This was a fun one to discover - I was reviewing my domain's outgoing links from Ahrefs and a few sites caught my eye. I don't remember linking to any of these... so what's this all about? To my slight surprise, there were a lot of Pingbacks/Trackbacks referencing some slightly dodgy websites 👀

Example of one of the links found

Rushing to my WP dashboard to figure out what was going on, I was more confused to discover these pingback requests hadn't been approved by me. That's right - they were live on the site (without me being logged in) meaning I had inadvertently been linking to these sites at the bottom of my article.

A pingback/trackback is a mechanism used when you want to make a site aware that they've linked to one of your posts. Personally I still don't quite see the value or use in them, and I nearly always end up rejecting any such requests. Which is why I found this one interesting. Somehow they had forced themselves live without being approved.

Example of all the pingback requests I'd had, and included, in my article

Fixing the Pingback spam 💪

This was quite an easy one - I just had to reject the pingbacks - by marking them as spam they were removed from WordPress, and so those links dropped off the page.

They 100% were live and published though, as otherwise a tool like Ahrefs wouldn't have picked them up.

I felt this must be an issue with my theme so I put out a tweet in the hope that someone kind (and clever!) would see it.... which leads me to the brilliant @jemjabella reaching out, the MD of UltimatelyBetter, a WordPress design and dev agency.

Jem kindly offered to take a look at my theme code to see if she could spot anything. After a bit of faffing-around on my part (I had to download my theme files via FTP) I'd shared them with Jem.

⭐I should note here that I'm not happy with the WP theme I use on my site - I bought it on a hunch many years ago for the massive fee of $35 from ThemeForest. I think I was drawn to it because the theme was called "WP SEO" and in my youthful days I believed it would allow me to rank "for all the things". I do plan on relaunching my website with a new, custom theme... when I have a moment....one day. ⭐

Whilst I was waiting to hear back from Jem (which took just a few minutes!) I was looking to see if any other sites on the web had been affected by the same issue as myself. And whilst I can't say with 100% certainty that I did find one, I'm pretty darned sure there are many other sites that are affected. I can't be sure because they could be approving these spammy pingback requests - unlikely but possible.

Other sites potentially impacted 😥

Another digital marketing agency in Colombia, watermelonmarketing.com might also be impacted - as I said before, it's hard to say for sure as they could approve any of these pingback requests. You can see a few of those pingbacks at the article shown below.

More spammy pingbacks (maybe?)

Issues with Live Composer's commenting system 💬

Jem replied and stated more or less the following:

Looking at the theme, it's got this note in the comments template:

* In our theme LiveComposer plugin render the comments thread and
* the comment form in it's own template system, so the standard
* WordPress comments output is obsolete in our case.

So I downloaded Live Composer. Sure enough, the function in Live Composer that handles the pingbacks/trackbacks does no checking if they're approved before spitting it out on the page:

case 'pingback' :
case 'trackback' :
   ?>
   <li class="dslc-comments-pingback">
      <p><?php _e( 'Pingback:', 'live-composer-page-builder' ); ?> <?php comment_author_link(); ?><?php edit_comment_link( __( '(Edit)', 'live-composer-page-builder' ), ' ' ); ?></p>
   <?php
break;

Unlike normal comments just underneath, which checks if the comment is approved...

if ( $comment->comment_approved == '1' ) :

So, tl;dr - it's the Live Composer plugin, and this is quite a big issue tbh - because as you've found it, it could be used to insert all sorts of spam links into a site!

So ultimately I was wrong to blame the WP theme in use - it was the LiveComposer plugin instead.

Fixing the issue if your site is affected 🔧

It's quite a simple fix really - just disable pingback/trackback requests from your WordPress settings. This is what I did first of all after realising I'd been hit by this issue.

Just untick the top 2 options under Discussion Settings in WP - and job done. Make sure you've rejected any previous pingbacks if you're concerned about those.

It might be worth doing this check on your site, or that of your clients - just in case they've fallen foul of something similar. It's never a bad idea to audit your external links now and then. You never know which sites might have dropped off the web, or been taken control of by 3rd parties - or whether you're inadvertently being used to link out to other dodgy sites.
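One way to run that check against a saved copy of a post, as an added example (not code from this post or from Live Composer): it looks for the `dslc-comments-pingback` list items shown in the snippet above and reports any links in them that point off-site. The site host and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Class name taken from the Live Composer pingback markup quoted above.
PINGBACK_CLASS = "dslc-comments-pingback"

# Constructed sample of a rendered comments list (not real site output).
SAMPLE_HTML = """
<ol class="commentlist">
  <li class="dslc-comments-pingback">
    <p>Pingback: <a href="https://spam.example/cheap-pills" rel="nofollow">Cheap pills</a></p>
  <li class="dslc-comments-pingback">
    <p>Pingback: <a href="https://www.myblog.example/other-post/">My other post</a></p>
  </li>
  <li class="comment"><p>See <a href="https://friend.example/">this</a></p></li>
</ol>
"""


class PingbackLinkAuditor(HTMLParser):
    """Collect off-site links rendered inside pingback list items."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.in_pingback = False
        self.external_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "li":
            # The quoted snippet leaves <li> open, so a new <li> ends the last one.
            classes = (attrs.get("class") or "").split()
            self.in_pingback = PINGBACK_CLASS in classes
        elif tag == "a" and self.in_pingback:
            href = attrs.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            same_site = host == self.site_host or host.endswith("." + self.site_host)
            if host and not same_site:
                self.external_links.append(href)

    def handle_endtag(self, tag):
        if tag in ("li", "ol", "ul"):
            self.in_pingback = False


def audit_pingbacks(html, site_host):
    """Return the off-site URLs linked from pingback/trackback entries."""
    parser = PingbackLinkAuditor(site_host)
    parser.feed(html)
    return parser.external_links
```

The rendered HTML does not show moderation status, so compare anything this flags against the pending and approved pingbacks in the WordPress Comments screen.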

Thanks again to Jem for kindly looking into this and flagging the issue, without her input I'd have been none the wiser! 👍