

Security breach

  1. 5 minutes ago I got an email telling me that I posted something on my blog... Which I didn't.
    The post was titled "how to please your gf" and in the post was a link to guess what... an online drug store.
    Is there any way I can see what IP address that was posted from?
    Or any other way to see what happened?

    Thanks

    The blog I need help with is iluvromania.wordpress.com.

  2. Oh, and also forgot to mention that visits went through the roof today. Since my blog is new I don't have an audience built up so I get 20 to 30 hits per day. Today I got 270 hits.

  3. WordPress.com has been running advertising on our free hosted blogs since 2006. Many bloggers do not know this because despite the fact they ticked the box required to get a free blog, they did not read the ToS. Many also do not read the features page, or the advertising entry in the support documents, after registering their username and blog(s). Also note that as the ads do not display to us when we are logged in, and as many use browsers with ad blockers when logged out, they may not realize they are there at all. The only way to get rid of all advertising on our free hosted WordPress.com blogs is to purchase an annually renewable No-Ads upgrade.

    If you feel an ad is inappropriate please take a screenshot of it and upload it into your Media Library and Staff will view it there.

  4. I have a strong password, it's 8 chars, 6 letters and 2 numbers. It's all random letters, not a word. How much more secure can it be? It's not a password you can guess, and I hope that if someone tried to brute force it, WordPress.com would have something to say...

  5. Please confirm whether or not you are referring to the blog linked to your username. If it's not that one, then please post a link to the blog in question. Then Staff will take a look at it.

  6. Do you have Post by email enabled? If so, disable it and generate a new address - there have been cases where a person's email was hacked and the Post by email address was obtained.

    There have also been cases where someone got access to a computer that had login info to a person's blog.

    Also check your dashboard >> Users and make sure you don't have an extra user.

  7. @timethief This is my blog
    @zuxclass None of the above happened. My email is secure with a different password, only this time this is generated. And the post was made using my admin user name...
    I deleted the email used to Post by email.
    And also my computer is as safe as it can get.
    I have no idea how this could have happened...

  8. That post was sent to your Post by Email email address.

    Most email spam bots just send out email to randomly generated email addresses, and sometimes they get lucky and land on your Post by Email address.

    It's not common, but it is one of the known risks.

    At this point, I recommend re-generating your Post by Email address: http://en.support.wordpress.com/post-by-email/

  9. I think I'll just stop using it.
    I had no idea that this is a meaning of advertising. I mean, if you post on someone's blog, don't you think they would see?

    Anyway, thanks all for your help

  10. It's not necessarily that they meant to post on your blog, it is a bot after all, not a person.

    Really, it meant to send a normal spam email, and the email address it was sent to happened to post to your blog.

  11. I have an email subscription to my site and sites I help with so I get an email every time a Post is made so if something does happen I see it right away.

  12. So do I. I was notified the instant the post was made.
    But it is still a security breach.

  13. It's not a security breach, just an email spam bot sending thousands of spam emails out to thousands of randomly generated email addresses. As luck would have it, one of those was your Post by Email address.

  14. I would never enable post by email. It's too big a security hole, as you can see.

  15. What? Is it possible that an email I write to a friend, which is supposed to be classified information, turns up as a new blog post?

  16. No. That is not how it works.

  17. No, when you enable Post by Email, you essentially turn your blog into another inbox which publishes every email it receives.

    This is handy for folks who are on the go with no access to one of the mobile apps or a decent web browser, but like any email inbox, it's also susceptible to spam.

    See http://en.support.wordpress.com/post-by-email/ for more details.

  18. Oh I see. Once I enable it, I would receive an email address that I should keep secret, so no one else can use it to post a new article in my blog but me. Got it. Thank you Macmanx and Raincoaster.

  19. That's right. And that's also why your security on that email address should be ironclad. Use a more complex password than you ever thought you'd need, if you want to do this.

  20. @nandobase No one knew my Post by email address. So I guess even generated addresses are going to be spammed eventually.
    I will stop using it because of this little incident.

  21. ALL email addresses will be spammed.

  22. Spam filters do not always work. Do they?
    Perhaps WordPress.com should send a confirmation email before a Post by Email is published, not just a notification. I know it works just like an inbox, but maybe an extra step should be given because it's a post, not an email.

  23. Post by email is always going to be a vulnerability.
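
Added example, not part of the original thread and not WordPress.com code: a sketch of the confirmation step suggested in post 22, applied to the "inbox that publishes every email" behaviour described in post 17. The class name, addresses, token lifetime and sample messages are all hypothetical and constructed for illustration.

```python
import secrets
import time
from email import message_from_string

TOKEN_TTL = 24 * 3600  # seconds a held post stays confirmable (assumed policy)

class PostByEmailGate:
    """Hypothetical gate: inbound email is held, never published directly."""

    def __init__(self, owner_address):
        self.owner_address = owner_address  # account address on file
        self.pending = {}    # token -> (expires_at, subject, body)
        self.published = []  # list of (subject, body)

    def receive(self, raw_email, now=None):
        now = time.time() if now is None else now
        msg = message_from_string(raw_email)
        subject = msg.get("Subject", "(no subject)")
        if msg.is_multipart():
            texts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
            body = texts[0].get_payload() if texts else ""
        else:
            body = msg.get_payload()
        token = secrets.token_urlsafe(16)
        self.pending[token] = (now + TOKEN_TTL, subject, body)
        # The From: header is set by the sender and proves nothing, so the
        # confirmation request goes to the owner's address on file.
        return {"to": self.owner_address, "subject": subject, "token": token}

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        held = self.pending.pop(token, None)  # tokens are single use
        if held is None or now > held[0]:
            return False
        self.published.append((held[1], held[2]))
        return True

# Constructed sample messages; the spam carries a forged From: header.
SPAM = ("From: owner@example.com\nTo: secret123@post.example\n"
        "Subject: Cheap pills\n\nBuy now http://pharmacy.example\n")
LEGIT = ("From: owner@example.com\nTo: secret123@post.example\n"
         "Subject: Trip report\n\nArrived safely.\n")
```

With this gate, spam that reaches the secret address produces only a confirmation request to the owner, and nothing is published until the owner confirms it.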

Topic Closed

This topic has been closed to new replies.
