
Is there a backdoor in WPMU/Buddypress?

  • Michael Berra
    Participant

    @miguael

    To make it clear: This is not a “methods-for-stopping-spammers” question. With the methods mentioned here I stopped most of the spammers coming through the “normal” way. Additional fields, changed slug, captcha, etc etc… All the spammers I once had filled in the required field with some dummy information.

    BUT here is my question: Is there another way to get through and create users and afterwards blogs? I know once there was, through a bbpress-loophole. But I think this is not an issue anymore (without a separate bbpress installation)

    Here is what lets me ask this question, because I think it is strange:

    - I get A LOT of spam-registrations with just the name/username – no required fields are even touched or filled in any way

    - I deleted wp-signup.php (because I guessed they could use that)

    - I even deactivated any form of registration/creation from the backend

    - there is not one spam-user already in the system (I know them all personally)

    - occasionally I got a real human registration, not assigned to any blog, no required fields filled out (which is really strange)

    –>My conclusion after this: It is possible to register without even touching the registration-form or the wp-signup.php, right?

    So, my question is: Is there ANY way of registration that goes around everything mentioned? Then I guess: THERE IS A BACKDOOR?!

    Please don’t answer with use this captcha, this method, etc…

    This is a question, so that I understand how it works and if I miss something (which really would be possible :-))

    Thanks to all the WPMU/Buddypress-Gurus, that could answer this question!!!

    Greez, Michael

Viewing 9 replies - 1 through 9 (of 9 total)
  • helmi
    Participant

    @helmi

    just a thought: How about the intruder coming from another end than wordpress? There are so many theoretical ways to enter some data in the database.

    Of course that doesn’t mean it’s not a wordpress problem – just to keep an eye on other things too.

    Andy Peatling
    Keymaster

    @apeatling

    I’ve already answered this question.

    If you have a spammer with admin access on a blog, they can add new users to that blog. They are then new users in the system since WPMU shares a global users table. So essentially once a spammer has a blog they can get others in.

    This is simply the way WPMU works, and if I try and change that, people shout and scream at me. The reality is, if you want to use WordPress MU and BuddyPress along with it, you are going to have to manage this somehow. Otherwise, just use standard WordPress since it doesn’t have these issues.
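
An added example, not part of the original thread and not WPMU or BuddyPress code: one way to triage accounts by how they most likely entered the shared users table, separating form signups from users attached to a blog without a signup record and from accounts with neither. The record layout, field names and sample rows are constructed for illustration and stand in for data an admin would pull from the users, signup and profile records.

```python
from collections import Counter

REQUIRED_FIELDS = ("City",)  # hypothetical required profile field
TRUSTED_IDS = {1}            # accounts created at install time

# Constructed sample rows: a simplified model, not the real WPMU tables.
USERS = [
    {"id": 1, "login": "siteadmin", "signup": False, "profile": {"City": "Bern"}, "blogs": [1]},
    {"id": 2, "login": "anna", "signup": True, "profile": {"City": "Basel"}, "blogs": [1, 2]},
    {"id": 3, "login": "xk9promo", "signup": False, "profile": {}, "blogs": [7]},
    {"id": 4, "login": "cheap-deals", "signup": False, "profile": {}, "blogs": [7]},
    {"id": 5, "login": "peter", "signup": False, "profile": {}, "blogs": []},
    {"id": 6, "login": "bob", "signup": True, "profile": {"City": " "}, "blogs": []},
]

def classify(user):
    """Label the most likely creation path for one account."""
    if user["id"] in TRUSTED_IDS:
        return "trusted"
    complete = all(user["profile"].get(f, "").strip() for f in REQUIRED_FIELDS)
    if user["signup"]:
        # Came through the registration form; flag if required fields are empty.
        return "signup-form" if complete else "signup-incomplete"
    if user["blogs"]:
        # No signup record but attached to a blog: consistent with a blog
        # admin adding the user to the shared users table.
        return "added-by-blog-admin"
    # No signup record and no blog: some other entry point wrote the row.
    return "unexplained"

def report(users):
    return {u["login"]: classify(u) for u in users}

def blogs_to_review(users):
    """Rank blogs by how many form-bypassing accounts are attached to them."""
    hits = Counter(b for u in users if classify(u) == "added-by-blog-admin"
                   for b in u["blogs"])
    return hits.most_common()

if __name__ == "__main__":
    for login, label in report(USERS).items():
        print(f"{login:12} {label}")
    print("blogs to review:", blogs_to_review(USERS))
```

Accounts labelled `unexplained` match the pattern described in the opening post (no blog, no required fields) and point at an entry path other than the form or a blog admin.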

    Windhamdavid
    Participant

    @windhamdavid

    ~ also might want to make sure and check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page.” in wp-admin/wpmu-options.php “Admin > Site Options”

    Andy Peatling
    Keymaster

    @apeatling

    Good call Windhamdavid.

    Michael Berra
    Participant

    @miguael

    Yes, I disabled that option already… Don’t think they come in that way… :)

    My question is just: is there another possible way to sign up (besides the Register-page and adding through admins)?

    Windhamdavid
    Participant

    @windhamdavid

    let’s continue this thread over here ~ http://buddypress.org/forums/topic/how-to-control-spam-registration/page/2

    and did you try that recommendation regarding bbpress?

    danbpfr
    Participant

    @chouf1

    Just to butt in a tiny bit…

    Did you look into the comments or posts on the different blogs? There are sometimes strange links that can appeal to spammers. Some long post with many links inside or many Viagra words. You see what I mean…

    I recently did such a search and found some on my “trusted members” blogs.

    Hugo
    Moderator

    @hnla

    Have to admit I had no idea there was another registration.php page and it would never have occurred to me to look in the bbpress folder.

    This kinda worries me really. Why is this required, and also a password reset file? It feels as though it’s a bad hangover from earlier days and ought to be removed.

    Is it not time that this bbpress thing be integrated fully or at least forum capabilities simply part of BP core?

    I have deleted this registration file and will be interested to see if it clears up the remaining few spam signups still being received.

    FayssalF
    Participant

    @itoube

    Michael, could you have a look at the invisible-defender plugin?
