Jetpack filled postmeta table with crap?

Further details on this:

This is coming from the “Contact Form” portion of Jetpack, which is ACTIVATED BY DEFAULT and targeted by automated scripts. If you haven’t noticed the new “Feedbacks” entry below “Comments” in your dashboard, take a look at it – you may have thousands of spam “feedbacks” that have been sent to you and added to wp_posts and wp_postmeta with no visual indication that there’s anything there (including on ones not marked as spam, or at least not yet marked thus).

Note that this does NOT require that you have a Jetpack-based comment form added; I have a simple contact form using Contact-Form-7 that works just fine. I’ve also verified the HTML that my site is feeding out, and there are no references to the Jetpack contact form module in my HTML.

And finally the probably little-noticed Feedbacks section doesn’t include some of the features of the Comments section such as an “Empty Spam” button.

Seriously? If I were going to be deleting these through the web interface I’d be “Moving to Trash” them 20 at a time, 335 PAGES worth. At least after I did that I could Empty Trash, and at least the moving to trash and emptying trash appear to work promptly enough – I wasn’t sure since they affects both wp_posts and wp_postmeta.

I apologize for the hassle.

First, a couple practical things that can help:
1 – Jetpack Contact Form and Akismet work together. If you don’t already have Akismet installed, I recommend it. It should reduce both comment spam and feedback spam.
2 – You can delete more than 20 things at a time. If you go to the Feedbacks page, then click “Screen Options” in the upper right corner, you’ll see a form where you can specify how many items to show on a page. The default is 20, but you can put in whatever you want.

And yes, trashing/deleting feedbacks should remove the entries from wp_posts and the corresponding entries from wp_postmeta.

Now that those practical concerns are out of the way, on to the real problem: why did this happen in the first place.

https://www.fencepost.net/contact/ has a Jetpack Contact Form in it. I can tell because the source of that page mentions “grunion” (the name of the old plugin that was turned in to Jetpack Contact Forms). Also, you can see a jetpack/modules/contact-form/css/grunion.css stylsheet loaded on that page.

I see that you are using the latest version of Jetpack. Are you also using the latest version of Contact Form 7? There used to be an incompatibility between the two plugins, which has since been fixed. It’s possible, though, that you’ll need to edit your page’s contact form.

If you edit that page (https://www.fencepost.net/contact/), what is the shortcode you see? If you want to use Contact Form 7, the shortcode should say “[contact-form-7”. If you want to use Jetpack Contact Forms, it should say “[contact-form”. (That unfortunate similarity was the source of the incompatibility I mentioned above.)

Manually editing Jetpack Contact Form shortcodes is a pain. If you want to use them, I suggest clicking the Contact Form editing icon in your editor as seen in the first screenshot at https://jetpack.me/support/contact-form/

Manually editing Contact Form 7’s shortcodes is also a pain ?? If you want to use them, I suggest going to your admin -> Contact and copying the shortcode from the form you want to use (or creating a new one).

Also, you can disable Jetpack Contact Forms entirely by going to your admin -> Jetpack. Then find the Contact Form box and click its “Learn More” button. A “Deactivate” button will appear next to the Learn More button. Click Deactivate. (Yes, we know this is a really dumb process ?? We’re going to make it much simpler in a future release.)

Again, I’m sorry about all this pain and annoyance.

Oops. Forgot to click the subscribe checkbox. Ignore this comment ??

First, I’m surprised – I thought I’d changed the shortcode on the contact form quite some time ago, but I guess I failed to do so. That’s now fixed. What really made me notice this is that the Jetpack contact address goes to the primary address for the account, where the contact-form-7 address goes to a mailbox that my phone doesn’t check.

I am using Akismet, but that just flags spam – it doesn’t prevent it, so it’s still in the database to be dealt with.

I have now increased the number of item shown, but there are actually limits on how high I could make it – it tops out at 999, but since every feedback being deleted adds &post[]=7181 to the URL my web server kicks it back with a 414 Request-URI too large. After experimenting, 500 was also too large, but 300 seems to work and was reasonably snappy about the moving to trash.

I actually am planning on disabling the Jetpack contact form, but I didn’t want to do so without first doing the needed cleanup (and not by building my own MySQL deletion queries). After this, I ran through and disabled some of the Jetpack features that I’m actually not using along with some other plugins that I could actually do without.

But thanks for putting up with my grumbly posts.

And I’ll mark this one as resolved.

Ah, I thought they had not been flagged as spam; I misread what you meant about the Empty Spam button (you were quite clear :)).

Thanks for the feedback. We’ll look into it.

I’m glad you got everything sorted and sorry you had to.

wow. This is terrible.

I’ve been using JetPack comment form on 3 sites. All three have a combined 7,000 spams saved in Feedbacks.

Deleting them 100 at a time is possible in theory, but it overloads my VPS9 Hostgator server.

Deactivating the contact form doesn’t even get rid of this data.

This is something that needs to be fixed.

For me the odd thing about the spam that targets the Jetpack contact feature is that it happened on just one site.

I installed Jetpack on several websites, but this one site received a huge amount of spam. Eventually I had to simply turn off Jetpack’s contact form, and use another one (with CAPTCHA) instead.