BuddyPress.org

These automated bots are usually just that, automated that are programmed to look for specific strings in search engines that return a list of buddypress sites and then harvested. I was getting hammered with 20+ blogs getting created a day that was spam. I tried ever plugin and .htaccess tricks known to man and none of them worked. I was tired of all of the spam I was getting so I put on my tin foil and went to war. I was determined to win this war and to stop 99.9% of automated spam dead in its tracks.
First I went to cpanel and under the “Website Traffic” on the left side of the page and clicked “View all traffic” then clicked on my domain name.

When the statistics page for that domain loaded I looked on the left hand side of the page for “Search Keyphrases”, this will show me a list of the keyphrases that was used to find my site.

I found all the keyphrases that was used by the spammers to find my site in the search engines and here is the list of the keyphrases.

1. intext create an account username required email address required blog details inurl register
2. to start connecting please log in first. you can also create an account. .cr. blogs
3. allintext create an account account details profile details blog details yes i d like to create a new blog
4. yes i d like to create a new blog
5. “blog url required ” inurl /register
6. “yes i’d like to create a new blog”
7. intext create an account blog details inurl register
8. to start connecting please log in first. you can also create an account. .be.blogs
9. inurl register yes i d like to create a new blog
10. intext blogs create an account username email address blog details inurl register
11. to start connecting please log in first. you can also create an account. .de.

What I did was I went downloaded the buddypress to my desktop and open every file with NotePad++ and started searching for “create an account; blog details; yes i d like to create a new blog” Once I found those strings, I changed the name to something else and on the registration page I removed the “yes i/d like to create a new blog” along with its checkbox completely and i searched everything with the word “blog” and changed it to something completely different. I Also renamed the “bp-blog.php” and the /bp-blog/ folder.
Make sure to search through the other files in the buddypress folder for anything calling the “bp-blog.php” and the /bp-blogs/ and rename it accordingly.

It has been a week since I done this and I have yet to be spammed. I went from 20 a day to zero overnight by doing this.

You haven’t add Disallow: /? in your robots.txt file.

acpage is the way that BP renders activity pagination to those clients with javascript disabled – such as search engines.

I started a ticket for discussion of technical issues: https://trac.buddypress.org/ticket/3116

You must search for anti-spam plugins that filter out spam activity that the users make.

If the “spammers” are going past the captcha, that means they are not robots, actually people, just spamming your site.

So keep the captcha for robots, and you will need to search for anti-spam software to filter out the spam content posted on your site.

You create a file called robots.txt and you specify which URL so for instance it could be anything after /activity

User-agent: Googlebot
Disallow: /activity/*

This blocks google from scraping your images. This is a MUST for social networks that are using Albums.
User-agent: Googlebot-Image
Disallow: /

@modemlooper, thanks for your suggestion on different forms for different users in the register.php.
I also want to change the register slug. Because spam bots know bp register slug. We can get rid of a lot of them by simply change the register slug. But, how?

@hnla I know that there will be a segment of the population who will be prevented from joining because I am blocking IP addresses. But, I want/need these prevented in the first place and I do not understand why this is not addressed in the core and has to be something I must “hunt through the forum threads to reducing spam signups”. Its not like this is an unknown issue.

Besides, I HAVE searched for “reduce spambots” “reduce fake sign ups” “Reduce and reducing spam sign ups” with zero results.

What I have to ask is “Why?” and “How?” are these spambots accessing and creating users? I have one site that uses WP multisite with BP and there’s a great plugin “BP Registration Options” that works well enough to grab and display all new member requests and displays IP addresses; which I then add to WP-Ban. Its taken a month but I am now down to a dozen or so spambot signups per day.

Now, I have another WP/BP site that is NOT multisite and “BP Registration Options” does not work the same. BUT I copy the IP addresses from the one and paste it into the “WP Ban” of this site. However, I am still 100+ spambot signups per day. So, I have a plugin “Pending Activations” (which doesn’t work in multisite) but this plugin does not display the IP address of the offending spambot signups. Thus, my battle with the signups continues …

So … How are the spambots signing up? Why does the registration form not have CAPTCHA? and how can we stop them from signing up?

“how to disallow bots to follow signup link?”

Put a nofollow, noindex on it, right in the theme where it is linked. And change the default text that is linked. If you look at your access logs and your visitor stats, you’ll see they basically google for you.

@imjscn try hunting for a plugin called KB robots text it allows you to edit the WP robots text from the dashboard and might be handy to have available.

#2 stops bots following the link on other pages, but BP spammers come without a reference page. They know which link is BP register page. I’m not sure if there’s another way for BP.
Jenny this is why I said or mentioned adding a referer trap in .htaccess. Yes bots do link directly so you disallow any direct links that do not contain a referer in the header get request

True search here is a chore

Robots.txt is a file that lives in the root document directory of a site, however I seem to remember issues in the past adding one as WP might be trying to add it’s own one?

What results – if any do you get from running:

http://example.com/robots.txt (your site name obviously)

@imjscn Jenny have you tried googling on ‘nofollow’ links? before asking Andrea_r how to do this or better still have you implemented my advise earlier in the thread for a robots.txt file implementation? and other tip/s?

It’s important to tell us what you have tried other than add plugins – not everything is solvable using plugins and this aspect really requires a few approaches as has already been said.

Did you track down any of the threads on this support forum that go into great detail on the various approaches one can take, a good one is to set a referrer trap in .htaccess so that direct linking to the register page is prevented and register will only accept requests that have an accompanying referrer in the header that comes from your site – mentioned in one of those threads with example code iirc

it’s no solution and pointless running as yet one more plugin, this is simply a Order Allow Deny Apache directive and would be placed in you httpd.config file preferably or in your .htaccess and then list IP or domains to deny. Blocking IPs isn’t something that should be done lightly as it can have repercussions and is only effective on domains if there is one specific troublemaker these spam bots use spoofed domains they will change on the fly so little point trying to block them.

Preventing spam is a multi faceted approach and the many areas and things that need to be done covered at length on the support forum, you need to use all of them to effectively reduce spam and if possible don’t let people sign up for blogs from the sign up page

@arezki … so … does this plugin block attempts to sign up? How does it determine if something should be blocked? I looked at the plugin file on WP.org and it isn’t very specific. I can go into my server cpanel and block IPs all day long and I still get tons of spambots. I get user activation keys and blog setups with out a spambot actually doing the compelte process. grrrr.

have they checked their junk mail / spam folders?
If your users aren’t happy about this, just wait until they start using it – lol it’s a crude work in miserable progress imho – the signup issueS are just the beginning. I would consider buddypress more of a hobby thing for those who want to spend long hours in multiple forums trying to hash out why everything does not work well together. You will find spam robots have no problem signing up and activated dozens of accounts daily. Once your users actually get activated they will have a great time trying to sort out real blog posts from spam, they may wish they never signed up in the first place – especially if they create their own group.