404 Tech Support

Fighting trackback spam on your WordPress site

Changing servers, monitoring the logs, and changing configurations recently, I seemed to find a spam campaign that began targeting my website. One interesting clue was that my site’s top keyword in Google WebMaster Tools was ‘pingback’ while before the top keywords were ‘tech’ and ‘support’. In recent months I had installed Disqus to stop spam comments but as this campaign was specifically trackback spam, they were bypassing Disqus and posting directly to a WordPress function.

I think it’s fair to be angry when you and your site are targeted by bots. It’s not fair. They are using your resources – SQL queries, storage, bandwidth, and database usability – and slowing down access for the legitimate users. Unfortunately, it’s a fact of life and getting angry or upset won’t solve the problem. Instead, take action to prevent the problem and guard yourself.

While Disqus was handling my comments, it made finding the problem a little bit more obscure. Instead of the top Comments page in the WordPress admin, if you go to Comments, All Comments you will see the trackback spam. For me, I saw thousands of pages of trackback spam and comments. With 10 comments on each page, that was a lot of spam. While the server was able to handle it, it would not be pretty in the long run if it kept up at this pace of 10’s of thousands of comments a day.

The spam comments were coming from a wide variety of IP addresses, likely from malware-infected computers around the world, all spewing a few spam campaigns. The IP addresses were too numerous to count or to block.

The first thing I did was to install the Bad Behavior WordPress plugin. I had used it before but had bad luck when it and CloudFlare interacted poorly. I re-installed it and it brought the spam to a screeching halt. Instead of a flood, only a trickle of new spam would come in daily. It was definitely an improvement but I wasn’t satisfied.

The next step I took was to verify that pingbacks and trackbacks were disabled for future posts. You’ll find this to be the second setting in WordPress under Settings, Discussion. I had unchecked ‘Allow link notifications from other blogs (pingbacks and trackbacks)’ quite a while ago but still had hundreds of articles out there with the feature still turned on. While normally a good thing, it has come to be abused, as I was quickly learning.

To update all of my previous articles, it was going to take some work. I could edit each previous article and disable the option but that was going to be too time consuming and tedious. I tried using the Disable Trackbacks WordPress plugin but it didn’t seem to do anything.

To automate the task, I dived into my WordPress database using phpMyAdmin. On the wp_posts table, there is an attribute called ping_status. For my older posts, it was set to ‘open’.

Note: 1.) Using phpMyAdmin and tinkering with the database can potentially break your site. Only do so if you know what you are doing AND have a recent database backup in place.
2.) The tables for default WordPress installs have a ‘wp_’ prefix. You may have to update the queries to match your site’s database structure.

To close them in bulk, I ran the following query to update the status for all of them.

UPDATE `wp_posts` SET ping_status = ‘closed’;

This disabled trackbacks on all my previous posts. Whereas before Bad Behavior was blocking and logging thousands of malicious visitors a day (many with the status ‘Web browser attempted to send a trackback’), it has now become a handful. Finally with some breathing room, it was time to clean up.

While still in phpMyAdmin, I queried the wp_comments table to delete all previous trackbacks.

DELETE FROM `wp_comments` WHERE comment_type = ‘trackback’;

This deleted over 60,000 spam comments that had accumulated in just a few days and the previous steps stopped it from happening again.

This was a lot of unnecessary, unwelcome traffic to my site. I don’t know what made 404 Tech Support a target but I hope this article can help if you are also being targeted or you want to take steps to prevent it from happening to your site in the future.

I’m still getting these spam visitors to my site but Bad Behavior is doing a good job of blocking them and turning off trackbacks has prevented the accumulation of their junk to any that do make it through.

The WordPress Codex also has a good steps to take to combat comment spam.

Delete wp-trackback.php The ultimate end-all solution to your trackback spam troubles. This will effectively disable trackbacks and is good for stopping trackback spam floods. This will mean that no one will be able to trackback your posts, so do this after consideration.