This is about a very old site running WP 2.6.
It has not been properly maintained. There are 56000 spam comments as of today.
My job is to take care of this site, remove all spam, upgrade WordPress to the newest version and add spam-control.
So I add spam-control, change admin password - and still comments keep coming in as approved!?
The site has only one administrator account, but lots of "user" accounts (it belongs to a webshop). But there are no other accounts with admin privileges, this I have checked in the database/mysql from cli.
My question number 1, to put it simply:
*How can comments be approved without admin approval*???
Question 2:
Am I doing the wrong thing here, just trying to upgrade & secure this site? Is it really possible to make a wp-site this old secure?
Maybe I should just rebuild everything from scratch - but then, the owner doesn't have the money to pay for that...
Apologies if you've thought about this already, as I've no direct knowledge of WordPress, but couldn't you back up the database and files, install the latest WordPress and restore the backup? http://codex.wordpress.org/WordPress_Backups
Yes, I could do that. It might be better/safer than just upgrading?
But if somebody succeeded in hacking the old site and I just restore the old database to the new site, doesn't that mean he'll still have access?
If that's what happened?
The benefit of re-installing is that if somebody left a rogue file around you will be removing it. It's a good point about the database though. I'm afraid, as I said, I've no experience with WordPress but hopefully somebody who has is reading.
In your WordPress dashboard, go to Settings-->Discussion.
That's where comment settings reside. The default is to allow comments as long as the user provides an email address.
On my own blog, I allow comments, but close them on a post after it is seven days old, and I use Akismet. Closing comments after seven days was a recent decision which has done wonders in reducing the number of spam comments which I receive. I also close comments on all "pages."
Akismet captures almost all spam comments and puts them in a special place where you can review and delete them. Just overnight last night, Akismet quarantined 62 spam comments. (If you want to see my blog, the link is in my profile.)
In the years I've used Akismet, it's missed fewer than a dozen spams. It's so reliable that I don't even review the comments it marks as spam any more; I just delete them.
Also check the "Comment Moderation" area in the "Discussion Settings." You can create special conditions (number of links, keywords, etc.) that send comments into the moderation queue.
With judicious use of these rules, I have been able to avoid forcing all comments into moderation at my own blog.
I do not use third-party comment systems, such as Disqus. They are annoying.
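The checks discussed in this thread (the Discussion settings, the admin-account check, and where the approved comments come from) can be run from the mysql CLI. This is an added example, not part of any post above; it assumes the default table prefix `wp_`, which may differ on the site in question.

```sql
-- Added example. Assumes the default table prefix "wp_"; adjust to the site's prefix.

-- 1. Discussion settings that decide whether a comment is published without review.
--    comment_moderation = 0: comments are not held for manual approval.
--    comment_whitelist = 1 (stored as comment_previously_approved in newer
--    WordPress): only authors with an earlier approved comment skip the queue.
--    The close_comments_* options do not exist on very old installs; rows that
--    are absent simply do not appear in the result.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN (
    'comment_moderation',
    'comment_whitelist',
    'comment_previously_approved',
    'comment_registration',
    'require_name_email',
    'comment_max_links',
    'close_comments_for_old_posts',
    'close_comments_days_old'
);

-- 2. Accounts whose stored capabilities include the administrator role.
--    The meta key carries the table prefix, so it changes with the prefix too.
SELECT u.ID, u.user_login, u.user_registered, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- 3. Comments per day and status for the last 14 days, split by whether the
--    comment was posted anonymously (user_id = 0) or from a logged-in account.
--    status '1' = approved, '0' = held for moderation, 'spam' = marked as spam.
SELECT DATE(comment_date)  AS day,
       comment_approved    AS status,
       SUM(user_id = 0)    AS anonymous,
       SUM(user_id <> 0)   AS logged_in
FROM wp_comments
WHERE comment_date >= NOW() - INTERVAL 14 DAY
GROUP BY day, status
ORDER BY day DESC, status;
```

If query 1 shows `comment_moderation` as 0, approved comments arriving without admin action is the configured behaviour rather than evidence of a second admin account.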