Stop BuddyPress SPAM


  • culsire_ceo
    Participant

    @culsire_ceo

    Good day,

    I’ve scoured the web for “current” information on ways to stop all the BP Spam. Most of the articles online are from 2010, so all their recommendations are outdated plugins. What can I do today to keep my site from receiving so many SPAM registered users?

    My site: http://www.culsire.com
    WordPress version: 3.8.1
    BuddyPress version: 1.9.2
    Theme: MesoColumn

Viewing 20 replies - 1 through 20 (of 20 total)

  • culsire_ceo
    Participant

    @culsire_ceo

    Still no reply to this…can ANYBODY help me with this?


    contrasupport
    Participant

    @contrasupport

    How about using the following plugins:

    1. Stop Spammers by Keith Graham
    2. Captcha by BestWebSoft.

    FYI: I have no relation with the plugin creators

    NOTE: Just make sure you also have access to the FTP in case you are locked out from the admin. Since I do not know what other plugins you have on your site — some plugins are not compatible with others (e.g. I used a different CAPTCHA plugin and it locked me out). If you are locked out from the admin, just use the FTP to DELETE or RENAME the plugin folders to disable the “bad plugins”.


    Henry Wright
    Moderator

    @henrywright

    Akismet is a good plugin to have enabled. It’s free for personal websites and is completely unobtrusive:

    https://wordpress.org/plugins/akismet/

    But think of your fight against spam as a ‘strategy’. No single plugin will do the job. You’ll probably need to deploy a combo of plugin(s), manual moderation etc. Spammers are always changing their tactics so your strategy will need to change from time to time also.


    blastblast
    Participant

    @blastblast

    What anti-spam plugins are you running and how many spam registrations do you average per day?

    I’m currently running Akismet, Pixel Jar Honeypot, SI CAPTCHA, and Stop Spammers by Keith Graham and I get 3-5 spam registrations per day.

    Has anyone tried Bad Behavior? How does that work for spam registration?


    BuddyBoss
    Participant

    @buddyboss

    I have used Bad Behavior. It’s ok.

    I found the best solution so far has been BuddyPress Security Check.
    https://wordpress.org/plugins/bp-security-check/

    It knocked out the majority of spam for me, and I’ve tested many spam plugins. You’ll still get some spammers, but hopefully less.

    Most spammers leave links in forums. BuddyPress could really use a method to block new users who post links pending approval.

    This plugin puts users in moderation on signup:
    https://wordpress.org/plugins/bp-registration-options/

    But that still requires you to manually activate everyone…


    culsire_ceo
    Participant

    @culsire_ceo

    Stop Spammers, Akismet, siCaptcha are the ones I currently have and use. I get 5-10 a day I guess.


    contrasupport
    Participant

    @contrasupport

    5-10 is OK — When I was handling a job application site, every month we received 4000-5000 applicants and had about 75-200 “bad users”. We did have people entering bad emails for their job application, but sometimes it was also the applicant mistyping their email AND ending up shooting the registration confirmation to the wrong/closed/nonexistent email at Gmail/Yahoo/Hotmail etc. (I had to deal with those email providers 1-2 times a year to make sure that my mail server is not on the blacklist).

    Btw, on the Stop Spammers settings add the StopSpamForum API; that way it is easier for you to check or submit bad users (add Honeypot & Botscout if possible). Also “Check Spam Words” on the settings and add to them if you see a bad username keep popping up with different IPs.


    djsteveb
    Participant

    @djsteveb

    Currently the plugin “good question” is helping me with reducing spam signups more than any other.

    I used to rely on si-captcha to help with this, but it started having some issues a few months ago (on my multi-site / BP sites), so that is not in use on my sites any longer.

    As BuddyBoss mentioned above, “bp-registration options” was a good choice for a while; it worked pretty well for me around v 1.5 or 1.6 I think, but then issues started occurring and it was left without updates for a long time (while the plugin dev was running for an election or something, if my memory is serving me today), so I axed that one…

    Nothing is going to stop the manual spammers, but they are easy to eradicate once you have stopped all the bot signups with one of the QnA type plugins in my humble experience anyhow.


    BuddyBoss
    Participant

    @buddyboss

    Two more methods that help. I recently had a crazy spam attack – probably 300 fake signups per day. I implemented these two methods and it dropped to near 0.

    1. Change the /register/ slug to something unique. An example would be /create-your-account/, or something of that nature. It just needs to be unique and also make sense in a URL for your user. Spammers targeting BuddyPress look for /register/ as the signup page. It’s all automated so you want to filter them out at the first step.

    2. Add this to your functions.php file in your theme or child theme.

    It presents a dummy field that humans don’t see. Spambots will fill it out, and if the field captures a value it will reject the signup.

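    // BuddyPress Honeypot
    // Print a text field that is hidden from human visitors; bots that
    // fill in every input on the form will give it a value.
    function add_honeypot() {
        echo '<div style="display: none;"><input type="text" name="system55" id="system55" /></div>';
    }
    add_action('bp_after_signup_profile_fields','add_honeypot');
    // Abort the signup when the hidden field comes back non-empty.
    function check_honeypot($result) {
        if (!empty($_POST['system55'])) {
            wp_redirect(home_url());
            exit;
        }
        // A filter callback must hand the validation result back,
        // otherwise BuddyPress loses its username/email checks.
        return $result;
    }
    add_filter('bp_core_validate_user_signup','check_honeypot');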

    Credits for #2 go to:
    http://mattts.net/development-stuff/web-development-stuff/wordpress/buddypress/anti-spam-techniques/registration-honeypot/

    I edited it slightly to remove the required redirect. Add that back from his tutorial if you want to. It requires that you make an extra page to send the spammer to, and I personally think that’s not necessary. I actually want them to have no indication their signup failed.


    contrasupport
    Participant

    @contrasupport

    Most of the WordPress plugins mentioned above work like

    Attacker > HTTP server > PHP > WordPress > PLUGINS

    We all need to have something before WordPress; that’s why I recommend

    NinjaFirewall (I do not have any relation with the plugin creator)

    https://wordpress.org/plugins/ninjafirewall/

    Block the attacker before WordPress

    Attacker > HTTP server > PHP > NinjaFirewall > WordPress > PLUGINS

    As always, when installing any plugin that can possibly block your admin access, you have to read the installation notes and have access to the FTP.

    NinjaFirewall will work as another layer to protect your site.

    In addition if you have not done it:

    1. Change your “Admin” username to something difficult and at least 10 characters (+) but easy to remember (+ for you – for security) or you have to read a note (-) safely secured in your safe locker (+)
    2. Make your password at least 25 COMBINATION of characters (+) but easy to remember (+ for you – for security) or you have to read a note (-) safely secured in your safe locker (+)

    NinjaFirewall:

    • Web Application Firewall
    • Full standalone web application firewall
    • Multi-site support
    • Compatible with shared hosting accounts
    • Protects against RFI, LFI, XSS, code execution, SQL injections, brute-force scanners, shell scripts, backdoors and many other threats
    • Scans and/or sanitises GET / POST requests, HTTP / HTTPS traffic, cookies, server variables (HTTP_USER_AGENT, HTTP_REFERER, PHP_SELF, PATH_TRANSLATED, PATH_INFO)
    • Sanitises variables names and values
    • Advanced filtering options (ASCII control characters, NULL byte, PHP built-in wrappers, base64 decoder)
    • Blocks username enumeration scanning attempts through the author archives and the login page
    • Blocks/allows uploads, sanitises uploaded file names
    • Blocks suspicious bots and scanners
    • Hides PHP error and notice messages
    • Blocks direct access to PHP scripts located inside specific directories
    • Whitelist option for WordPress administrator(s), localhost and private IP address spaces
    • Configurable HTTP return code and message
    • Rules editor to enable/disable built-in security rules
    • Activity log and statistics
    • Debugging mode

    BuddyBoss
    Participant

    @buddyboss

    Awesome, I didn’t know about NinjaFirewall until now.

    Change your “Admin” username to something difficult

    Yes, this is very important. Not to stop spammers as much as to stop your site from getting hacked. Brute force hacking is infinitely harder if they have to guess the username AND password correctly at the SAME time. Just about impossible. If they know the username is “admin” they only have to guess the password, which is actually possible if they hammer your site all day.


    virtualgeorge
    Participant

    @virtualgeorge

    So did NinjaFirewall work well? Any negative side effects?
    I have a site that started getting a few hundred per day, so I changed the slug, used the math captcha instead of SI CAPTCHA and added the honeypot to the functions. Still getting a few subscribers, all with Hotmail addresses.


    contrasupport
    Participant

    @contrasupport

    Up to now – Yes – NinjaFirewall combined with Stop Spammers, Akismet, Captcha and other plugins of your choice, as long as they work together and do not slow down your website.

    The drawback of NinjaFirewall is that you have to know how to set it up properly, otherwise Editors/Authors will have problems updating.

    Other things you can do:

    If under attack — You still need to scan and look for continuous IPs/usernames and manually add them to Stop Spammers AND report them to Stop Forum Spam/Project Honey Pot.

    If you do not have time to read/check your themes line by line, install Theme Authenticity Checker
    https://wordpress.org/plugins/tac/
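
Added example, not part of any post in this thread: a log triage script for the two pieces of advice above, watching for repeat IPs and renaming the /register/ slug (after the rename, any request to the old slug is a scripted client). It assumes an Apache/nginx combined-format access log and /create-your-account/ as the new slug; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: client IP, then "METHOD target PROTO", then status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def triage(log_text, live_slug="/create-your-account/", old_slug="/register/",
           max_posts=2):
    """Group signup-abuse signals by client IP (the threshold is an assumption)."""
    old_hits, posts, fetched_form = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip, method, target, _status = m.groups()
        # Drop the query string and normalise the trailing slash.
        path = target.split("?", 1)[0].rstrip("/") + "/"
        if path == old_slug:
            old_hits[ip] += 1  # the form no longer lives here: scripted client
        elif path == live_slug and method == "GET":
            fetched_form.add(ip)
        elif path == live_slug and method == "POST":
            posts[ip] += 1
    return {
        "old_slug": dict(old_hits),
        "repeat_posts": {ip: n for ip, n in posts.items() if n > max_posts},
        "blind_posts": sorted(ip for ip in posts if ip not in fetched_form),
    }

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "POST /register/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2014:10:00:03 +0000] "POST /register/?x=1 HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2014:10:01:10 +0000] "GET /create-your-account/ HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:10:02:40 +0000] "POST /create-your-account/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2014:10:03:00 +0000] "POST /create-your-account/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.99 - - [10/Mar/2014:10:03:02 +0000] "POST /create-your-account HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.99 - - [10/Mar/2014:10:03:04 +0000] "POST /create-your-account/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"
this line is not a log entry
"""

if __name__ == "__main__":
    for signal, hits in triage(SAMPLE_LOG).items():
        print(signal, hits)
```

Addresses under old_slug or repeat_posts are the candidates for a block list; blind_posts (a POST with no earlier GET of the form) is a weaker heuristic and is best used only to prioritise manual review.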


    virtualgeorge
    Participant

    @virtualgeorge

    My site that was getting hammered is no longer getting the hotmail signups after adding the honeypot & changing reg slug. Guess this needs to be done on all membership sites. Just got a message from another client with the same problem.


    BuddyBoss
    Participant

    @buddyboss

    @virtualgeorge Glad that worked for you


    Jmar42
    Participant

    @jmar42

    No More Captchas plugin is pretty helpful. It recognizes if you are human or not via bio-chronometrics.


    culsire_ceo
    Participant

    @culsire_ceo

    Can anyone recommend a good honey pot for BP registration? I keep seeing them for comments, not so much login.


    culsire_ceo
    Participant

    @culsire_ceo

    I’m trying the coding from BuddyBoss. I’ll let you know if it helps.


    BuddyBoss
    Participant

    @buddyboss

    @culsire_ceo That code should add a working honeypot for you. Curious to find out if it helps on your site. It won’t remove 100%, but every little bit helps.


    Halo Diehard
    Participant

    @halo-diehard

    I just installed WangGuard today on a new site I’m setting up that’s been getting slammed with several an hour, and it stopped the new faker registrations immediately. Also, I’ve been using Pie Register for a couple of years on another site, and that alone has done a great job of keeping most spammer registrations out, so I put it on the new site, too. I didn’t have Akismet or anything on my other site, just Pie Register, and I was pasting a bunch of IPs and certain words in the Settings > Discussion > Comment Blacklist, and no spam.

    Pie Register has the best Captcha I’ve seen in the plugins, but what I really like is you can program random questions that the user has to put the right answer in, and that’s fun. I choose stuff that is relevant to my sites, and amusing. I was really glad it works with BuddyPress!

    And I’m not affiliated with either of the above plugins, either, just another site owner who knows what it’s like trying to track down help.

  • The topic ‘Stop BuddyPress SPAM’ is closed to new replies.