Title: Spammer using Admin API Key
Last modified: January 23, 2023

---

# Spammer using Admin API Key

 *  Resolved [Gabe Shackle](https://wordpress.org/support/users/hereswhatidid/)
 * (@hereswhatidid)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/)
 * We’re experiencing an issue where a spammer is gaining access to the admin API
   key and using that for sending spam requests directly to the Algolia endpoint.
   We’ve regenerated the Admin API key multiple times and within 1-2 days each time
   the spammer picks up the Admin API key value again.
 * Is there any way that the plugin is exposing the Admin API key on the front end
   somehow? Algolia tech support has been unable to find any other way for the value
   to be exposed to the spammer.

Viewing 13 replies - 1 through 13 (of 13 total)

 *  Plugin Contributor [Michael Beckwith](https://wordpress.org/support/users/tw2113/)
 * (@tw2113)
 * The BenchPresser
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16400815)
 * Only way I can think of and see how they’d potentially be getting that information
   would be if they’re somehow managing to get ahold of the search client object.
   That’s not something we coded special, but instead is coming from our bundled
   copy of [https://github.com/algolia/algoliasearch-client-php](https://github.com/algolia/algoliasearch-client-php)
 * Are you defining your API keys via the settings page? Or are you perhaps using
   something like the PHP Constants that can be added to your wp-config.php?
 *  Thread Starter [Gabe Shackle](https://wordpress.org/support/users/hereswhatidid/)
 * (@hereswhatidid)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16415337)
 * I’m currently defining them via the settings page.
 *  Plugin Contributor [Michael Beckwith](https://wordpress.org/support/users/tw2113/)
 * (@tw2113)
 * The BenchPresser
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16415365)
 * I wonder if setting via the constants could potentially help in this specific
   case. However I can’t guarantee it.
 *  Thread Starter [Gabe Shackle](https://wordpress.org/support/users/hereswhatidid/)
 * (@hereswhatidid)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16415494)
 * Would any of that search client object be exposed on the front end in some way?
   I’m not seeing any indication that they have actual WP code or admin access at
   this point.
 *  Plugin Contributor [Michael Beckwith](https://wordpress.org/support/users/tw2113/)
 * (@tw2113)
 * The BenchPresser
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16415524)
 * Nothing that shouldn’t be exposed directly and scrapable. For example something
   like:
 *     ```js
       let apikey = 'somerandomstringvalue';
       ```
   
 * from localized data on the server side.
 * Not sure if they could somehow be intercepting and reading POST requests for 
   the search queries.
 *  Thread Starter [Gabe Shackle](https://wordpress.org/support/users/hereswhatidid/)
 * (@hereswhatidid)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16415628)
 * ![](https://i0.wp.com/www.risdall.com/wp-content/uploads/2023/01/spam-request-agent.png?ssl=1)
 * Here’s a screenshot of an example spam request. You can see for User-Agent it’s
   Algolia for PHP rather than a web browser. Would that indicate it has access 
   to something on the back end in your opinion?
 * The API being passed with this request is the admin key rather than the public-
   facing search key.
 *  Thread Starter [Gabe Shackle](https://wordpress.org/support/users/hereswhatidid/)
 * (@hereswhatidid)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16415647)
 * Just figured this out. Basically what’s happening is we’re using a custom search
   query parameter and if the spammer uses the default /?s=something that calls 
   the API directly using the Admin API key. Doesn’t look like the key is actually
   exposed anywhere but it was interesting that using the “s” parameter uses the
   Admin search key rather than the Search key provided in the settings.
 *  Plugin Contributor [Michael Beckwith](https://wordpress.org/support/users/tw2113/)
 * (@tw2113)
 * The BenchPresser
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16415678)
 * Very interesting and good to know.
 *  Thread Starter [Gabe Shackle](https://wordpress.org/support/users/hereswhatidid/)
 * (@hereswhatidid)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16463382)
 * Is it possible to disable using the admin API key for searches? We’re using a
   specific search key that limits the searches and when the admin API key is used
   that circumvents any of the limiting functionality.
 *  Plugin Contributor [Michael Beckwith](https://wordpress.org/support/users/tw2113/)
 * (@tw2113)
 * The BenchPresser
 * [3 years, 3 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16467506)
 * According to the UI in the algolia.com dashboard:
 * > This is the ADMIN API key. Please keep it secret and use it ONLY from your 
   > backend: this key is used to create, update and DELETE your indices. You can
   > also use it to manage your API keys.
 * All stuff that shouldn’t be getting done from performing searches.
 * Remind me again where you’re seeing the key from the frontend.
 *  Thread Starter [Gabe Shackle](https://wordpress.org/support/users/hereswhatidid/)
 * (@hereswhatidid)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16474131)
 * We’re having spammers submit junk searches directly through the site search rather
   than using the Instantsearch.js or autocomplete methods. When the search is submitted
   directly via PHP, the search API is using the admin key rather than the search
   key.
 * When I look at the logs any of the searches that come up with Algolia for PHP
   set as the User-Agent the key provided is the admin key. I can provide more detailed
   logs if you have a secure way to send the files over.
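The pattern described in this post (searches arriving with the `Algolia for PHP` User-Agent and the admin key instead of the search-only key) can be confirmed from request logs before contacting support. The following is an added triage script, not code from the plugin or from the thread; the log format is a constructed assumption (one JSON object per line with the request headers), and the key prefixes and IPs are placeholders, since real logs show keys obfuscated.

```python
import json
from collections import Counter

# Constructed sample request log (not real Algolia output); its shape is an assumption:
# one JSON object per line carrying the request headers and the submitted search query.
SAMPLE_LOG = """\
{"ts": "2023-01-20T10:01:02Z", "ip": "203.0.113.5", "headers": {"User-Agent": "Algolia for JavaScript (4.14.2); Browser", "X-Algolia-API-Key": "f3a9************************c1d2"}, "query": "running shoes"}
{"ts": "2023-01-20T10:01:07Z", "ip": "198.51.100.9", "headers": {"User-Agent": "Algolia for PHP (3.3.2); PHP (8.1.2)", "X-Algolia-API-Key": "0b7e************************9a4f"}, "query": "BUY CHEAP PILLS http://example.invalid"}
{"ts": "2023-01-20T10:01:09Z", "ip": "198.51.100.9", "headers": {"User-Agent": "Algolia for PHP (3.3.2); PHP (8.1.2)", "X-Algolia-API-Key": "0b7e************************9a4f"}, "query": "casino bonus"}
{"ts": "2023-01-20T10:02:30Z", "ip": "203.0.113.7", "headers": {"User-Agent": "Algolia for JavaScript (4.14.2); Browser", "X-Algolia-API-Key": "f3a9************************c1d2"}, "query": "trail jacket"}
"""

# Constructed prefixes of the obfuscated keys as they show up in the log (placeholders):
# the admin key and the restricted search-only key configured in the plugin settings.
ADMIN_KEY_PREFIX = "0b7e"
SEARCH_KEY_PREFIX = "f3a9"


def key_role(masked_key, admin_prefix=ADMIN_KEY_PREFIX, search_prefix=SEARCH_KEY_PREFIX):
    """Map an obfuscated key to the role it was issued for."""
    if masked_key.startswith(admin_prefix):
        return "admin"
    if masked_key.startswith(search_prefix):
        return "search-only"
    return "unknown"


def client_family(user_agent):
    """Distinguish the server-side PHP client from the browser JavaScript client."""
    if user_agent.startswith("Algolia for PHP"):
        return "php"
    if user_agent.startswith("Algolia for JavaScript"):
        return "javascript"
    return "other"


def triage(log_text):
    """Return (findings, counts): findings are searches served with the admin key,
    counts tally (client family, key role) pairs so the mismatch stands out."""
    findings, counts = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        headers = entry.get("headers", {})
        role = key_role(headers.get("X-Algolia-API-Key", ""))
        family = client_family(headers.get("User-Agent", ""))
        counts[(family, role)] += 1
        if role == "admin":  # a search should never carry the admin key
            findings.append({"ts": entry["ts"], "ip": entry["ip"], "client": family, "query": entry["query"]})
    return findings, counts


if __name__ == "__main__":
    hits, tally = triage(SAMPLE_LOG)
    for hit in hits:
        print("ADMIN KEY USED FOR SEARCH:", hit)
    print(dict(tally))
```

On the constructed sample every admin-key search comes from the PHP client, which is the same correlation the thread starter reports: server-side searches bypass the restrictions on the search-only key.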
 *  Plugin Contributor [Michael Beckwith](https://wordpress.org/support/users/tw2113/)
 * (@tw2113)
 * The BenchPresser
 * [3 years, 3 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16474175)
 * [support@pluginize.com](mailto:support@pluginize.com)
   will reach us securely and away from the public forums here.
 *  Plugin Contributor [Michael Beckwith](https://wordpress.org/support/users/tw2113/)
 * (@tw2113)
 * The BenchPresser
 * [3 years, 3 months ago](https://wordpress.org/support/topic/spammer-using-admin-api-key/#post-16475270)
 * Still trying to make sure we’re tracking things down properly. The only time 
   I can see that we’re running code that involves the admin API key, is during 
   some load indices calls, but those are also not returning anything that would
   be accessible from the frontend either. More on the watchers side.
 * I know you sent over some search logs, and I’m wondering if your main suspicion
   of admin API key is because they’re listed, though obfuscated in the search log
   data and that’s been a primary lead?

The topic ‘Spammer using Admin API Key’ is closed to new replies.