BuddyPress.org

Disallowing bots to follow the signup page link (nofollow on the link), changing the default signup slug and adding new profile fields really really does help. And no plugins either.

@modemlooper Check out this guy’s post regarding a blackhole setup for search bots that don’t respect robots.txt: http://perishablepress.com/press/2010/07/14/blackhole-bad-bots/ Could easily be modified to to do what your talking about regarding the default register slug.

And do any of these bots respect and observe robots.txt file? in which case id them from your server stats and block that url although that should be blocked already really.

You could go the Apache Allow/Deny directive in .htaccess?

You should robots.txt exclude these files

Thanks. How do you know if there human or bots?

The code from this post is the correct one:
https://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/buddypress-spam/?topic_page=3&num=15#post-69499

Replace example.com with your sitename.
And yes, it works just fine on my site; no bots are getting through
But lately I’ve been getting slammed by human sploggers. That’s a tougher nut to crack.

isn’t this Tasty Kitchen full of bots?…those housewifes have very strange usernames

A great way to stop bad bots is the Bad Bot Eliminator script http://www.marcelboast.com/badboteliminator/
It stops bad bots dynamically by blocking IP addresses.

*Mod note: Disclaimer – this script is a paid script

Hi, I am interested in people who are NOT login in (ie people browsing) to be able to send an email to a member from the member profile page. I was looking for a way to put an email form that does not show the members mail in the code, so it can’t be seen by bots or in the source. I considered trying to use the private messaging system in buddypress. Anyone have any ideas?
Essentially, Members pay to be on the site and set up a profile. Regular people (customers) can contact them without knowing the email of the member.

Keep in mind that spambots are very likely to harvest those emails if you don’t have some privacy filters set in place.

I spent some time yesterday to try to stop the constant flow of spam users and blogs being created on my site. Here is what I did…
1- deleted extra registration.php in bbpress folder
2- changed reg. slug
3- installed humanity
4- installed Si Captcha
5- added code from above to htaccess

I am still get about 20-30 per day.
Is there a way to tell if these are humans or bots creating these accounts and blogs?
I don’t know what else to do, any ideas? ( I really don’t want to disable blog creation during registration)

It’s just spammers isn’t it! When bots sign up, they have to or think they have to fill any form fields they find so they simply place random characters. Are these actual users or spammers?

+1

I’ve got a client who needs private blogs (to hide from the scary google robots) but a public directory.

~Kyle~

meta name=’robots’ content=’noindex,nofollow’

@TedMann

I think someone more knowledgeable about things .htaccess could better answer that question. I’m really still learning about all this stuff myself.

About your other idea though… now that could be brilliantly simple! It could sure put one heck of a damper on the efforts of human sploggers who are, if their activities are any indicator, a lazy bunch. Only thing is, it wouldn’t do much for those bots who manage to squeeze through whatever “backdoor” they happen to find (or make).

Anyone want to take on a little “Avatar Required” plugin challenge here?

@TedMann

This is what I’ve added to .htaccess to block bots:

# IF THE UA STARTS WITH THESE
RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]
# STARTS WITH WEB
RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]
# ANYWHERE IN UA — GREEDY REGEX
RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
# ISSUE 403 / SERVE ERRORDOCUMENT
RewriteRule . – [F,L]

To help block spam registrations, add the following to .htaccess, then create a simple GOAWAY type html page and upload to your root directory:

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup.php*
RewriteCond %{HTTP_REFERER} !.yoursitehere.com. [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://yoursitehere.com/yourgoawaypage.html [R=301,L]

Add the following to .htaccess to deny access to wp-config.php to anyone who doesn’t have your ftp details:

order allow,deny
deny from all

Instead of example.com/register or example.com/sign-up, use something like example.com/unb2x-2010 for your register page. If you were a spammer, would that look like an inviting url to hack?

Hope this helps

I was having 5 or 6 sploggers sign up daily no matter what I did until about 2 weeks ago when I revamped my tactics. Since then, I have had 0 spam signups… not one. Fingers crossed Here’s what I’ve done:

– Removed references to WP/BP in footer text
– Changed the register slug to something unrecognizable that has no bearing whatsoever to the concept of signing up (so even those grossly underpaid 3rd-world human spammers can’t figure it out)
– Installed WPMU Super Captcha to let the nice humans through: https://wordpress.org/extend/plugins/super-capcha/
– Installed WP-Ban to block the not-so-nice ones: https://wordpress.org/extend/plugins/wp-ban/
– Installed Buddypress Humanity as a double-check: https://buddypress.org/community/groups/buddypress-humanity/
– Blocked lists of bad bots in .htaccess as suggested in this post: https://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/buddypress-spam/?topic_page=2&num=15#post-60177
– Added “deny from all” in .htaccess for wp-config.php
– If someone does manage to access the register page through a direct url (without visiting any other page first), they are bumped to a GOAWAY page with the following in .htaccess. .

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup.php*
RewriteCond %{HTTP_REFERER} !.examplesite.com. [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://examplesite.com/goaway.html [R=301,L]

So far, so good. As I mentioned, not a single splogger has managed to get through in about 2 weeks. If they do, there are 2 ingredients in the above recipe that can be adjusted:
– the captcha image is fully customizable to render bot algorithms redundant (hopefully)
– the register slug can be changed as often as you change socks

On a final note, there are also some interesting tweaks to be found here: http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/

Not sure of the process but even if you haven’t got bbpress running locate and remove the file. If spambots are managing to get around hidden fields that should remain empty it suggests they are not using whatever form that protection is on.

For CURL try adding this: (but check carefully things still work!)

# trap curl registration downloaders – block in allow,deny rules
SetEnvIfNoCase User-Agent “^curl” blog_spammer
Order Allow,Deny
Allow from All
Deny from env=blog_spammer

Be careful about blocking IP ranges it’s a difficult practice and one that technically you are supposed to notify about in case innocent yet important sites get blocked, you can add further rules to the deny lines above but unless there is a very persistent IP it’s probably not worth it and likely spoffed anyway.

Robots.txt file – google and you will find guides.

a few things i’ve done

removed the powered by in the footer (just changed up the wording to WP/BP)
block the crappy browser MSIE ([3456]).
block a bunch of bad bots (something like: http://www.askapache.com/htaccess/blocking-bad-bots-and-scrapers-with-htaccess.html )
block a bunch of CDIR ranges (something like: http://www.wizcrafts.net/blocklists.html )