I think this blog gets way more spam than your average blog. For instance, over the lifetime of this blog (a little over 4 years), it averages about 95 unique visitors per day. Pretty poor average, I know, but this blog existed for 2+ years being read only by my family. Over the last year and a half or so, my averages have been up around 150 – 200 uniques per day.
Now, comment spam wasn’t a huge deal here until about a year ago or so. When it became a real problem, I installed Spam Karma, which has stopped pretty much all of it. How many pieces of comment spam does “all of it” equal? Right about 60,000 comment spams, in nearly one year. See the little black bar at the bottom of this page? It counts the number of comment spams that Spam Karma has stopped. It currently reads “This blog is protected by Spam Karma 2: 62528 Spams eaten and counting…”.
It’ll be at 62700 or so by tomorrow morning probably. Maybe I’m way off, but I just think this is an awful lot of comment spam compared to the relatively low amount of “real” traffic this site sees. But whatever, I’m just glad to have Spam Karma.
Dr. Dave, the dude behind Spam Karma, has issued a warning to all WordPress users. A message popped up on my Spam Karma 2 dashboard warning of a potential security vulnerability in WordPress. Here’s part of the warning:
If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
Leaving it open and letting people sign up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me, I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.
Now, the WordPress development team was apparently notified a “while back”. They supposedly haven’t done anything yet to rectify this problem. Dr. Dave has received a lot of questions due to his initial post. In turn, he’s made another post in which he addresses some of those questions.
Hopefully we’ll see WordPress 2.0.4 out within a few days.
UPDATE: WordPress 2.0.4 Beta is out. It should be safe to open user registrations under WordPress 2.0.4. I’d expect to see the final 2.0.4 release next week.
[via Ryan Boren]