BuddyPress.org

@tyler ~ I’ve now built two similar ‘medical related’ sites where the privacy was of utmost concern and I used my code from above beautifully. You could drop the plugin and the secondary install and just use that for any pages you want to keep private from both unregistered users and spiders/robots.

You lucky, the spambots that are after me figure out the new slugs after a few days.

I am actually considering setting up a botnet to jam up their IP’s and domains as payback lol

Any of you who continue this thread any further are simply staring the ‘gift horse in the mouth’ so to speak.

~ spam in a problem for every company, be it IBM, Google or WordPress. These companies spend millions combatting it and it’s a problem for almost any CMS, or site that has UGC. If you can’t install Askimet, and/or a couple other preventative measures on your site, then you should hire someone who knows what their doing or you have a compromised(hacked) site where once again, you should hire someone who knows what they’re doing.

while not naming names ~ I have watched ‘your’ post on this forum and you’ve offered very little contribution and quite a bit of negativity. That doesn’t bode well for an open source community who provides you a product free of charge. Perhaps providing some meaningful feedback about your experiences will help the community develop better solutions instead of glaring accusations and harsh criticism? In fact your post in this community are very much like spam for the very same reason. At this point, you’ve pretty much hit an all time low since your accusing developers, many of whom work for free, of turning a blind eye towards the issue of spam. If you’re unhappy with website, may i suggest move on to another piece of software that is magically immune to spam robots, where you’ll most positively be a great asset, not only to them, but also with your absence here on the Buddypress Forums.

The best trick I learned for fighting spam bots is to ask a question that only a human can answer and making them type it into a text box. If you change the question daily or randomize it, it makes it even tougher. Don’t do anything like math or captcha or something that a bot can calculate or decipher. Ask a question like “What color is snow?” or “How many sides does a triangle have?”

But if humans are filling out the forms, you are pretty much SOL.

IMHO – being overcritical will not solicit the best help. Like any community – you’ll need to fight spam regardless of the platform and requires ongoing patience to battle.

Some tricks I use

block all MSIE456 users, block bad bots, block known spammer country CDIR ranges, rename template pages, try whatever plug-in and tweak if needed.

I agree with you totally I also highlighted this issue in this thread:

https://buddypress.org/forums/topic/spam-domains-to-add-to-your-block-list

Not to sound rude but it feels like if the developers or the main people aren’t too affected by an issue then its not regarded as an issue.

SPAM is major problem and while a test site might work fine if you have niche sites around certain topics you might get more spam than others based upon the fact that spammers might come across your site through keywords specific to your site and as such the devs might not neccisarily experience such problems.

I have tried everything some spambots even seem to get around CAPTCHAs, the only option I have is to manually approve each new user.

@Cyndy: The two posts above you give alternatives to using captcha. It’s not the “only known solution”. SPAMers use bots. Bots look for known text and urls… like “Powered by BuddyPress” or http://www.mysite.com/register or whatever. Changing those things can help a lot. And invisible defender helps too. All without captcha. Which I think everyone will agree… sucks.

Here’s something else that might interest a few: I installed WPMU Super Captcha over the weekend (running WPMU2.9.1 & BP1.2rc). Since then, there have been no bot signups at all, and the plugin has blocked exactly 50 attempts. Plus, it logs each attempt that it blocks so I can keep track.

I’ve also added a comment on the registration form directed towards human signer-uppers with a support email address just in case. None of the 50 blocked attempts have used it, so…

Bots had managed to get around other plugins I’ve tried before, but not this one.

I have been running BP in Production since well before the 1st alpha release on the same url with the exact same registration slug AND requirements. Nothing is protecting on my site any more than a standard install – no captcha, etc. I can count on my hand the number of spam attempts to register. They are so few, I just delete them and use BanHammer once they try.

How? We have a specific (albeit small) set of required registration fields to fillout. That’s all. I love siple and fast registration as much as the next guy but, unless you want to enforce email address verification and a bunch more, those are your real options.

Changing the slug will work until it doesn’t …which won’t be very long. Consider how that spammer found you in the first place…with a bot – not by randomly coming across your site.. and just like in the matrix, the bots will find you again.

If you change the signup slug, ie. from to signup to regme, probably that this can be found easely by spammers. But if you change signup to bolimp or domybest or f_12gt_99xpm, probably not. And building a random letter word constructor to spam a wp install is probably too much also… As far as i know, the majority of wp users never look into the code. And robots like majority…

Anyway, the signup table would still exist… and accessing a db is not impossible at all i presume. So the only thing to change is the table name, 6 x by day if necessary. And this is not simple at all.

Happy coding !

The short answer is Yes. The long one is they are made for filling out forms and submitting them. A drop-down is just a field that they might encounter, so expect the functionality. On the other hand we are talking here about bots that look for WP/MU installations to exploit the default sign up or comment forms. As a rule of thumb, anything that you can do to change the default behavior, do it. It’s like Andy said: if you make it the default, the spammers will figure out a way to get around it.

Also: try very hard to stay away from the following in your URLs: wp-signup.php, wp-register, register, wpmu, wp, and anything that hints at a wordpress installation.

@guristu Right… but can bots submit drop down values? For instance, I have a drop down for “Training Level” which is a required field. If it’s left at “please select”… the form will return a required field error.

@David that’s what wp-hashcash does. it adds a hidden form field whose value is set only via JavaScript when the page loads in the browser. if the browser is a bot, the value of the field will not be set because bots usually do not have JavaScript capabilities. It isn’t the field itself that makes the difference, it’s what it contains that enables you to tell a human from a bot.

I have adjusted the wp-hashcash plugin to work with buddypress signup. Here is what I did: I got the wp-hashcash plugin and I added the following code to the file:

global $bp;

// get our options
$options = wphc_option();
$spam = false;
//if( !strpos( $_SERVER[ ‘PHP_SELF’ ], ‘wp-signup.php’ ) )
//return $result;

// Check the wphc values against the last five keys
$spam = !in_array($_POST[“wphc_value”], $options[‘key’]);

if($spam){
$options[‘signups-spam’] = ((int) $options[‘signups-spam’]) + 1;
wphc_option($options);
$bp->signup->errors[‘spam’] = __(‘You did not pass a spam check. Please enable JavaScript in your browser.’);
} else {
$options[‘signups-ham’] = ((int) $options[‘signups-ham’]) + 1;
wphc_option($options);
}

}
add_action( ‘bp_signup_validate’, ‘wphc_check_signup_for_bp’);

function wphc_error_hook_register_page(){

do_action(‘bp_spam_errors’);

}
add_action(‘bp_before_register_page’, ‘wphc_error_hook_register_page’);

Then, under the line (line number about 507)

I put this line:

Then I activate the plugin. It should keep spam bots from being able to create accounts, but humans spammers can still do it. Anyway, if you can’t get it to work, let me know via PM and I will try to send you the file.

Later

I am having major problems with spam as well. Ironically it started as soon as I put my link in the showcase thread on this forum. I think the spam bots are looking there for easy targets as well.

Why do people make spambots that don’t even advertise stuff and just waste everyone’s time filling sites with meaningless crap. Is it like they are trying to sabotage Buddypress?

How does one submit domains and sites and IP addresses to spam traps.

http://www.bp-tricks.com/tips_and_tricks/stopping-the-sploggers/

i guess this is one of the best trick against spam blogs and “wild” registrations.

Step 1 and 2 are a bit obvious, but 3 and 4 are really efficient.

Keep in mind that on a wpmu site each blog created by a member has his first post and comment appearing on the default template – the good ol’ kakumei… on which is also written “powered by…” ( Step 2 is only for main blog i think) Spam bots eat this with delectation i suppose.

Spam programs are written to bypass signup. Well. I presume other narrow words like join, fall in, get together are also activ in such programms. But what do these programms if you choose “groink” or “methabolic” ? So follow the explanation and choose a really original word for your signup redirection. This works well for the moment. And don’t forget to put the functions.php file the in mu-plugins folder (to be theme independant).

To use in addition with some other solutions (wp-ban, invisible defender, …) of course.

i just installed this system, and yes it send the validation email, so the users may be compromised in error…

on my side i added a TOS plugin *(my own), so people have to check it and the input name have a name the bots are not recognising so they do not check it before registration…

@Harry

Yes, my Privacy Component works just as I described. It is an advanced beta available for testing. See this thread for more details: https://buddypress.org/forums/topic/buddypress-privacy-component-an-update/page/3#post-30574

@David

I wouldn’t give users the option to set it to friends only. Or at least… I would like the site admin to have the ability to disable that option.

In my Privacy Component, the site admin can choose to disable this feature.

But, to get back on topic, I agree that the best solution is the one that requires the brunt of the filtering to be accomplished through invisible, behind-the-scenes techniques. Requiring users to prove that they are members and not bots should not be the first line of defense. I think it is okay, even necessary for registration purposes. But that is a one time occurrence. After that, the system should do more of the policing.

Concerning your second link above, perhaps we could create a new CAPTCHA that could harness the collective intelligence of site members to solve the Unified Field theory.

Word. Patch it!

I’ve been having sign up spams (arguably a different issue) on my BP install, and just shut all signups down until I could figure out what to do about it.

Scouring the WordPress MU forums has made me realize three things:

1. Spamming is a huge problem for WordPress MU users

2. I’m betting that BuddyPress will/might have even larger problems due to the very nature of the beast (it’s all about users, right? Which is where the bots/spammers gravitate)

3. There are no sure-fire methods for preventing spammers

…well, there’s a fourth, too…

4. Many of the old hats on the WordPress MU forums are getting tired of explaining how to defend against so-called “splog” signup bots and spammers.

Just some observations, as BP just received its first official spammer. (Yes, I got the email too, and saw the small twitter firestorm this morning over it.)

I posted this elsewhere but it now belongs as part of this discussion: When using Buddypress, should /wp-signup.php result in an blank page or the registration form (or redirect to /register)? If the issue described here exists, how do you get the proper default buddypress behavior?

see: http://ttacconnect.org/wp-signup.php

I could delete /wp-signup to remove the errors but I’d like to understand how bp and wpmu is designed to work (are there any consequences for deleting wp-signup.php?).

I know BuddyPress is using /register.php and not /wp-signup.php. But when /wp-signup.php is hit (typically by spam bots) a PHP Warning is generated. No white space outside of php closing tags in header.php. I’m not too concerned about that as I figure if it’s working as it should (no registration form), then the php warning will take care of itself (and not be generated). So what needs to change to get /wp-signup.php to result in a blank page?

PHP Warning: Cannot modify header information – headers already sent by (output started at xxxx/bp-sn-parent/header.php:3) in xxxx/wp-includes/pluggable.php on line 865

See no Warning and no Registration Form (blank page). Is this the proper default buddypress/wpmu behavior?

http://nourishnetwork.com/wp-signup.php

Here /wp-signup.php was deleted and results in a page not found:

http://memomu.com/wp-signup.php

wpmu 2.8.6 with active plugins on main bp site:

bp 1.1.3, bp-groupblog, auto group join, Group Forum Subscripton, bad behavior

@michael -> de nada

Attempt will continue a few days after you did changes. The time spam robots refresh their attack strategy, heu, their cache…

I couldn’t say to you “be patient”, i know you are, but…wait a little ? This is not Nescafé, but computing…