BuddyPress.org

@xprt007,

my 3 word recommendation: disallow group creation !
And prevent your users, if they need a group, that they have to ask you to create it for them.

A good pratice to avoid spam, is to use another table prefix as the default wp_table_name. Bots really like this prefix to rape databases. 👿

Aside you can also try to stop some spambots via htaccess.
Search on the web for more information on how you can do this.

Here 2 lines you can add to htaccess to block some russian spambots (without any waranty)

RewriteCond %{HTTP_REFERER}  ^(.*).ru/(.*)
RewriteRule ^.*$   -   [F]

@donalyza,

if you use phpmyadmin, you can easily export the 3 tables related to groups from site 1 and import them in site 2. phpMyadmin has natively import/export tools and avoids you to use an extra plugin to generate CSV or sql formated files.

xxx_bp_groups
xxx_bp_groups_groupmeta
xxx_bp_groups_members

xxx is the prefix you entered during the wp install. By default it is wp, but it is recommended to use another one. Spambots are too much in love with wp_ prefix. You’re warned ! :d

The security question works, so bots cannot register in the website.

How long are WangGuard active in your website?

If are active less than 2 days, maybe are signups made before WangGuard was installed.

All users has 48h for activate their accounts, so maybe bots are blocked. Wait 2 days and update the result here.

I’m the developer of BuddyPress Security Check. Unfortunately, it appears that spammers have found a way to complete the math sum, allowing them to register. This means that BuddyPress Security Check will probably not prevent bots from registering. It certainly isn’t generating fake signups though. Probably best to disable BuddyPress Security Check until I figure out how I can fix it and release a new update.

Thanks for the ping @johnjamesjaccoby

@robg48 something else you could do is use a honeypot. An example is

http://www.pixeljar.net/2012/09/19/eliminate-buddypress-spam-registrations/

It works by adding a hidden field to your registration form. Users can’t see the field so will never complete it (it will always be blank). Spam bots, however, don’t view the page in the same way as users. They ‘see’ the page source so will always ‘see’ the hidden field and try to complete it.

On registration form submission, if the hidden field is blank then we know it’s a genuine user trying to sign up. If the field is completed then we know it’s a spam bot and we can halt the registration. Hence, the name honeypot.

@robg48 just a thought – try changing the name of your registration page. Spam bots automatically look for pages such as /register/ so maybe use /sign-me-up/

Most of wordpress plugins mentions above work like

Attacker > HTTP server > PHP > WordPress > PLUGINS

We all need to have something before WordPress that’s why I recommend

NinjaFirewall (I do not have any relation with the plugin creator)

https://wordpress.org/plugins/ninjafirewall/

Block the attacker before the WordPress

Attacker > HTTP server > PHP > NinjaFirewall > WordPress > PLUGINS

As always in installing any plugins that possibly can block your admin access you have to read the Installation note and have access to the FTP.

NinjaFirewall will work as another layer to protect your site.

In addition if you have not done it:

1. Change your “Admin” username to something dificult and at least 10 characters (+) but easily to remember (+ for you – for security) or you have to read a note (-) safely secured in your safe locker (+)
2. Make your password at least 25 COMBINATION of characters (+) but easily to remember (+ for you – for security) or you have to read a note (-) safely secured in your safe locker (+)

NinjaFirewall:

• Web Application Firewall
• Full standalone web application firewall
• Multi-site support
• Compatible with shared hosting accounts
• Protects against RFI, LFI, XSS, code execution, SQL injections, brute
• force scanners, shell scripts, backdoors and many other threats
• Scans and/or sanitises GET / POST requests, HTTP / HTTPS traffic, cookies, server variables (HTTP_USER_AGENT, HTTP_REFERER, PHP_SELF, PATH_TRANSLATED, PATH_INFO)
• Sanitises variables names and values
• Advanced filtering options (ASCII control characters, NULL byte, PHP built
• in wrappers, base64 decoder)
• Blocks username enumeration scanning attempts through the author archives and the login page
• Blocks/allows uploads, sanitises uploaded file names
• Blocks suspicious bots and scanners
• Hides PHP error and notice messages
• Blocks direct access to PHP scripts located inside specific directories
• Whitelist option for WordPress administrator(s), localhost and private IP address spaces
• Configurable HTTP return code and message
• Rules editor to enable/disable built-in security rules
• Activity log and statistics
• Debugging mode

Two more methods that help. I recently had a crazy spam attack – probably 300 fake signups per day. I implemented these two methods and it dropped to near 0.

1. Change the /register/ slug to something unique. An example would be /create-your-account/, or something of that nature. It just needs to be unique and also make sense in a URL for your user. Spammers targeting BuddyPress look for /register/ as the signup page. It’s all automated so you want to filter them out at the first step.

2. Add this to your functions.php file in your theme or child theme.

It presents a dummy field that humans don’t see. Spambots will fill it out, and if the field captures a value it will reject the signup.

// BuddyPress Honeypot
function add_honeypot() {
    echo '';
}
add_action('bp_after_signup_profile_fields','add_honeypot');
function check_honeypot() {
    if (!empty($_POST['system55'])) {
        global $bp;
        wp_redirect(home_url());
        exit;
    }
}
add_filter('bp_core_validate_user_signup','check_honeypot');

Credits for #2 go to:
http://mattts.net/development-stuff/web-development-stuff/wordpress/buddypress/anti-spam-techniques/registration-honeypot/

I edited it slightly to remove the required redirect. Add that back from his tutorial if you want to. It requires that you make an extra page to send the spammer to, and I personally think that’s not necessary. I actually want them to have no indication their signup failed.

5-10 is OK — When I was handling a job application site every month we received 4000-5000 applicants and and had about 75-200 “bad users” we did have people entering bad email for their job application but it was also sometime the applicant mistype their email AND ending up shooting registration confirmation to the wrong/closed/nonexistent email at Gmail/Yahoo/Hotmail etc (I had to deal with those email providers 1-2 times a year to make sure that my Mail Server is not on the blacklist).

Btw on the Stop Spammers setting add the StopSpamForum API that way it easier for you to check or submit bad user (add Honeypot & Botscout if possible). Also “Check Spam Words” on the setting and add to them if you see a bad username keep popping up with different IPs.

Also, rename your ‘register’ page to something else. Lots of spam bots look for /register/ so something as simple as /register-page/ will help hide your sign up form from at least a few of the bots.

hi @trinzia,

don’t ask here about YOUR security settings ! We are not reading in chicken guts or in cristal bowls. 😉

Also, if you use BP 1.8+, a solution given over a year back cannot work (most of time)

See here an old discussion with a recent answer (2 mounth) – has patch.

But before to do something, check your WP settings if comments are allowed and/or if comments are allowed for your test post (sorry for this, but… nobody’s perfect ! 😀 )

Also, if you cheched site indexing by robots (settings > reading) it may be possible that the comments won’t show up on the activity wall.
Encountered this a few mounth back with bbPress forum answers on a bp 1.7/bbp 2.3 install

Leofitz, WangGuard will check your user base for spammers and delete them.

See https://wordpress.org/plugins/wangguard/

The author says that “WangGuard not only protect your site from sploggers, spam users or unwanted users, WangGuard cleans your database from them. No plugin or service does this, only with WangGuard you will get this feature,” and I believe him. His English may not be too good, but the plugin is really outstanding.

There’s just one consideration for you: In order to have your database cleaned up, you will have to submit far more than 500 queries the first month. Perhaps you can arrange to pay for a month?

Here’s my suggestion to reduce database queries after that. (It worked for me.) Buddypress allows for the customization of User Profiles. Add a couple of questions that require a certain amount of intelligence to answer and make them required. That means the form will not be submitted either to WordPress or to WangGuard if the required fields are not filled out. It’s not fool-proof, but it decreased queries on my very busy site to just a few a day.

Incidentally, I added a question, “How do you plan to participate?” Among the choices offered the user are these:
“I want to increase my online presence.” and
“I want to sell my stuff.”

We don’t need anyone not bright enough to figure out that these replies do not make the user desirable. Now all I need is a script to automatically kick out users who choose these replies. 😉 (As it is, they can be manually deleted if other users report them.)

I don’t know what happens to a group when all the users are unsubscribed, so this may not be precisely what you are looking for. But WangGuard will make your site secure against almost all sploggers. (One registrant passed all tests on our site, and we had to delete manually, but that person must have registered manually too.)

Good luck!

Inge (http://ssnet.org)

maybe not as long as you think if you use the backend, can’t you mass delete them that way?

Are there any current plugin solutions which can delete accumulated BP spam groups? The BP Group Management plugin did this, from what I’ve read, but it gives error messages with the current versions WP 3.5.1 and BP 1.7.2

Any suggestions will be appreciated as I have a couple dozen WP-BP sites and some have 1000-5000 groups that are spam generated. Manually deleting these would take me until 2014!

@dice2dice
You can change the register page name and slug to sign-up.
You can also try using Private Community For BP:
You will also need to change line 27 in private-community-for-bp.php from /register to /sign-up to reflect the change of the register slug.
If your not using it you can get it here:
https://github.com/bphelp/private_community_for_bp
Another thing you can try is this small plugin “Spam Killer” which creates a hidden field humans can’t see, spam-bots will see it and fill it out and get a message indicating spammy behavior and it rejects their registration. Get it here:
https://github.com/bphelp/bp-spam-killer
Please read the readme.txt for complete instructions for usage for both plugins.

@tux-kapono
Why would it be confusing unless you have several admins? Subscribers should not have access to how many registered users there are in the dashboard anyway. Unless those users are active participants wouldn’t it kinda mislead new legitimate registered users that there is more active members than what is truly there? Most likely the registered users that never logged in was either spam-bots or human spammers and most people fight that tooth and nail. If you have several admins then I would just communicate that to them.

@wpbp
I produced a small plugin that is geared toward automated spam attacks but I haven’t gotten any feedback as far as its effectiveness:
https://github.com/bphelp/bp-spam-killer
As far as spam attacks from real users I think there are helpful solutions out there but spammer hacker types will always find way to circumvent any prevention method so the best prevention as an admin is being active on your site.