Let me explain the problem scenario first. I host some of my WordPress websites on an UpCloud server with the help of ServerPilot.
I was using the WPForms plugin to create advanced contact forms. While creating those forms, I didn’t use the reCAPTCHA option out of my laziness. I had to regret my clumsiness two years later when I encountered the spam attacks.
Every time someone submits an entry through the contact form, my WordPress install sends an email notification with the submitted message enclosed.
Last week, this form was used to send spam emails. I am not talking one or two emails. I am not even talking hundreds of emails. I am talking about hundreds of thousands of emails within 30 minutes.
Imagine the horror of receiving so many emails in such a short span of time.
I did a few things to battle the spam attacks through the contact form in WordPress.
- I enabled reCAPTCHA. But I kept on getting spam emails.
- I removed the embedded contact form from the page. But I still kept on getting spam emails.
- I disabled the WPForms plugin that was exploited by the bots and yet the spam emails didn’t stop.
The reason that I kept on getting those emails even after deactivating the ‘culprit’ plugin was that it wasn’t a continuous attack. The spam emails were delayed. I realized that when I viewed the ‘original email message’ that shows all the details about the origin of the email.
Since the bot exploited the form to send hundreds of thousands of contact form messages, these messages got stuck in the mailing queue. And from here these emails were sent gradually.
When I found the root cause of the issue, it was time to fix it. I checked the mailing queue on my server and deleted all the pending mails in the queue.
Let me show you how to do that.
Checking the outgoing mail queue and deleting it
ServerPilot configured my WordPress install with Postfix as the Mail Transfer Agent. Therefore, I am going to use the commands for managing Postfix here.
Use SSH to log on to your server first. Then list all the messages in the Postfix queue with this command:
The output should be like this:
885911CEEB1 11130 Fri Dec 14 22:25:52 [email protected] (delivery temporarily suspended: host mx.yandex.ru[188.8.131.52] refused to talk to me: 554 5.7.1 Service unavailable; Client host [94.1177.71.114] blocked using spamsource.yandex.ru; Blocked by spam statistics - see http://feedback.yandex.ru/?from=mail-rejects&subject=184.108.40.206) [email protected]
That was just one of the sample messages in my queue. I took a not-so-accurate guess at the number of emails stuck in the server queue with the wc command.
postqueue -p | wc -l
This showed me that there were 267000 lines in the queue.
I decided to delete all the emails from this queue so that my email box would stop receiving these messages in the queue.
While you may delete the messages one by one with their message ID, it would be a nightmare in my case. So I decided to delete all of them at once with this command:
sudo postsuper -d ALL
The output of this command was:
postsuper: Deleted: 57565 messages
So apparently, there were 57565 emails still waiting to be sent from my server. This was on top of over 90,000 emails I had already received.
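The gap between the 267000 lines and the 57565 deleted messages comes from each queued message spanning several lines of `postqueue -p` output. The sketch below is an added example, not part of the original post: it counts messages accurately and extracts only the queue IDs from one envelope sender, so they can be fed to `postsuper -d -` instead of deleting ALL. The function names, addresses and the sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `postqueue -p` output (IDs and addresses are made up).
sample_queue() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
885911CEEB1    11130 Fri Dec 14 22:25:52  wordpress@site.example
(delivery temporarily suspended: host mx.mail.example[192.0.2.10] refused to talk to me)
                                         victim1@mail.example

A1B2C3D4E5F*    2048 Fri Dec 14 22:26:01  wordpress@site.example
                                         victim2@mail.example

0F1E2D3C4B5     4096 Fri Dec 14 22:27:40  orders@site.example
(connect to mx.shop.example[192.0.2.20]:25: Connection timed out)
                                         customer@shop.example

-- 17 Kbytes in 3 Requests.
EOF
}

# Count messages, not lines: only a line that starts with a queue ID
# (optionally flagged * = active or ! = on hold) begins a new message.
count_queued() {
    awk '/^[0-9A-Za-z]+[*!]? / { n++ } END { print n + 0 }'
}

# Print the queue IDs of messages whose envelope sender equals $1.
# The sender is the last field on the queue-ID line.
ids_from_sender() {
    awk -v s="$1" '/^[0-9A-Za-z]+[*!]? / && $NF == s {
        sub(/[*!]$/, "", $1)   # strip the status flag from the ID
        print $1
    }'
}

# Demo on the constructed sample.
echo "messages queued: $(sample_queue | count_queued)"
echo "IDs from the form's sender:"
sample_queue | ids_from_sender wordpress@site.example

# On a live server (postsuper reads queue IDs from stdin when given "-"):
#   postqueue -p | ids_from_sender wordpress@site.example | sudo postsuper -d -
```

Review the ID list before piping it to `postsuper`, since a contact form and legitimate site mail may share the same envelope sender.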
Imagine the amount of server performance wasted and the trouble it caused for me. My server’s IP might have been banned by Google (as I use G Suite) for spamming.
Thankfully, I managed to debug the issue in time and fixed it this way. I learned my lesson not to ignore the basic security practices like putting a captcha on the forms to avoid such bot attacks.
I hope you, too, learned from my experience and it helps you fight bot attacks on your WordPress websites and servers. I also advise using WP-CLI to manage WordPress in the backend.
If you experience something similar and used some other way to handle the situation, please share it with the rest of us here so that we all can learn from each other’s experiences.