

 

And it does not make sense. Think of it. Some "usermane" is requesting a "username". How do they do that?

Share this post


Link to post
Share on other sites

How do I disable New Username Spam from my Wordpress Blog?

 

Here is a tip I found:

 

http://www.geeksdesk.com/disable-new-user-registration-in-wordpress-phpmyadmin/

 

That is a bit extreme. I want people to be able to register. I do not think the way I want my web site to be will work if there is not a registration page.

 

I was assuming that somehow there was a script that was being run in a direct sort of way that was generating these email messages. But, for now, I will go with the idea that maybe a bot is running on my register page and it is getting beyond the Captcha control.

 

I thought this way because the email message is saying that someone is requesting a username, not that they are trying to register.

 

My Forum/Blog is a paid web site (to keep out the riff-raff) and people have to buy a subscription to the site. But, surprisingly, this does not stop my inbox from being flooded by "requests for a username".

 

Here is what my inbox looks like:

 

http://i67.photobucket.com/albums/h292/Athono/this.jpg

 

Most of the time, the email addresses in these messages are fake. But sometimes they are not, but when I email these persons back, I am ignored. So they really are just spammers looking for a way of posting ad content on my web site for free.

 

The Registration page has a CAPTCHA Code required entry field:

 

http://www.arguemax.com/wp-login.php?action=register

 

But I wonder if the bots are sophisticated enough to get past that.

 

The user has to click on the "I accept the agreements" field but the agreements field clearly tells the user that they have to buy a subscription. If they do not click on that check box they get this:

 

http://i67.photobucket.com/albums/h292/Athono/wordpress.jpg

 

One way I want to try to keep from getting all this spam is to make it such that the registration button is inactive until they click on the subscribe button

 

https://www.paypal.com/en_US/i/btn/btn_subscribeCC_LG.gif

 

How do I go about making that happen?

 

I want to do this without resorting to any ajax control. I want to set some sort of variable to false that will make the registration button inactive and then set it to true if they click on the subscribe button and then send a refresh message to the registration page.

Share this post


Link to post
Share on other sites

You can probably use javascript to do it (I don't know how myself though), but it might be easier to just not have the register button on the page normally, instead make the sub button eventually redirect to a page where the registration can take place (after paying or whatever you have set up at the moment).

 

Captchas won't stop serious spammers, they pay people from third world countries to sit there all day breaking captchas for them, there are companies (such as deathbycaptcha) dedicated to it, who integrate their software into autoposting bots so their agents can work at it full time (that's when they don't have bots that can auto-break captchas themselves - of which there are quite a few).

 

As you said the problem is people trying to 'soft hack' your site, they are looking for sites which aren't properly locked up so they can turn it into a blog farm. Looks like they aren't getting that far with you. So to be honest you could just set it up so those specific alerts go to a designated folder in your email account so they don't bother you and then just leave it be.

Share this post


Link to post
Share on other sites

You can probably use javascript to do it (I don't know how myself though), but it might be easier to just not have the register button on the page normally, instead make the sub button eventually redirect to a page where the registration can take place (after paying or whatever you have set up at the moment).

 

Captchas won't stop serious spammers, they pay people from third world countries to sit there all day breaking captchas for them, there are companies (such as deathbycaptcha) dedicated to it, who integrate their software into autoposting bots so their agents can work at it full time (that's when they don't have bots that can auto-break captchas themselves - of which there are quite a few).

 

As you said the problem is people trying to 'soft hack' your site, they are looking for sites which aren't properly locked up so they can turn it into a blog farm. Looks like they aren't getting that far with you. So to be honest you could just set it up so those specific alerts go to a designated folder in your email account so they don't bother you and then just leave it be.

That is incredible if what you are saying is true. Imagine people in some country who have to go home at night and explain their jobs to their families. They must think it is high-tech marketing.

 

I have a solution. I simply make my web site a paid site. Give me some money if you want to post on my web site. Not much. Just a buck or so to weed out the riff-raff. It will stop the spammers in their tracks. It is telling them to become legit advertisers. They will flee !

 

The first step towards my making my site like this was to see if I could force them to agree to something, like pay me. Making sure that they would click on an accept checkbox was my first step. To see if this would stop the spambots, I first made my plug-in require this check box and my next step was to disable the box completely. My test was to see if this would stop the process completely.

 

But it did not.

 

So clearly the spambots are completely bypassing my plug-in on my registration by sending some sort of URL command directly to the server. I need to know how they are doing this. Any ideas?

Share this post


Link to post
Share on other sites

How Do I Fix This WordPress PlugIn Issue?

 

I am getting a ton of these automatic requests from “users” requesting username for my Wordpress forum.

 

http://i67.photobucket.com/albums/h292/Athono/this.jpg

 

I think these unwanted automatic requests are easily accomplished by this plug-in:

 

http://i67.photobucket.com/albums/h292/Athono/plug-inplugsup.jpg

 

I had thought that maybe there was something wrong with my Registration page but now I know this probably is not the problem. As a test, I commented out the registration button on my php login page and even after doing so, I still get a flood of unwanted automated requests to register.

 

In fact, I found the php code in the plugin that sends me this dreaded email address:

function send_approval_email($user_login, $user_email, $errors) {
    if (!$errors->get_error_code()) {
        /* check if already exists */
        $user_data = get_userdatabylogin($user_login);
        if (!empty($user_data)) {
            $errors->add('registration_required' , __('User name already exists', $this->localizationDomain), 'message');
        } else {
            /* send email to admin for approval */
            $message  = sprintf(__('%1$s (%2$s) has requested a username at %3$s', $this->localizationDomain), $user_login, $user_email, get_option('blogname')) . "\r\n\r\n";
            $message .= get_option('siteurl') . "\r\n\r\n";
            $message .= sprintf(__('To approve or deny this user access to %s go to', $this->localizationDomain), get_option('blogname')) . "\r\n\r\n";
            $message .= get_option('siteurl') . "/wp-admin/users.php?page=".basename(__FILE__)."\r\n";

            // send the mail
            @wp_mail(get_option('admin_email'), sprintf(__('[%s] User Approval', $this->localizationDomain), get_option('blogname')), $message);
            // create the user
            $user_pass = wp_generate_password();
            $user_id = wp_create_user($user_login, $user_pass, $user_email);
            update_usermeta($user_id, 'pw_user_status', 'pending');
        }
    }
}

This function is mentioned in the php code as being associated with the register_post command:

add_action('register_post', array(&$this, 'send_approval_email'), 10, 3);

So what the heck is a "register_post" command?

 

I do not like what this function, "send_approval_email" does.

 

I do not know how this "register_post" message is triggered. Apparently, it can be triggered directly to the server through a URL. Then all the captcha elements are useless, and any agreements that the user needs to click on are also pointless. How can I add to this function variables that check to see if other items are clicked on in the other plugin?

Share this post


Link to post
Share on other sites
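
An added example, not part of the thread or of the plugin's own code, addressing the last post's question: `register_post` is an action WordPress core fires for every registration request posted to `wp-login.php?action=register`, before the `registration_errors` filter, so it runs whether or not the page's button, checkbox or CAPTCHA was ever rendered. Since the plugin's `send_approval_email` does nothing when `$errors` already holds an error, a handler hooked at an earlier priority can enforce the agreement and payment checks on the server. The field names `accept_terms` and `sub_token`, the `paid_signup_` transient and the payment handler that sets it are assumptions for illustration.

```php
<?php
/**
 * Added example (not the plugin's code): server-side gate for registration.
 * Hypothetical names: form fields accept_terms and sub_token, and the
 * paid_signup_ transient that a payment-confirmation handler (not shown)
 * is assumed to set to the payer's e-mail address once payment is verified.
 */

// Priority 1 runs before the approval plugin's handler (priority 10), which
// skips the e-mail and the user creation when $errors already has a code.
add_action( 'register_post', 'example_gate_registration', 1, 3 );

function example_gate_registration( $user_login, $user_email, $errors ) {
    // Core has already validated the login and e-mail; if that failed,
    // leave its errors alone and do not consume a payment token.
    if ( $errors->get_error_code() ) {
        return;
    }

    // The checkbox is checked here, on the server. Hiding or disabling it
    // in the page has no effect on a request posted straight to wp-login.php.
    if ( empty( $_POST['accept_terms'] ) ) {
        $errors->add( 'terms_required', __( 'You must accept the agreement.' ) );
        return;
    }

    // Token handed out after payment; accept only the expected shape.
    $token = isset( $_POST['sub_token'] ) ? wp_unslash( $_POST['sub_token'] ) : '';
    if ( ! is_string( $token ) || ! preg_match( '/^[a-f0-9]{32}$/', $token ) ) {
        $errors->add( 'payment_required', __( 'A paid subscription is required to register.' ) );
        return;
    }

    // The stored payer address must match the address being registered.
    $paid_email = get_transient( 'paid_signup_' . $token );
    if ( ! is_string( $paid_email ) || 0 !== strcasecmp( $paid_email, $user_email ) ) {
        $errors->add( 'payment_required', __( 'A paid subscription is required to register.' ) );
        return;
    }

    // Single use: a replayed token finds no transient and is rejected above.
    delete_transient( 'paid_signup_' . $token );
}
```

With this in place, a request that lacks the checkbox value or a verified token reaches the approval plugin with an error already set, so no approval e-mail is sent and no pending user is created.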
