Skip to:
Content
Pages
Categories
Search
Top
Bottom

Fighting Splogs

  • Avatar of Michael Berra
    Michael Berra
    Participant

    @miguael

    Hi everybody

    I know this is kind of an endless topic – at least it seems so, when I read the threads over at mu.wordpress.org…

    My questions is the following – could it be, that some plugins do not work with buddypress, because it is not using the wp-signup.php?

    That is what I tried:

    - rename or even delete the wp-signup.php…

    - Using a captcha on my registration page (register.php)

    - I installed the hashcash plugin with signup-protection activated (without aksimnet), but it seems, that it doesn’t do anything – I still get spam registrations.

    Any ideas? It is very anoying…!

    I post this here, because I think this is just a great community of helpers!!!

Viewing 20 replies - 26 through 45 (of 45 total)
  • Avatar of arezki
    arezki
    Participant

    @arezki

    ALso: you may want to install WP-Ban and watch for the IP address of those who are driving you crazy. I suspect we are getting troubled by same punks. If so, feel free to take the list of my banned IP addresses and drop them in the wp-ban section after u install it. I managed to get about 500 attempts blocked in 3 days. Her’s my list so far. http://northafricaadvisors.com/banned-ips/

    Avatar of stripedsquirrel
    stripedsquirrel
    Participant

    @stripedsquirrel

    Thanks arezki, but my last 15 splogs all had different IP’s and email domains, so I am not sure if this will help anything/

    I also have nothing of the original message in the footer, but they keep on coming.

    I notice that (with the welcome pack installed/enabled), that I receive friendship requests from, well, myslef :) whenever a splog signs up. I am not sure if this means that the email to the sploguser has bounced or so?

    Seems that the banned email domains list in WPMU Admin options is not being used/checked as well, I just had a sign up from @live.cn, while I have *.cn on my blocklist…

    I sent a message to Andy yesterday, as this problem is too big to ignore, see testbp.org.

    Avatar of stwc
    stwc
    Participant

    @stwc

    Well, I don’t know — I seem to have lucked out, or it’s just that my site is too new and so-far untrafficked, but the few very simple, small changes I made last week seem to have stopped the firstnamelastname19xx signups.

    1) I changed the some of the text on the /register page.

    2) I removed the “powered by” text in footer.php of my child theme (someone mentioned that it was being searched for)

    3) I changed the register slug in wp-config.php

    4) Added a functions.php file in my custom childtheme with the following code to redirect signups for all blogs to the Buddypress register page

    function rk_signup_redirect() {
    if (strpos($_SERVER['REQUEST_URI'], 'wp-signup.php') !== false ) {
    $url = 'http://mydomain.com/customregisterslug';
    wp_redirect($url);
    exit;
    }
    }
    add_action('init', 'rk_signup_redirect');

    where mydomain.com is, you know, my domain, and customregisterslug is the slug I changed in step 3.

    I don’t think I changed anything else — no captchas or anything — and I’ve received zero splog signups in the 5 days since, after getting a few a day before that. Fingers crossed.

    Avatar of bpisimone
    bpisimone
    Participant

    @bpisimone

    Sounds nice stwc. Can you describe 3) a little more detailed?

    Avatar of stwc
    stwc
    Participant

    @stwc

    Yep, here.

    define ( 'BP_REGISTER_SLUG', 'signup' );

    except rather than ‘signup’ I used ‘jointhecommunity’ as I recall.

    Avatar of bpisimone
    bpisimone
    Participant

    @bpisimone

    perfect!

    Avatar of stwc
    stwc
    Participant

    @stwc

    Don’t forget to put the define statements BEFORE the STOP EDITING HERE LINE in the config.php. That had me scratching my head for a while.

    Avatar of stripedsquirrel
    stripedsquirrel
    Participant

    @stripedsquirrel

    So far no luck with all of the above.

    Just noticed that when changing register slug as mentioned that the link on the login page (for example after logging out: http://biketravellers.com/wp-login.php?loggedout=true) does not change, it links to http://biketravellers.com/wp-login.php?action=register which gives a 404.

    (as it links to /register)

    Any idea why the new slug does not work (it works on the homepage, and I also added a function to the functions page).

    How to change that link on wp-login.php without hardcoding and losing it after every upgrade?

    Cheers, Harry

    Avatar of Andrea Rennick
    Andrea Rennick
    Participant

    @andrea_r

    Yep, one of the tricks on even a plain mu install is to rename signup. Stops ‘em dead.

    There’s a few automated programs out there that scammy people are selling to other scammy people to send out these automated signups. So, the things you can change from the defaults usually stop them.

    Avatar of BestofNJ.com
    BestofNJ.com
    Participant

    @frenchtowner

    Why can’t we just add a quiz question that has to be read by human eyes to be answered. I use that with Contact Form 7 and it works perfectly. How do I add that to register php?

    Avatar of Bowe
    Bowe
    Participant

    @bowromir

    stwc wrote a very good guest post for BP-Tricks where he explains the tips he gave here in a very clear and understandable way. Check out the post here:

    http://www.bp-tricks.com/tips_and_tricks/stopping-the-sploggers/

    Avatar of bcbccouk
    bcbccouk
    Participant

    @bcbccouk

    stwc’s summary of methods does seem to stop a lot of spam, but I’ve still been having some. I tried SI Capthca (http://wordpress.org/extend/plugins/si-captcha-for-wordpress) but that seemed completely ineffective.

    My latest weapon in the war has been to modify Invisible Defender (http://wordpress.org/extend/plugins/invisible-defender) firstly to make it work with the buddypress registration page and secondly obfuscate its hidden fields by giving them random names and values:

    http://bcbc.co.uk/mu/blog/2009/12/11/wordpress-registration-spam/

    Avatar of r-a-y
    r-a-y
    Moderator

    @r-a-y

    @bcbccouk

    That’s the exact approach I took (although I removed the admin screen because I don’t really care for it). It works wonders.

    +1 for randomising the names and values. I’m going to take that bit of code! ;)

    Avatar of bcbccouk
    bcbccouk
    Participant

    @bcbccouk

    It works…for the moment. (There’s an obvious way around the hidden fields method). I’ve got some other ideas to make it harder to regex the html, I’ll post back when I’m done.

    Avatar of Bowe
    Bowe
    Participant

    @bowromir

    Thanks bcbccouk I’ve updated the post and added your information and plugin link!

    Avatar of jnkfrancis
    jnkfrancis
    Participant

    @jnkfrancis

    Anyone have any luck using sign-up question or wpmudev’s sign-up code? They both work great on a regular MU install since the person signing up has to answer a logical question or enter a code that they have received previously. The problem is when you activate those plugins, they work on the WordPress registration page and not the BuddyPress Registration page. Those would likely solve all the problems if we could get them to work together.

    I’m developing a site that we want only approved, or in some cases paid members to be able to sign up, but I can’t get either of those plugins to work with BuddyPress. Anyone been able to do that, or know how it would be done?

    Avatar of bcbccouk
    bcbccouk
    Participant

    @bcbccouk

    Signup questions and codes are a good supplement to the other methods but are also ultimately fallible. In the same way that Captcha is rendered ineffective by human relay attack, so to are questions; it will just take time for spammers to catch on.

    It seems to me that the way forward is to incrementally roll out new defences, only presenting new defences when the old ones have been broken. As soon as lots of sites use a defence, that defence will probably soon be doomed to failure: spammers will only take the time to develop new exploits when a particular method of defence becomes popular. I believe this is the only reason why the hidden fields method currently works: its not sufficiently popular to bother coding an exploit for it (even though such a task would take about five minutes).

    Avatar of dadaas
    dadaas
    Member

    @dadaas

    I have ask my question in other topic but they deleted it.

    Anyway, is there a way i could use original wordpress signup page instead of security leaked buddypress signup page?

    Please anyone know how to force peopel to signup trough original signup form.

    I might be missing the point completely here, but I changed my theme’s sidebar.php code to call up the root sign-up using this;

    <?php printf( __( ' You can also create an account.’, ‘buddypress’ ), site_url( ‘/wp-signup.php’ ) ) ?>

    Mind you, it shows the sign-up form complete with the extra fields I added via Buddypress. Does this mean it’s still being hooked into by BP and is actually bypassing the standard WP 3.0 sign-up code? I noticed that even pulling out the php and replacing it with a normal href link, it still does the same thing.

    Avatar of MrsAngelD
    MrsAngelD
    Participant

    @mrsangeld

    stwc, found this post and using your method I haven’t had a spam registration yet. thanks so much.

Viewing 20 replies - 26 through 45 (of 45 total)

You must be logged in to reply to this topic.