Category: CleanTalk

  • Security Update: Please Update CleanTalk Anti-Spam to the Latest Version

    We’re reaching out to let you know about a security vulnerability that was recently disclosed in the CleanTalk Anti-Spam plugin for WordPress. We’ve already released a fix, and we want to make sure you’re protected.

    What happened?

    On February 14, 2026, a vulnerability (CVE-2026-1490) was publicly disclosed affecting CleanTalk Anti-Spam plugin versions 6.71 and earlier. The issue was found in the checkWithoutToken function, which relied on reverse DNS (PTR record) resolution to verify incoming requests. An attacker could spoof a PTR record to impersonate CleanTalk servers, potentially allowing them to install unauthorized plugins on a vulnerable site. In a worst-case scenario, this could lead to remote code execution through a chain of exploits.

    Here’s the important part: this vulnerability only affects sites running with an invalid, expired, or missing API key. If your CleanTalk subscription is active and your API key is valid, the exploitable code path is never triggered. That said, we strongly recommend updating regardless – it’s simply good practice.

    What you need to do:

    1. Update the plugin to version 6.72 or later – the fix is already available in the WordPress plugin repository.
    2. Verify that your API key is active and valid in your CleanTalk dashboard at https://cleantalk.org/my or in your WP Dashboard → Settings → Anti-Spam by CleanTalk.
    3. If you have auto-updates enabled, you may already be on the latest version — but please double-check.

    Keeping plugins up to date is the most effective way to maintain website security.

    What we’ve done on our end:
    We patched the checkWithoutToken function to no longer rely solely on PTR records for authorization. The updated verification process uses stronger validation methods that cannot be spoofed. The fix was released in version 6.72, which is available now.
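
    The difference between a PTR-only check and one that the owner of an IP address cannot satisfy alone, as an added example (not CleanTalk's code, and not necessarily how version 6.72 validates requests). The function names, vendor.example and the IP addresses are constructed; forward-confirmed reverse DNS is shown as one common hardening, and str_ends_with requires PHP 8.

```php
<?php
// Added illustration, not CleanTalk plugin code. All names, hosts and IPs are constructed.

// Constructed DNS data so the example runs offline.
// PTR records are published by whoever controls the reverse zone of an IP,
// so the holder of 203.0.113.7 can make that address claim any hostname.
$ptrRecords = [
    '192.0.2.10'  => 'api1.vendor.example',    // genuine vendor server
    '203.0.113.7' => 'api9.vendor.example',    // PTR chosen by the IP's owner, not the vendor
    '203.0.113.8' => 'api.evilvendor.example', // look-alike suffix
];
// A records are published only by the owner of the vendor.example zone.
$aRecords = [
    'api1.vendor.example' => ['192.0.2.10'],
];

// Stand-ins for gethostbyaddr() and gethostbynamel().
$reverse = fn(string $ip): ?string => $ptrRecords[$ip] ?? null;
$forward = fn(string $host): array => $aRecords[$host] ?? [];

// True only when $host is $domain itself or a subdomain on a label boundary.
function hostInDomain(string $host, string $domain): bool
{
    $host = strtolower(rtrim($host, '.'));
    $domain = strtolower($domain);
    return $host === $domain || str_ends_with($host, '.' . $domain);
}

// Weak pattern: trusts whatever name the PTR record returns.
function isVendorByPtrOnly(string $ip, callable $reverse, string $domain): bool
{
    $host = $reverse($ip);
    return $host !== null && hostInDomain($host, $domain);
}

// Forward-confirmed reverse DNS: the PTR name must also resolve back to the
// same IP through records that only the domain owner can publish.
function isVendorByFcrdns(string $ip, callable $reverse, callable $forward, string $domain): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $host = $reverse($ip);
    if ($host === null || !hostInDomain($host, $domain)) {
        return false;
    }
    return in_array($ip, $forward($host), true);
}

foreach (array_keys($ptrRecords) as $ip) {
    printf(
        "%-12s ptr-only=%s fcrdns=%s\n",
        $ip,
        var_export(isVendorByPtrOnly($ip, $reverse, 'vendor.example'), true),
        var_export(isVendorByFcrdns($ip, $reverse, $forward, 'vendor.example'), true)
    );
}
```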

    References:
    CVE record: https://www.cve.org/CVERecord?id=CVE-2026-1490 
    Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/cb603be6-4a12-49e1-b8cc-b2062eb97f16 
    Plugin changelog: https://wordpress.org/plugins/cleantalk-spam-protect/#developers 

    A note from our team:
    We take security seriously – both yours and our own. No software is immune to vulnerabilities, but what matters is how quickly they’re addressed and how transparently they’re communicated. We identified the issue, developed a fix, and released the update promptly. 

    We’re also conducting an internal review of similar patterns across our codebase to prevent this class of vulnerability from recurring.
    If you have any questions or need assistance updating, our support team is here to help at support@cleantalk.org.

    Best regards,
    The CleanTalk Team

  • CleanTalk Malware Scanner — heuristic code analysis

    We already talked about the launch of our security service for WordPress in the previous article. Today we want to talk about the launch of heuristic analysis to detect malicious code.

    The mere presence of malicious code can lead to a ban from search results, or to a warning in search results that the site is infected, shown to protect users from potentially dangerous content.

    You can find malicious code on your own, but it’s a lot of work and most WordPress users do not have the necessary skills to find and remove unnecessary lines of code.

    Authors of malicious code often disguise it, which makes it difficult to detect by signatures. The malicious code can be located anywhere on the site: for example, obfuscated PHP code may sit in a logo.png file and be called by one inconspicuous line in index.php. Therefore, using plugins to search for malicious code is preferable.

    On the first scan, CleanTalk scans all WordPress core files, plugins and themes. When rescanning, only the files that have changed since the last scan are scanned. This saves resources and increases scanning speed.

    How heuristic analysis works

    One of the main disadvantages of heuristic analysis is that it is quite slow, so we use it only when it is really necessary. First of all, we split the source code into lexemes (the minimal language constructs) and remove everything unnecessary:

    1. Whitespace characters.
    2. Comments of all types.
    3. Non-PHP code (anything outside the <?php ?> tags).

    Next, we recursively simplify the code until there are no “complex constructs” left:

    1. Concatenating strings.
    2. Substituting variables into variables.
    3. And others.

    While simplifying the code, we also track the origin of variables, among other things.

    In the end, we get clean code that can be analyzed. It is very important that we get the code not as a string but as lexemes. Thus we know which lexeme is a string containing the searched-for text and which lexeme is a function.

    When searching for “bad constructs” such as eval, this difference matters to us:

    <?php echo 'eval("echo \"some\"")'; ?>

    — in this case there is no T_EVAL lexeme; there is only a T_CONSTANT_ENCAPSED_STRING lexeme 'eval("echo \"some\"")'.

    <?php eval('echo "some"'); ?>

    – and here there is one. This is the case we will find.

    We look for such constructs and group them by severity:

    Critical:

    • eval
    • include* and require*
      • with a bad file extension
      • of non-existent files (will be removed in the next versions)
      • of deleted files

    Dangerous:

    • system
    • passthru
    • proc_open
    • exec
    • include* and require*
      • with the error suppression operator (will be removed in the next versions)
      • with variables depending on POST or GET

    Suspicious:

    • base64_encode
    • str_rot13
    • syslog

    And others.
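
    The steps above, sketched with PHP's built-in tokenizer as an added example (not CleanTalk's scanner code). The sample file, the function names and the rule that any include target with an extension other than .php counts as a bad extension are assumptions; only constant string concatenation is folded.

```php
<?php
// Added illustration, not CleanTalk's scanner. Rules and sample are constructed.

// Constructed sample: eval inside a comment and a string, a real eval, an
// include whose path is split by concatenation, and a system() call.
$sample = <<<'PHP'
<html><?php
// eval('only a comment');
echo 'eval("echo \"some\"")';
eval('echo "some"');
include 'logo' . '.png';
system($_GET['c']);
?></html>
PHP;

// Step 1: split into lexemes [id, text, line]; drop whitespace, comments,
// PHP tags and everything outside them.
function lexemes(string $code): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_INLINE_HTML, T_OPEN_TAG, T_CLOSE_TAG];
    $out = [];
    $line = 1;
    foreach (token_get_all($code) as $t) {
        // Single-character tokens come back as plain strings without a line number.
        [$id, $text, $line] = is_array($t) ? $t : [null, $t, $line];
        if (!in_array($id, $skip, true)) {
            $out[] = [$id, $text, $line];
        }
    }
    return $out;
}

// Turn a constant string literal into its value (double-quoted form is approximated).
function unquote(string $literal): string
{
    $body = substr($literal, 1, -1);
    return $literal[0] === "'"
        ? strtr($body, ["\\\\" => "\\", "\\'" => "'"])
        : stripcslashes($body);
}

// Step 2: fold 'a' . 'b' into a single string lexeme until nothing changes.
function foldConcats(array $lex): array
{
    do {
        $changed = false;
        for ($i = 0; $i + 2 < count($lex); $i++) {
            if ($lex[$i][0] === T_CONSTANT_ENCAPSED_STRING
                && $lex[$i + 1][0] === null && $lex[$i + 1][1] === '.'
                && $lex[$i + 2][0] === T_CONSTANT_ENCAPSED_STRING) {
                $joined = unquote($lex[$i][1]) . unquote($lex[$i + 2][1]);
                $merged = [T_CONSTANT_ENCAPSED_STRING, var_export($joined, true), $lex[$i][2]];
                array_splice($lex, $i, 3, [$merged]);
                $changed = true;
            }
        }
    } while ($changed);
    return $lex;
}

// Step 3: match on lexeme types, so text inside strings never counts as code.
// Simplification: a method or user function named exec() would also match.
function findings(array $lex): array
{
    $includes = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $dangerous = ['system', 'passthru', 'proc_open', 'exec'];
    $found = [];
    foreach ($lex as $i => [$id, $text, $line]) {
        $next = $lex[$i + 1] ?? [null, '', 0];
        $after = $lex[$i + 2][1] ?? ';';
        if ($id === T_EVAL) {
            $found[] = ['critical', 'eval', $line];
        } elseif (in_array($id, $includes, true)
            && $next[0] === T_CONSTANT_ENCAPSED_STRING && $after !== '.') {
            $ext = strtolower(pathinfo(unquote($next[1]), PATHINFO_EXTENSION));
            if ($ext !== '' && $ext !== 'php') {
                $found[] = ['critical', "$text of a .$ext file", $line];
            }
        } elseif ($id === T_STRING && $next[1] === '('
            && in_array(strtolower($text), $dangerous, true)) {
            $found[] = ['dangerous', strtolower($text), $line];
        }
    }
    return $found;
}

foreach (findings(foldConcats(lexemes($sample))) as [$severity, $what, $line]) {
    echo "$severity: $what (line $line)\n";
}
```

    Without the folding step the include on line 5 is followed by the lexeme 'logo', which has no extension, so the bad-extension rule only fires once the concatenation has been simplified.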

    We are constantly improving this analysis: adding new constructs to search for, reducing the number of false alarms, and optimizing the simplification of the code.

    We plan to teach it to detect and decode strings encoded in URL, BASE64 and other encodings.

    The plugin itself is available in the WordPress directory. If you are unsure how to identify, remove, or clean malware using the plugin, you can book a WordPress Malware Removal service with our Security & Pentest team.

  • WordPress Password Leak Protection in CleanTalk Plugin

    Leaked passwords are one of the fastest-growing threats to WordPress. WordPress password leak protection helps block attackers who reuse stolen credentials from massive breaches. Security by CleanTalk now gives you a way to stop them before they log in.

    What’s New: WordPress Password Leak Protection

    Password Leak Protection automatically checks user credentials against public breach databases. If a password is exposed, login is denied and the user is forced to reset it on the next attempt.

    Update your plugin and turn it on in General Settings.

    Password Leak column in the Users table with clear statuses

    User experience

    When a password is flagged as leaked, the next login takes the user to a compact reset form right on the login page. They enter the current password, choose a new one, confirm it, and can sign in again immediately. The leaked status is cleared after a successful change.

    Dashboard banner shown when a user’s password has been leaked

    Administrator View: WordPress Password Leak Protection

    Administrators can monitor security directly inside WordPress, and WordPress password leak protection adds another layer of defense. The Users table now shows a Password Leak column with three possible statuses: Not verified, Safe, or Leaked. If the system finds compromised accounts, the dashboard shows a warning banner. For additional control, administrators can run manual checks from the Users section, and results update instantly through AJAX. Background tasks run automatically in batches, ensuring that large sites are processed without extra load.

    How to enable

    By default, the system keeps the feature disabled. To turn it on:

    1. In your WP Dashboard, go to Settings → Security by CleanTalk.
    2. Click on the General settings tab.
    3. In the Authentication and Logging In section, select and enable the option “Checking the user’s password for information leaks.”
    4. Select which roles to cover. By default, the system includes Administrators and Editors.
    5. Run a one-time scan in Users to get an instant baseline for current accounts.

    Settings panel for enabling password leak checks and selecting roles

    Why It Matters: WordPress Password Leak Protection

    According to OWASP, exposed credentials are among the most dangerous security risks for web applications. Even strong passwords become unsafe once they appear in leak databases. Password Leak Protection reduces this risk by stopping logins with compromised passwords and requiring users to reset them before continuing.

    Next steps

    Update your CleanTalk Security Plugin to the latest version.
    Enable Password Leak Protection in Authentication → General Settings, choose the roles to cover, and run a one-time scan in Users to check current accounts.

    This ensures that compromised passwords are blocked and users must reset them before logging in again.

    If you want to strengthen your defenses further, combine Password Leak Protection with CleanTalk Anti-Spam to stop bot registrations and spam comments, and with Uptime Monitoring to keep track of your site’s availability around the clock.

    FAQ

    Which roles are checked by default?
    By default, Password Leak Protection applies to Administrators and Editors. You can extend coverage to other roles in Authentication → General Settings.

    Does Password Leak Protection send email alerts?
    No. Notifications appear in the WordPress dashboard as a banner and as statuses in the Users table. There are no email alerts for leaked passwords.

    If a password leaks, the system blocks the login. On the next attempt, it redirects the user to a reset form on the login page. After the user confirms a new password, the system marks their account as safe again.

    How does this feature work with Brute Force Protection and 2FA?
    Password Leak Protection complements brute force defense and Two-Factor Authentication (2FA). Together they stop both guessed and compromised passwords, reducing the most common login risks for WordPress sites.

    To explore more ways of keeping your site secure, check out our guide on CleanTalk Security Plugin tools for WordPress.

  • Spam Bot phil9982@bestaitools.my — How to Block It and Stop Website Attacks

    A sophisticated spambot operating under the email address phil9982@bestaitools.my became one of the most active threats in late 2025. Since its discovery on November 10, 2025, this automated attacker has spammed 11,428 websites, with the last recorded activity being December 15, 2025. The CleanTalk anti-spam service currently blocks approximately 9,048 requests per day from this single email address—that’s over 375 spam attempts every hour.

    Unlike obvious spam, the messages mimic legitimate customer support requests, making them difficult to detect without advanced anti-spam protection.

    Spam Messages Used by phil9982@bestaitools.my

    This bot sends seemingly mundane questions about service offerings, appearing to be from potential customers:

    1. “Is there a referral program?”
    2. “Do you offer maintenance plans?”
    3. “Do you work weekends?”
    4. “Can I pay with PayPal or other methods?”
    5. “Do you offer support after purchase?”
    6. “Do you offer consultations over Zoom or phone?”
    7. “Do you offer recurring service plans?”
    8. “Do you offer service in rural areas?”
    9. “Can I pick up instead of delivery?”
    10. “Can I get a service checklist after the job?”
    11. “Can I get a quote by text or email?”
    12. “Do you offer financing through a third party?”

    It’s very difficult to tell if a message is spam based on its content. This poses the risk of you replying and having your email harvested by spammers. It’s hard to say how they’ll use it, but it’s safe to assume it could be used to send spam to websites or to try to gain access to your website account.

    How to Block Spam from phil9982@bestaitools.my

    If you’re seeing traffic or spam submissions from this email, here’s how to stop it:

    1. Use CleanTalk Anti-Spam Plugin
    Install the CleanTalk Anti-Spam plugin for your CMS (WordPress, Joomla, Drupal, etc.). It automatically filters requests by checking emails, IPs, and behavior against the global CleanTalk Spam Database.

    This email is already blacklisted and will be blocked automatically by the plugin.

    2. Manually Block the Email (if needed)
    If you want to block it manually in addition to using CleanTalk:

    Add phil9982@bestaitools.my to your site’s block list.

    Block common IPs that were used in attacks.

    Monitor your server logs for repetitive POST requests.

    phil9982@bestaitools.my is a known spammer attacking thousands of sites daily. By installing proper anti-spam protection like CleanTalk and staying vigilant, you can block these threats before they reach your visitors.

    If you’re already using CleanTalk, rest assured — this spammer is on the blacklist and will be filtered automatically.

    You can check any email or IP for spam activity on our BlackLists page.

    🧩 Want full protection?

    ✅ Blocks fake registrations and spam submissions
    ✅ Filters bots and fake emails in real time
    ✅ No CAPTCHAs or puzzles – clean and fast

    Stay ahead of spam – let CleanTalk handle the bots so you can focus on your content. Protect your site in under 5 minutes.
    👉 Start now

  • How Agencies Use CleanTalk to Secure High-Risk WordPress Environments

    WordPress powers business websites of every size and is one of the most commonly used tools in website development due to its massive developer ecosystem. However, in fast-growing and higher-risk digital environments, WordPress also has a long history of vulnerabilities, often exploited because of its large and open plugin ecosystem.

    At CleanTalk, we regularly work with professional WordPress agencies managing business-critical websites across healthcare, infrastructure, and enterprise sectors. In these contexts, security solutions must be reliable, lightweight, and proven over time.

    One such example comes from Myanmar, where a regional web development agency, Bold Label, manages multiple high-traffic and high-visibility WordPress sites for enterprise clients.

    CleanTalk as a Long-Term Security Standard

    Rather than relying on multiple overlapping plugins or reactive fixes, Bold Label made an early decision to standardize on CleanTalk as its primary WordPress security layer across client projects. CleanTalk became the default security foundation for all Bold Label–managed WordPress installations.

    This approach reduced plugin bloat, simplified maintenance, and made security behavior predictable across different sites and industries.

    Securing Medical Platforms at Scale

    Healthcare websites are among the most sensitive WordPress environments. They handle patient inquiries, appointment requests, and critical informational content that must remain accessible and trustworthy.

    One of the largest diagnostic centers in Myanmar operates its main website on WordPress, with ongoing management by Bold Label. CleanTalk has been actively protecting this site by blocking automated attacks, filtering spam submissions, and preventing malicious access attempts.

    The result has been stable operations, clean form data, and minimal administrative overhead through an easy-to-manage dashboard. Security remains effective without interfering with legitimate patients or medical staff.
    See website.

    Protecting Industrial and Corporate Websites

    CleanTalk is equally effective for corporate and infrastructure-focused websites that face different threat profiles.

    A leading powerline and electrical construction company in Myanmar relies on CleanTalk for malware protection and abuse prevention on its corporate WordPress site. Managed by Bold Label, the site serves as a key business touchpoint for partners and institutional stakeholders.

    CleanTalk keeps the site clean, fast, and uncompromised, even under constant background scanning and automated threats.
    See website.

    Why Agencies Standardize on CleanTalk

    For agencies like Bold Label, WordPress security is not an upsell feature. It is part of delivery responsibility.

    By standardizing on CleanTalk, agencies reduce maintenance complexity, shorten incident response time, and avoid reactive security workflows. This allows development teams to focus on performance, UX, and scalability rather than ongoing cleanup and monitoring.

    Practical Security in Real Deployments

    These deployments show how CleanTalk operates in real production environments, not just controlled test cases.

    Across healthcare and industrial websites, CleanTalk delivers consistent protection with minimal configuration and low ongoing overhead. While these examples come from specific sectors, the same approach applies to any WordPress site that requires stable, long-term security.

    CleanTalk can be deployed across a wide range of use cases, from corporate and service websites to high-traffic platforms. Details on available plans and pricing are available on the CleanTalk website.

  • otujoye@mailcorplrtgood.com — Detection and Blocking

    What Is This Bot?

    The email address belongs to a set of randomized domains generated for automated use. As a result, it does not correspond to a legitimate mailbox and is therefore used for automated form submissions. In practice, log data shows repeated, high-frequency submission attempts, which are typically associated with domains lacking valid MX records. In this context, the observed activity involves machine-generated input that targets website forms and underlying application logic.

    Recent Attacks Detected

    Across websites protected by CleanTalk Anti-Spam, this bot consistently demonstrates aggressive behavior. On December 2, 2025, it initiated a rapid sequence of contact-form submissions at machine speed, and attempted multiple user registrations. The following day, the system recorded a pattern of IP rotation that is characteristic of botnet behavior. On December 4, the bot was again identified scanning form endpoints, but the attempt was stopped before reaching the application layer thanks to SpamFireWall filtering.

    These events closely align with bot behaviors described by Imperva, where malicious automation imitates real users, rotates identities, and continuously probes for vulnerabilities.

    How This Spam Bot Operates

    Instead of behaving like a normal visitor, this bot submits forms far faster than a human ever could, changes its user agent headers to appear legitimate, and introduces artificial timing delays to bypass simple JavaScript filters. It fabricates random names, email addresses and message subjects, while trying to discover weak validation rules or unprotected endpoints such as custom APIs.
    Beyond this, its activity distorts website analytics by generating fake conversions, sign-ups and form submissions. As confirmed in OOPSpam’s 2024 report, synthetic and disposable emails — exactly like those from the mailcorplrtgood domain cluster — represent the fastest-growing pattern of automated abuse.

    Why This Bot Is Dangerous

    Bots of this type cause multiple layers of damage. They inflate registration and form-submission counts, undermining accurate analytics. Their constant POST requests increase server load, sometimes raising CPU usage by as much as 15–25%, as highlighted by ClickCease’s research.
    In addition, because they repeatedly scan your site structure, they can reveal vulnerable entry points or expose weak validation. Since modern bots easily bypass common CAPTCHA implementations, their activity often precedes more serious intrusions such as credential stuffing or brute-force attempts.

    How to Check This Email

    The easiest way to validate whether an email is legitimate is to use the CleanTalk Email Checker: https://cleantalk.org/email-checker

    In addition to the Email Checker, you can also verify this address in the CleanTalk Public Blocklist.
    This database records spam activity, failed form submissions, and bot-generated behavior for domains and email accounts.
    You can view the real-time status of this address here:

    The checker evaluates email existence, spam history, MX configuration and signs of bot activity. For otujoye@mailcorplrtgood.com, the system typically reports that the address does not exist, is associated with spam activity, and belongs to a low-reputation synthetic domain — all indicators of a high-risk automated bot.

    How to Protect Your Website

    The most reliable method of stopping this bot is to activate CleanTalk Anti-Spam, which filters automated submissions before they reach your backend. Combined with SpamFireWall for IP-level blocking and Anti-Crawler technology for detecting scanning patterns, the system prevents bots from overloading forms or probing endpoints.

    Recommended setup:

    ✔ CleanTalk Anti-Spam Plugin
    ✔ SpamFireWall
    ✔ Anti-Crawler
    ✔ Form & Registration Protection

    Install Anti-Spam:
    https://cleantalk.org/help

    Conclusion

    The address otujoye@mailcorplrtgood.com is part of a known botnet that uses machine-generated domains to carry out high-volume automated attacks. With malicious bot traffic representing nearly a third of the modern internet, proactive and cloud-based anti-spam protection is essential.

    CleanTalk Anti-Spam blocks bots before they interact with your website, preserving performance, security and analytics integrity.

  • Spam Bot dinanikolskaya99@gmail.com — How to Block It and Stop Website Attacks

    The email address dinanikolskaya99@gmail.com has been reported for sending spam and launching automated malicious requests on thousands of websites.

    According to CleanTalk BlackLists, this address has:

    • Attacked over 10,002 websites
    • Generated approximately 17,304 spam requests in the last 24 hours
    • The bot uses many different IP addresses from all over the world.
    • First detected on June 19, 2025
    • Last activity recorded: Nov 21, 2025 06:28:40 GMT0.

    The bot is currently blacklisted in CleanTalk Anti-Spam databases.

    What Does This Spam Bot Do?

    This spam bot employs a multilingual approach, sending seemingly innocent pricing inquiry messages in various languages to bypass basic spam filters. The messages appear legitimate at first glance, making them particularly insidious for website owners who might mistake them for genuine customer inquiries.

    Common Spam Messages from dinanikolskaya99@gmail.com

    The bot sends variations of pricing inquiries in multiple languages:

    • Danish: “Hej, jeg ønskede at kende din pris.”
    • Indonesian: “Hai, saya ingin tahu harga Anda.”
    • Latin: “Hi, ego volo scire vestri pretium.”
    • Albanian: “Hi, kam dashur të di çmimin tuaj”
    • English: “Hi, I wanted to know your price.”
    • Spanish: “Hola, quería saber tu precio..”
    • Zulu: “Sawubona, bengifuna ukwazi intengo yakho.”

    All these messages translate roughly to:
    “Hi, I wanted to know your price.”

    The bot repeats this pattern on contact and comments forms.

    Here is a snapshot from CleanTalk’s logs:

    “17304 requests in 24 hours detected from multiple IP addresses. All actions associated with spam form submissions and bot-like behavior.”

    dinanikolskaya99@gmail.com spam report Nov 21, 2025 06:28:40 GMT0

    How to Block Spam from zekisuquc419@gmail.com

    If you’re seeing traffic or spam submissions from this email, here’s how to stop it:

    1. Use CleanTalk Anti-Spam Plugin
    Install the CleanTalk Anti-Spam plugin for your CMS (WordPress, Joomla, Drupal, etc.). It automatically filters requests by checking emails, IPs, and behavior against the global CleanTalk Spam Database.

    This email is already blacklisted and will be blocked automatically by the plugin.

    2. Manually Block the Email (if needed)
    If you want to block it manually in addition to using CleanTalk:

    Add zekisuquc419@gmail.com to your site’s block list.

    Block common IPs that were used in attacks (CleanTalk logs show many from Russian ranges).

    Monitor your server logs for repetitive POST requests.
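
    One way to do the log monitoring step, as an added example that is not part of the original post. It counts POSTs per path across all client IPs, because a bot that uses many different addresses stays under any per-IP counter; the log lines, the 60-second window and the threshold of 5 are constructed assumptions.

```php
<?php
// Added illustration; log lines, paths, window and threshold are constructed.

// Constructed access-log sample in combined log format (documentation IP ranges).
$log = <<<'LOG'
198.51.100.4 - - [21/Nov/2025:06:20:01 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Nov/2025:06:20:40 +0000] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Nov/2025:06:28:01 +0000] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.52 - - [21/Nov/2025:06:28:03 +0000] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Nov/2025:06:28:04 +0000] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.90 - - [21/Nov/2025:06:28:06 +0000] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.15 - - [21/Nov/2025:06:28:09 +0000] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
LOG;

// Returns, per path, the largest burst of POSTs seen inside any sliding window
// of $windowSeconds, provided it reaches $threshold requests.
function postBursts(string $log, int $windowSeconds, int $threshold): array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) [^"]*"/';
    $byPath = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a POST, or not a parseable line
        }
        $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($ts === false) {
            continue;
        }
        // Group by path without the query string; keep [timestamp, client IP].
        $byPath[strtok($m[3], '?')][] = [$ts->getTimestamp(), $m[1]];
    }

    $bursts = [];
    foreach ($byPath as $path => $hits) {
        usort($hits, fn($a, $b) => $a[0] <=> $b[0]);
        $start = 0;
        foreach ($hits as $end => [$time]) {
            // Slide the window start forward until it spans at most $windowSeconds.
            while ($time - $hits[$start][0] > $windowSeconds) {
                $start++;
            }
            $count = $end - $start + 1;
            if ($count >= $threshold && $count > ($bursts[$path]['posts'] ?? 0)) {
                $ips = array_unique(array_column(array_slice($hits, $start, $count), 1));
                $bursts[$path] = [
                    'posts'        => $count,
                    'distinct_ips' => count($ips),
                    'from'         => gmdate('c', $hits[$start][0]),
                ];
            }
        }
    }
    return $bursts;
}

print_r(postBursts($log, 60, 5));
```

    A burst where distinct_ips is close to posts is the rotating-address pattern; a burst from a single address is the case a per-IP rate limit already covers.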

    zekisuquc419@gmail.com is a known spammer attacking thousands of sites daily. By installing proper anti-spam protection like CleanTalk and staying vigilant, you can block these threats before they reach your visitors.

    If you’re already using CleanTalk, rest assured — this spammer is on the blacklist and will be filtered automatically.

    You can check any email or IP for spam activity on our BlackLists page.

    🧩 Want full protection?

    ✅ Blocks fake registrations and spam submissions
    ✅ Filters bots and fake emails in real time
    ✅ No CAPTCHAs or puzzles – clean and fast

    Stay ahead of spam – let CleanTalk handle the bots so you can focus on your content. Protect your site in under 5 minutes.
    👉 Start now

  • Critical Vulnerability in WP Reset – Plaintext License Key Exposure via Public Log File (CVE-2025-10645)

    CleanTalk Research Team has identified a severe information disclosure vulnerability in the popular WordPress plugin WP Reset (400,000+ active installations). The issue allows unauthenticated attackers to obtain license keys and sensitive site metadata directly from a publicly accessible log file created by the plugin.

    This vulnerability has been assigned CVE-2025-10645 and independently confirmed by Wordfence.

    Potential Consequences


    1. License Abuse

    • License Theft: Using stolen keys on other websites
    • Resale: Illegally selling valid license keys
    • Financial Losses: Losses to plugin developers from illegal use

    2. Targeted Attacks

    • Infrastructure Reconnaissance: Collecting software version information to find other vulnerabilities
    • Phishing: Using website information for targeted phishing attacks
    • Social Engineering: Using data for convincing attacks

    3. Privacy Breach

    • Corporate Data Leak: Exposing organization names and internal URLs
    • Compliance Issues: Violation of GDPR/CCPA when personal data is leaked
    • Reputational Risks: Damage to reputation when a leak is discovered

    4. Attack Escalation

    • Exploit Chains: Using nonces and metadata for other attacks
    • Credential Stuffing: Using obtained information to attack other services
    • RCE Chains: Combining with other vulnerabilities for remote code execution

    Affected Versions

    Confirmed to be vulnerable: WP Reset version 2.05 and earlier
    Fixed in: version 2.06 (released September 18, 2025)

    CVE-2025-10645 poses a serious privacy threat to hundreds of thousands of WordPress sites using WP Reset. While the vulnerability does not allow direct code execution, the leak of license keys and metadata creates significant security risks and can lead to financial losses.
    This incident highlights the critical importance of secure logging practices:

    • Never write secrets in plaintext
    • Store logs outside the web root
    • Disable verbose logging in production
    • Audit and purge logs regularly

    Developers should treat logging with the same seriousness as password handling—any sensitive information must be protected at all stages of the application lifecycle.

    References
    Wordfence Advisory:
    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-reset-2/wp-reset-205-unauthenticated-sensitive-information-exposure-via-wf-licensinglog 

    CleanTalk Research Report:
    https://research.cleantalk.org/cve-2025-10645/