Keep Your Eyes Open For K2 User Spam (On Older Versions)

In this day and age, if there is a way for the spammers and other abusers of this world to make use of your site, they will. One "attack vector" which I had never even considered until I was confronted with it just minutes ago is K2 users. They are the perfect platform for K2 user spam if you are not paying attention, "K2 user spam" being the use of K2 user profiles to post spam on your website. Now that that's out of the way, let's take a look at how it works and how you can prevent it.

How it works

Unlike Joomla, K2 by default allows users to create profiles with fancy avatars, subscriptions and links. Which is super if you're building a content-based site: you've got to have those neat author profiles.

However, that means that the K2 User profiles can – and will – be abused.

Spammers can create one or more accounts on your website and then fill the profile description with whatever they see fit, including images and links. This then appears on their author page. What it comes down to is that simply by registering a Joomla user they get a spam page with whatever content their spammer hearts desire. These pages can and will show up when your friend Google visits your site, as proven by the DMCA requests we got for a site. That's what brought the exploit to my attention: DMCA requests for a site whose only page says "Site under construction"?

How to fix / avoid it

In K2 2.7, tackling this problem is as simple as setting an option. In the Spam Settings section, set "Control K2 User Profile display for users with no items" to disabled. This stops the profile pages of users who have no K2 items from being displayed, and it is the default setting in K2 2.7, so older versions are the ones to check. It won't stop the spam users from signing up, but it will at least stop them from ruining your SEO.

Additionally, you can enable K2's anti-spam measures, which include reCAPTCHA and the Stop Forum Spam integration, which checks registrations against a database of known spammers and disables their accounts. However, we haven't been able to test whether this prevents users from signing up through the Joomla user form, although the previous solution should keep their profiles from being displayed regardless.
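As an added example (not from the original post and not code from the K2 project), here is a small Python audit you could run over an export of K2's user profile table to find the accounts the two sections above are about: profiles that carry links or images but belong to users who have published no K2 items, which is exactly the set the K2 2.7 option hides and the set worth reviewing on an older K2. The sample rows are constructed; the column names `userID`, `userName`, `description` and the joined `item_count` are assumptions about what your export looks like.

```python
import re
from html.parser import HTMLParser

# Constructed sample rows in the shape of a join between K2's user profile
# table (assumed columns: userID, userName, description) and a count of that
# user's published K2 items (assumed column: item_count). Adapt the names to
# whatever your export actually contains.
SAMPLE_PROFILES = [
    {"userID": 62, "userName": "editor_jane",
     "description": "<p>Writes about Joomla and K2 since 2010.</p>",
     "item_count": 14},
    {"userID": 340, "userName": "cheap_watches_2013",
     "description": '<p>Best prices! <a href="http://example.invalid/replica">buy now</a> '
                    '<img src="http://example.invalid/banner.gif"/></p>',
     "item_count": 0},
    {"userID": 341, "userName": "newreader",
     "description": "",
     "item_count": 0},
    {"userID": 342, "userName": "seo_bot",
     "description": "<p>Visit http://example.invalid/pharma and http://example.invalid/loans</p>",
     "item_count": 0},
]

# Bare URLs pasted into the text without an <a> tag still count as spam payload.
_URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


class _ProfileScanner(HTMLParser):
    """Counts <a href> and <img src> tags in a profile description and
    collects the visible text so bare URLs can be counted separately."""

    def __init__(self):
        super().__init__()
        self.links = 0
        self.images = 0
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links += 1
        elif tag == "img" and attrs.get("src"):
            self.images += 1

    def handle_data(self, data):
        self.text_parts.append(data)


def profile_signals(description):
    """Return counts of the things a spammer stuffs into a profile:
    anchor links, images and bare URLs in the visible text."""
    scanner = _ProfileScanner()
    scanner.feed(description or "")
    scanner.close()
    visible_text = " ".join(scanner.text_parts)
    return {
        "links": scanner.links,
        "images": scanner.images,
        "bare_urls": len(_URL_RE.findall(visible_text)),
    }


def audit_profiles(rows):
    """Flag profiles that carry links or images but belong to users with no
    published K2 items. Real authors (item_count > 0) are left alone even if
    they link to their own site; empty profiles are not worth reporting."""
    flagged = []
    for row in rows:
        signals = profile_signals(row["description"])
        total = signals["links"] + signals["images"] + signals["bare_urls"]
        if row["item_count"] == 0 and total > 0:
            flagged.append({"userID": row["userID"],
                            "userName": row["userName"],
                            **signals})
    return flagged


if __name__ == "__main__":
    for hit in audit_profiles(SAMPLE_PROFILES):
        print(hit)
```

Run against a real export the hits are the accounts to disable or clean up by hand; the `item_count == 0` condition keeps legitimate authors who link to their own site out of the list, which is the same trade-off the K2 2.7 option makes.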

