BuddyPress.org

Two more methods that help. I recently had a crazy spam attack – probably 300 fake signups per day. I implemented these two methods and it dropped to near 0.

1. Change the /register/ slug to something unique. An example would be /create-your-account/, or something of that nature. It just needs to be unique and also make sense in a URL for your user. Spammers targeting BuddyPress look for /register/ as the signup page. It’s all automated so you want to filter them out at the first step.

2. Add this to your functions.php file in your theme or child theme.

It presents a dummy field that humans don’t see. Spambots will fill it out, and if the field captures a value it will reject the signup.

// BuddyPress Honeypot
function add_honeypot() {
    echo '';
}
add_action('bp_after_signup_profile_fields','add_honeypot');
function check_honeypot() {
    if (!empty($_POST['system55'])) {
        global $bp;
        wp_redirect(home_url());
        exit;
    }
}
add_filter('bp_core_validate_user_signup','check_honeypot');

Credits for #2 go to:
http://mattts.net/development-stuff/web-development-stuff/wordpress/buddypress/anti-spam-techniques/registration-honeypot/

I edited it slightly to remove the required redirect. Add that back from his tutorial if you want to. It requires that you make an extra page to send the spammer to, and I personally think that’s not necessary. I actually want them to have no indication their signup failed.

5-10 is OK — When I was handling a job application site every month we received 4000-5000 applicants and and had about 75-200 “bad users” we did have people entering bad email for their job application but it was also sometime the applicant mistype their email AND ending up shooting registration confirmation to the wrong/closed/nonexistent email at Gmail/Yahoo/Hotmail etc (I had to deal with those email providers 1-2 times a year to make sure that my Mail Server is not on the blacklist).

Btw on the Stop Spammers setting add the StopSpamForum API that way it easier for you to check or submit bad user (add Honeypot & Botscout if possible). Also “Check Spam Words” on the setting and add to them if you see a bad username keep popping up with different IPs.

Also, rename your ‘register’ page to something else. Lots of spam bots look for /register/ so something as simple as /register-page/ will help hide your sign up form from at least a few of the bots.

hi @trinzia,

don’t ask here about YOUR security settings ! We are not reading in chicken guts or in cristal bowls. 😉

Also, if you use BP 1.8+, a solution given over a year back cannot work (most of time)

See here an old discussion with a recent answer (2 mounth) – has patch.

But before to do something, check your WP settings if comments are allowed and/or if comments are allowed for your test post (sorry for this, but… nobody’s perfect ! 😀 )

Also, if you cheched site indexing by robots (settings > reading) it may be possible that the comments won’t show up on the activity wall.
Encountered this a few mounth back with bbPress forum answers on a bp 1.7/bbp 2.3 install

Leofitz, WangGuard will check your user base for spammers and delete them.

See https://wordpress.org/plugins/wangguard/

The author says that “WangGuard not only protect your site from sploggers, spam users or unwanted users, WangGuard cleans your database from them. No plugin or service does this, only with WangGuard you will get this feature,” and I believe him. His English may not be too good, but the plugin is really outstanding.

There’s just one consideration for you: In order to have your database cleaned up, you will have to submit far more than 500 queries the first month. Perhaps you can arrange to pay for a month?

Here’s my suggestion to reduce database queries after that. (It worked for me.) Buddypress allows for the customization of User Profiles. Add a couple of questions that require a certain amount of intelligence to answer and make them required. That means the form will not be submitted either to WordPress or to WangGuard if the required fields are not filled out. It’s not fool-proof, but it decreased queries on my very busy site to just a few a day.

Incidentally, I added a question, “How do you plan to participate?” Among the choices offered the user are these:
“I want to increase my online presence.” and
“I want to sell my stuff.”

We don’t need anyone not bright enough to figure out that these replies do not make the user desirable. Now all I need is a script to automatically kick out users who choose these replies. 😉 (As it is, they can be manually deleted if other users report them.)

I don’t know what happens to a group when all the users are unsubscribed, so this may not be precisely what you are looking for. But WangGuard will make your site secure against almost all sploggers. (One registrant passed all tests on our site, and we had to delete manually, but that person must have registered manually too.)

Good luck!

Inge (http://ssnet.org)

maybe not as long as you think if you use the backend, can’t you mass delete them that way?

Are there any current plugin solutions which can delete accumulated BP spam groups? The BP Group Management plugin did this, from what I’ve read, but it gives error messages with the current versions WP 3.5.1 and BP 1.7.2

Any suggestions will be appreciated as I have a couple dozen WP-BP sites and some have 1000-5000 groups that are spam generated. Manually deleting these would take me until 2014!

@dice2dice
You can change the register page name and slug to sign-up.
You can also try using Private Community For BP:
You will also need to change line 27 in private-community-for-bp.php from /register to /sign-up to reflect the change of the register slug.
If your not using it you can get it here:
https://github.com/bphelp/private_community_for_bp
Another thing you can try is this small plugin “Spam Killer” which creates a hidden field humans can’t see, spam-bots will see it and fill it out and get a message indicating spammy behavior and it rejects their registration. Get it here:
https://github.com/bphelp/bp-spam-killer
Please read the readme.txt for complete instructions for usage for both plugins.

@tux-kapono
Why would it be confusing unless you have several admins? Subscribers should not have access to how many registered users there are in the dashboard anyway. Unless those users are active participants wouldn’t it kinda mislead new legitimate registered users that there is more active members than what is truly there? Most likely the registered users that never logged in was either spam-bots or human spammers and most people fight that tooth and nail. If you have several admins then I would just communicate that to them.

@wpbp
I produced a small plugin that is geared toward automated spam attacks but I haven’t gotten any feedback as far as its effectiveness:
https://github.com/bphelp/bp-spam-killer
As far as spam attacks from real users I think there are helpful solutions out there but spammer hacker types will always find way to circumvent any prevention method so the best prevention as an admin is being active on your site.

One plugin that looks good for preventing registration spam is WangGuard. (Search for it in the WordPress repository.) I’ve just installed it, so can’t tell you if it’s as good as it sounds. (I run a very busy blog and allow commenting by unregistered users. Akismet catches spam and Conditional Captcha deletes it without my seeing it. The latter reduced spam from hundreds of comments a day [marked by Akismet] to near-zero. Only the occasional human spammer gets in.)

Allowing unmoderated registrations is spammer nirvana. 😉 I allowed posting by unregistered users so I could turn off user registration. Now that I’m wanting to use Buddypress, I had to enable registration but installed WanGuard. Within a few hours, I had one registration attempt — even though Buddypress can’t be seen anywhere on the site yet — but no successful registration, thanks to WangGuard. Tomorrow will tell me more.

@wpbp 1. Disable registration in Settings > General.

2. Disable group creation in Settings > BuddyPress > Settings > Groups.

3. Disable album creation/uploading of images in the plugin’s settings or are you referring to native WP image galleries?

You can enable group creation and registration after you’ve done some general housekeeping and adding some spam/spammer prevention.

@wpbp, The problem is that many spam nowadays are not bots but real human spam. I have same problem on one of my installation. all you can do is to ban the domain which has been a source of spam to your site. e.g: spam1@me-now.com. spam22@me-now.com

when you put “me-now.com” in the following code, it will ban any email from me-now.com, Put it in your functions.php

http://pastebin.com/a2mTNVZX

Note: I have 3 sets of this code, I have the one which can ban specific email from gmail, yahooo, hotmail etc without banning other users using gmail, yahooo, hotmail. if you want that aswell i can post it or all the 3 if someone can release it as a free plugin , no problem.

Naijaping

You did of course add a robots.txt text file? Use webmaster tools to give more granular control on the site with Google? Disabled feeds in case they are an issue?

@hnla
Well said Hugo! It also seems to me that if it was checked by default it would make it even easier for spam bots to compromise a site.

The reason for that is so many installs are not customized enough and that makes it easy for bots.

No system is safe from spam.

@somdefabrica double-check the privacy settings of your blog in subsite. It must allow indexing by robots/google.

there is no perfect solution for this problem and these “bots” are actually humans a good deal of the time i have had good experience with WangGuard though.

There is no perfect solution other then to disable registration entirely but i have had a good experience with WangGuard. FYI a good chunk of these “bots” are actually humans (at least at some point) believe it or not.

You can’t just install and not take action to limit server requests. You need to cache as much as possible and use a CDN. Also check logs you can have bots hitting site and you can block those.

Find out what is hitting ajax file and block it.

FYI a lot of those “bots” are humans no perfect solution exists some amount of human intervention will always be required to deal with spamming and splogging but…

i have been having a pretty good experience with WangGuard they are currently blocking about 90 to 95% of our spam registrations.