BuddyPress.org

I have a couple BuddyPress installs. The older of the 2 has received 150+ spam member registrations (and blogs) this weekend. All create members like bob45873675 and “Bob’s Blog”.

I have changed slugs, activated recaptcha and followed several blog posts on best practices. What’s interesting is they are somehow bypassing my registration page. I have required fields and have removed the “create a blog” from the registration page; but somehow they manage to create an account and a blog. I also receive “lost password reset” email notices for each account that is created, so maybe that’s a clue to where the issue is.

I was so fed up with it, I disabled registrations completely (only allowing blog creation by logged in users) — and I’m still getting new spam members and blogs (how is that possible??) This seems to be a pretty serious security issue that is different from previous “splogging”…

Vulnerability/hack in the registration or lost password, etc…?? I presume this could be WPMU not necessarily BP?