[wp-trac] [WordPress Trac] #46883: Blog Configs being overridden by Hacker Bots

WordPress Trac noreply at wordpress.org
Thu Apr 11 15:59:11 UTC 2019

#46883: Blog Configs being overridden by Hacker Bots
 Reporter:  zsystech           |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  5.1
 Severity:  critical           |   Keywords:
  Focuses:                     |
 We consider this as a Bug since no malicious damages to Sites or Servers
 have been found.

 We have multiples of instances on sites where Robots can Auto Submit posts
 to Blog pages even though the sites are configured not to allow public
 posts/discussion. Currently we have over a dozen end users that have
 reached out to us to make sure their sites have not been hacked.

 Main configuration: Configured not to allow Posts/Discussion and not to
 allow Posts by anyone not logged in. User account creation is also turned
 off. Thankfully some of these sites are setup to be moderated and these
 malicious posts only have been caught this way, however the end users that
 are not moderating are seeing an increase in issues with this

 This is happening with sites with multiple theme types, Multiple versions
 of PHP, and also Multiple Web Server Platforms. At first I thought maybe
 it was a Theme issue working with the Core, however further research from
 dealing with other end users is showing that it looks related to the Core,
 since multiple Theme types are being used by multiple end users, However
 to try and rule out any CORE Issue we are having End Users send us their
 Web Server, PHP, and Database Logs to research this issue deeper.

Ticket URL: <https://core.trac.wordpress.org/ticket/46883>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list