A new client approached me recently to help with what he suspected was a virus that had infiltrated his web server. He was being bombarded by thousands of emails per day and naturally thought that this was due to a virus of some sort. His website was based on the popular WordPress, and he was desperate to stop the problem.

In these sorts of cases it’s easy to jump to conclusions, so it’s essential to gather information and evidence to prevent what could ultimately be a waste of time chasing the wrong fix. At the same time it was essential that I was able to rule out any suggestion of a virus being involved in the email bombardment.

The investigation begins

I asked my client to send over as much information as he possibly could so that we could remove the comment spam:

  • Are the spam emails being sent to your mailing list – i.e. the sign-up form on your website?
  • What was the email address that the spam appears to come from?
  • A few (say 5) example emails that had been fired out; along with any “bounceback” emails that had been returned.
  • WP login details.
  • Server login details

He sent through what he could, which was the WordPress login, 1&1 Server control panel and an example bounce back email.

Straight away, I noticed from the bounced email that it was an email to moderate a comment that had been returned to the domain owner because the WordPress admin contact could not be reached. This made sense, but wouldn’t explain why there was such a large volume of emails being sent to my client.

WordPress based Site

My client’s website was a pretty standard WordPress-based website, using a quite decent and well-used WordPress theme. I hadn’t performed the WordPress installation or configuration so I needed to check that there hadn’t been any script or file updates made since the install date which could have indicated the presence of an alien spamming script.

After logging into the 1&1 control panel and checking the modified dates on the WordPress install files I was confident that they were all original and unmodified.

Lots of Comment Spam

I then logged into the WordPress site – there were a massive 132,000 (one hundred and thirty two thousand!!!!) comments awaiting approval and this was increasing at a rate of 2 spam comments per minute. This comment spam was being delivered by a bot or bots.

The guy/gal (we’ll call him Joe) who had installed this WordPress site had left commenting open, without any comment spam protection, and then taken it on himself to moderate the comments. Unfortunately Joe had disappeared, so the comments were growing and growing, with the notification emails being sent through to Joe for moderation. Joe’s email address was also no longer valid and so these emails were bouncing back to my client. The mail server was queuing the failed emails for retry for 25 hours, with notifications of these hitting my client – 3 thousand emails a day hitting his mobile phone!!

The fix

The actual fix to reduce and remove the comment spam was pretty straightforward:

First of all I disabled all comments from being posted on the WordPress site:

Settings -> Discussion

DISABLE (ensure UNticked):

Save changes.

I then ensured that existing posts and pages also had comments disabled. First the posts:

Posts -> All Posts

Select All posts (you may have to repeat for more than one page of posts)

Bulk Actions | Edit -> Set the Comments to Do Not Allow

Save changes

Next, the Pages:

Pages -> All Pages

Select All pages (you may have to repeat for more than one page of pages)

Bulk Actions | Edit -> Set the Comments to Do Not Allow

Save changes

I then ensured that no commenting or post manipulation could be performed remotely by disabling the XMLRPC functionality.

Clearing the Backlog of spam comments

Once I’d done this to ensure no further spam could be submitted, it was time to clear the 132,000 comments awaiting moderation. Rather than spend my time doing it manually, I did it the sensible way by delving directly into the WordPress database.

I logged directly into the MySQL database and deleted all the spam comments (there were 3 real comments, which were the first 3), so a simple DELETE FROM wp_comments WHERE comment_ID > 3; did the trick.
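
The same cleanup written more defensively, as an added example that is not part of the original post: it previews what will be deleted, removes the orphaned comment metadata, and recalculates the per-post comment counters that a bare DELETE leaves stale. It assumes the default wp_ table prefix, InnoDB tables (so the transaction can be rolled back), statements entered one at a time in a MySQL client, and a database backup taken beforehand.

```sql
-- Added example. Assumptions: default "wp_" prefix, MySQL/MariaDB, InnoDB tables.
-- On MyISAM tables START TRANSACTION has no effect, so rely on the backup instead.

-- 1. Preview the table by status before deleting anything.
--    comment_approved: '0' = awaiting moderation, '1' = approved, 'spam', 'trash'
SELECT comment_approved, COUNT(*) AS total
FROM wp_comments
GROUP BY comment_approved;

START TRANSACTION;

-- 2. Delete only the moderation backlog. comment_ID > 3 keeps the three
--    genuine comments described in the post; adjust it for another site.
DELETE FROM wp_comments
WHERE comment_approved = '0'
  AND comment_ID > 3;

-- 3. Remove metadata rows whose parent comment no longer exists.
DELETE cm
FROM wp_commentmeta AS cm
LEFT JOIN wp_comments AS c ON c.comment_ID = cm.comment_id
WHERE c.comment_ID IS NULL;

-- 4. Recalculate the cached per-post counter (WordPress counts approved comments).
UPDATE wp_posts AS p
SET p.comment_count = (
    SELECT COUNT(*)
    FROM wp_comments AS c
    WHERE c.comment_post_ID = p.ID
      AND c.comment_approved = '1'
);

-- 5. Re-check the totals. If they look wrong, issue ROLLBACK instead of COMMIT.
SELECT comment_approved, COUNT(*) AS total
FROM wp_comments
GROUP BY comment_approved;

COMMIT;
```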

I recommended that my client keep comments turned off, but should he wish to use them in the future, I installed and configured the Akismet plugin which comes with WordPress by default.



– Michael

Eighty : Twenty is a Business & Technology company providing digital marketing, IT support services and software development to companies and private clients in the Northwest of England.

Eighty : Twenty can provide help and support with WordPress based websites including troubleshooting, SEO and writing content. We are based in Chorley in the northwest of England and have clients in Preston, Manchester and Bolton.