fencepost

I just saw a note about some security issues in last week’s version (0.5.14 and older) so that may have been the source.

Note that the second part of this was because I’d failed to revise my contact-form shortcode to contact-form-7, but the first part (I believe) still applies. Will test further once I build up more spam comments.

And I’ll mark this one as resolved.

First, I’m surprised – I thought I’d changed the shortcode on the contact form quite some time ago, but I guess I failed to do so. That’s now fixed. What really made me notice this is that the Jetpack contact address goes to the primary address for the account, where the contact-form-7 address goes to a mailbox that my phone doesn’t check.

I am using Akismet, but that just flags spam – it doesn’t prevent it, so it’s still in the database to be dealt with.

I have now increased the number of item shown, but there are actually limits on how high I could make it – it tops out at 999, but since every feedback being deleted adds &post[]=7181 to the URL my web server kicks it back with a 414 Request-URI too large. After experimenting, 500 was also too large, but 300 seems to work and was reasonably snappy about the moving to trash.

I actually am planning on disabling the Jetpack contact form, but I didn’t want to do so without first doing the needed cleanup (and not by building my own MySQL deletion queries). After this, I ran through and disabled some of the Jetpack features that I’m actually not using along with some other plugins that I could actually do without.

But thanks for putting up with my grumbly posts.

And finally, with Jetpack activated, deleting spam comments times out after 30 seconds (PHP timeout) with about 10 spam deleted. Deactivate Jetpack and deleting spam works again.

Is this an attempt to break local commenting so people will use the WordPress.com service instead?

And finally the probably little-noticed Feedbacks section doesn’t include some of the features of the Comments section such as an “Empty Spam” button.

Seriously? If I were going to be deleting these through the web interface I’d be “Moving to Trash” them 20 at a time, 335 PAGES worth. At least after I did that I could Empty Trash, and at least the moving to trash and emptying trash appear to work promptly enough – I wasn’t sure since they affects both wp_posts and wp_postmeta.

And, there’s no “Empty Spam” button for Feedback spam – If you’re not able to delete it by going into the database (KNOW WHAT YOU’RE DOING FIRST THESE ARE DANGEROUS TABLES TO TOUCH) you may be stuck with trashing the spam 20 messages at a time (personally, I have 335 pages worth).

Further details on this:

This is coming from the “Contact Form” portion of Jetpack, which is ACTIVATED BY DEFAULT and targeted by automated scripts. If you haven’t noticed the new “Feedbacks” entry below “Comments” in your dashboard, take a look at it – you may have thousands of spam “feedbacks” that have been sent to you and added to wp_posts and wp_postmeta with no visual indication that there’s anything there (including on ones not marked as spam, or at least not yet marked thus).

Note that this does NOT require that you have a Jetpack-based comment form added; I have a simple contact form using Contact-Form-7 that works just fine. I’ve also verified the HTML that my site is feeding out, and there are no references to the Jetpack contact form module in my HTML.

Thinking further on this, it may be configured that way because the various hosting plans at my provider have varying numbers of “addon” domains – they aren’t able to host unlimited domains, so the wildcard may not be operating the way it would on an unrestricted hosting setup (or self-hosting).

In this configuration it may be necessary to do this kind of editing, or at least to configure each subdomain or addon/parked domain in cPanel as well.

I was just dealing with what I think is this exact thing, and I also ended up editing the URLs under Super Admin / Sites / (edit link for individual site). This is because when adding a new site, it defaults to adding newsite.masterdomain.com, but because in cPanel I added them as Parked domains with no redirection, those addresses don’t seem to exist.

This may be an issue on my end with the wildcard DNS entry I added in WHM – in theory it should be resolving *.masterdomain.com, and it does seem to be doing so, but what I was getting was the Apache/WHM/cPanel working correctly pages.

Am I missing something?

Even better, if you have it emailing notifications to you then you can see what was causing it to block you and withe whitelist it or see if it’s something that shouldn’t be blocked at all.

Redirection mostly works with the content of the URL after the domain name, so I’m not sure how you’d do it unless you’re using it to modify your .htaccess file.
This guy has a nice little writeup: https://www.trevorfitzgerald.com/2007/03/force-www-using-an-htaccess-301-redirect/
To summarize if his site goes away, you need to

RewriteEngine on
RewriteCond %{HTTP_HOST} ^trevorfitzgerald.com [NC]
RewriteRule ^(.*)$ https://www.trevorfitzgerald.com/$1 [L,R=301]

The “%{HTTP_HOST} ^” on the second line says basically “if an inbound connection starts with my domain name without www, match this rule.” The next line rewrites the incoming request by changing the inbound host name and adding the rest of the original URL onto it.