One for the WordPress gurus

  • #975129
    fredfarcle
    Member
    • Total posts: 181

    I have a question I’m hoping the WordPress experts may be able to offer a clue on.

    I set up a WordPress site fairly recently for a client wanting a CMS. It’s not set up as a blog as such, but it does have news and article pages; all comments are turned off by default, and there’s not even a “comments are closed” reference on the page.

    Yesterday I logged into the backend and there were about 8 spam comments waiting for moderation. They did not reference any article or news item, but they did reference an image on the home page; this image has a title tag “installing an edge beam”, and all the comments referenced this title as if it were an article.

    Anyone know what’s going on here? How the f.. did they get in, no real harm was done but there’s obviously a hole that needs closing.

    Any suggestions welcome.

    #1072544
    BrettM33
    Participant
    • Total posts: 1,372

    I recently was also having trouble disabling comments globally – a little research led me to this plugin: http://rayofsolaris.net/code/disable-comments-for-wordpress

    #1072545
    fredfarcle
    Member
    • Total posts: 181
    CondorCreative, post: 90857 wrote:
    I recently was also having trouble disabling comments globally – a little research led me to this plugin: http://rayofsolaris.net/code/disable-comments-for-wordpress

    Cheers for that, will give it a run, but what still puzzles me is how they’re using images to access the comment system. The image in question is not an attachment as such (the page it’s on is a static page), or does WordPress treat all images as attachments?

    #1072546
    John C.
    Member
    • Total posts: 439

    Hi Greg,

    What options have you enabled in the “Settings | Discussion” settings page?

    Are you sure they are comments, and not pingbacks / trackbacks? There’s a separate check box for enabling pingbacks and trackbacks.

    Cheers,
    John

    #1072547
    Tony Pfitzner
    Member
    • Total posts: 213
    bitsa, post: 90853 wrote:
    I have a question I’m hoping the WordPress experts may be able to offer a clue on.

    I set up a WordPress site fairly recently for a client wanting a CMS. It’s not set up as a blog as such, but it does have news and article pages; all comments are turned off by default, and there’s not even a “comments are closed” reference on the page.

    Yesterday I logged into the backend and there were about 8 spam comments waiting for moderation. They did not reference any article or news item, but they did reference an image on the home page; this image has a title tag “installing an edge beam”, and all the comments referenced this title as if it were an article.

    Anyone know what’s going on here? How the f.. did they get in, no real harm was done but there’s obviously a hole that needs closing.

    Any suggestions welcome.
    When you load an image in WordPress it is treated just like a post and logged in the wp_posts table of the database, with the ping_status and comment_status set to whatever the settings were when you uploaded it. (The image you referred to may have been uploaded before you switched off comments and pingbacks.)
    If you want to fix it – and are handy with SQL/phpMyAdmin – you can find the record for the image in wp_posts (or whatever your posts table is called) and reset the ping_status and comment_status to ‘closed’. The post you are looking for will have post_title set to the image name without the extension, e.g. ‘myimage.gif’ will be ‘myimage’.

    You could also look at installing Akismet – sounds like overkill if pings and comments are turned off – and the Bad Behavior plugin.

    #1072548
    fredfarcle
    Member
    • Total posts: 181
    onsiteTECHS, post: 90860 wrote:
    Hi Greg,

    What options have you enabled in the “Settings | Discussion” settings page?

    Are you sure they are comments, and not pingbacks / trackbacks? There’s a separate check box for enabling pingbacks and trackbacks.

    Cheers,
    John

    Just checked the settings: ping and trackbacks were on, but these were in the comments awaiting moderation page. All had that generic “I love your article” type of wording, and all were from the usual dodgy gmail addresses or similar.

    Still wondering how you access the site through an image.

    #1072549
    fredfarcle
    Member
    • Total posts: 181
    Tony Pfitzner, post: 90861 wrote:
    When you load an image in WordPress it is treated just like a post and logged in the wp_posts table of the database, with the ping_status and comment_status set to whatever the settings were when you uploaded it. (The image you referred to may have been uploaded before you switched off comments and pingbacks.)
    If you want to fix it – and are handy with SQL/phpMyAdmin – you can find the record for the image in wp_posts (or whatever your posts table is called) and reset the ping_status and comment_status to ‘closed’. The post you are looking for will have post_title set to the image name without the extension, e.g. ‘myimage.gif’ will be ‘myimage’.

    You could also look at installing Akismet – sounds like overkill if pings and comments are turned off – and the Bad Behavior plugin.

    Comments et al were on in settings initially but never enabled at the page/post level.

    Does this mean the image is being accessed via the database? Not happy if it is.

    I run this site off my own VPS and have up till now only used the command line for DB setup. I might have to do a bit of homework on my SQL skills to do what you suggest, or install phpMyAdmin.

    I’m a bit surprised by this vulnerability.

    #1072550
    Tony Pfitzner
    Member
    • Total posts: 213
    bitsa, post: 90863 wrote:
    Comments et al were on in settings initially but never enabled at the page/post level.

    Does this mean the image is being accessed via the database? Not happy if it is.

    I run this site off my own VPS and have up till now only used the command line for DB setup. I might have to do a bit of homework on my SQL skills to do what you suggest, or install phpMyAdmin.

    I’m a bit surprised by this vulnerability.
    It’s not really a vulnerability – any more than any content storage in a database represents a vulnerability. Just the way WordPress manages content and metadata.

    You could invoke mysql from the command line – then run this SQL statement:
    [CODE]update `wp_posts` set comment_status = 'closed', ping_status = 'closed' WHERE post_title = 'myimagefile'[/CODE]
    Note: myimagefile should be replaced by your image file name without the file extension.
    You could do a global ‘switch-off’ by simply doing this:
    [CODE]update `wp_posts` set comment_status = 'closed', ping_status = 'closed'[/CODE]
    If you are going to do much development with a database driven CMS it would be a good idea to install phpMyAdmin.
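    As an added example (not code from the thread, and not WordPress’s own), the following script audits a wp_posts table for attachments that are still open to comments or pingbacks and closes them by post_type = 'attachment' rather than by title, so an article that happens to share the image’s title is left alone. The table and its rows are constructed for the demonstration in an in-memory SQLite database; the SQL statements themselves are also valid for MySQL.

```python
import sqlite3

# Uploaded images are rows in wp_posts (post_type = 'attachment'); list those still open.
AUDIT_SQL = """
SELECT ID, post_title, comment_status, ping_status FROM wp_posts
WHERE post_type = 'attachment' AND (comment_status = 'open' OR ping_status = 'open')
ORDER BY ID
"""
# Fix scoped by post_type, so a real article that shares the image's title is
# left alone (a WHERE on post_title alone would close it too).
CLOSE_ATTACHMENTS_SQL = """
UPDATE wp_posts SET comment_status = 'closed', ping_status = 'closed'
WHERE post_type = 'attachment' AND (comment_status = 'open' OR ping_status = 'open')
"""
# The thread's title-only update, kept for comparison.
CLOSE_BY_TITLE_SQL = """
UPDATE wp_posts SET comment_status = 'closed', ping_status = 'closed'
WHERE post_title = ?
"""

def build_sample_db():
    """Constructed in-memory wp_posts with only the columns the thread discusses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT,
                    post_title TEXT, comment_status TEXT, ping_status TEXT)""")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)", [
        (1, "page", "Home", "closed", "closed"),
        (2, "attachment", "myimagefile", "open", "open"),  # uploaded while comments were on
        (3, "attachment", "logo", "closed", "open"),       # pingbacks still open
        (4, "post", "myimagefile", "open", "open"),        # real article, same title
        (5, "attachment", "footer", "closed", "closed"),
    ])
    conn.commit()
    return conn

def open_attachments(conn):
    """IDs of attachments still open to comments or pingbacks."""
    return [row[0] for row in conn.execute(AUDIT_SQL)]

def close_attachments(conn):
    """Close comments and pingbacks on every open attachment; returns rows changed."""
    cur = conn.execute(CLOSE_ATTACHMENTS_SQL)
    conn.commit()
    return cur.rowcount

def close_by_title(conn, title):
    """The thread's title-only update; returns rows changed, attachments or not."""
    cur = conn.execute(CLOSE_BY_TITLE_SQL, (title,))
    conn.commit()
    return cur.rowcount
```

Running the audit again after the fix should return an empty list; the title-based variant also closes the article with ID 4, which the post_type-scoped version leaves open.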

    #1072551
    fredfarcle
    Member
    • Total posts: 181
    Tony Pfitzner, post: 90868 wrote:
    It’s not really a vulnerability – any more than any content storage in a database represents a vulnerability. Just the way WordPress manages content and metadata.

    You could invoke mysql from the command line – then run this SQL statement:
    [CODE]update `wp_posts` set comment_status = 'closed', ping_status = 'closed' WHERE post_title = 'myimagefile'[/CODE]
    Note: myimagefile should be replaced by your image file name without the file extension.
    You could do a global ‘switch-off’ by simply doing this:
    [CODE]update `wp_posts` set comment_status = 'closed', ping_status = 'closed'[/CODE]
    If you are going to do much development with a database driven CMS it would be a good idea to install phpMyAdmin.

    Looks like my Sunday afternoon is sorted. I will install phpMyAdmin, as I do get the occasional requirement for a CMS and WordPress is certainly easy for people to use, but I’m not too flash on its inner workings. Thanks for the info.

    Lately I’ve mainly been using Ruby on Rails as a framework, admittedly not as a CMS, but Rails doesn’t put images in a DB by default; they’re treated as static assets in a separate folder and encrypted at launch.
