injection spam

I’ve upgraded to v2.3.3 which closes a security hole that was permitting spammers to “inject” spammy links directly into posts via xmlrpc.php, and thereby avoid the “nofollow” attribute that is automatically applied to links in comments (i.e., the usual mechanism to deprive comment spammers of the PageRank mojo they seek). The spam was surrounded by “noscript” HTML tags, which meant that the links were invisible in the browser, thus hiding them from detection and removal. However, since RSS feedreaders do not interpret JavaScript, the spam was revealed, and I am grateful to Dave and to Gothmog for alerting me to the problem.

If you have a WP blog you should upgrade ASAP to the latest version. FYI to all the otaku blogs I link to on my blogroll here, I have not noticed any spam links via your feeds, though I am a bit behind on my reading. You all should upgrade ASAP.
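One way to check stored post bodies for the hidden links described above, as an added example that is not part of the original post: it parses each post's HTML and reports any link that sits inside a “noscript” block. The post IDs, URLs and function names are constructed for illustration, and it assumes the post bodies have already been exported as strings.

```python
from html.parser import HTMLParser


class NoscriptLinkFinder(HTMLParser):
    """Collect href values of <a> tags that sit inside <noscript> blocks."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0    # current <noscript> nesting level
        self.links = []   # hrefs seen while depth > 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <NOSCRIPT> is matched too.
        if tag == "noscript":
            self.depth += 1
        elif tag == "a" and self.depth:
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth:
            self.depth -= 1


def find_noscript_links(html):
    """Return the links hidden inside <noscript> in one post body."""
    finder = NoscriptLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.links


def scan_posts(posts):
    """Map post id -> hidden links, only for posts that contain any."""
    hits = {}
    for post_id, body in posts.items():
        links = find_noscript_links(body)
        if links:
            hits[post_id] = links
    return hits


# Constructed sample data: post id -> stored post body.
SAMPLE_POSTS = {
    101: "<p>Review of this week's episode.</p>",
    102: '<p>Upgrade notes.</p><NOSCRIPT><a href="http://spam.example/a">x</a> '
         '<a href="http://spam.example/b">y</a></noscript>',
    103: '<p>See <a href="http://blog.example/post">this post</a>.</p>',
}

if __name__ == "__main__":
    for post_id, links in scan_posts(SAMPLE_POSTS).items():
        print(post_id, links)
```

An unclosed “noscript” tag keeps the parser in the hidden state, so every link after it in that post is reported as well.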

2 thoughts on “injection spam”

  1. Oops I just added the wrong tag above. Meant to search for that post on here about monsterID and ended up putting it in the add tag box. Anyway, I just upgraded the plugin with some nifty hand drawn monsters (kindly donated by a real artist) and was going to say it might be worth upgrading if you like the new look.
