BuddyPress.org

Many Thanks, Hugo.

After rechecking I am now down to just no sidebar control over activity page and group forums page. (though will need a little css tinkering which is no big deal) .

My resource to date is just https://codex.buddypress.org/theme-compatibility/ and this forum.

You say

Theme compatibility already provides for a custom bp version of page.php ‘buddypress.php’ in that you can specify named sidebars.

bit lost with that i’m afraid. It would be great if you could elaborate on that.

WP Version: 3.5.1
BuddyPress: 1.7.2

You want to ‘hide’ the profile page for a member who hasn’t paid their dues?
What should happen if that page is accessed by that member or another member?
Redirect? Custom message page ?

Either redirect to a listing of all active members or display an error page would be fine, (i.e. “This member is not currently an active member.”)

If ‘paid dues’ is a boolean, then it’s easy to write a function.
Where is that boolean stored?

It would be stored in their profile as an Admin-editable field, per the original post.

Does that member still appear on the Members page? In the Activity stream?

No to both. Hidden users would be able to login and update information but their profile wouldn’t be public-facing, just them and the admins.

This would be useful as we have staggered dues, allowing profiles to turn off/on.

Yessssss! Thanks @andrewteg! I was seriously beginning to think I dreamed the whole thing up…not sure why I could not find this page, but that is EXACTLY where I was.

Now, since I have found what I was looking for, I’d really like to get some opinions of the plugin and see if this will actually do what I am planning for this site. I am open to all opinions and suggestions. My understanding of BuddyPress and bbPress is coming along and the site is starting to look like what I envisioned. You can see the preliminary site at http://accessories.ldjautobody.com.

First, let me explain what I have planned for this site and, like I said, I am open to all suggestions and comments. I would like to hear what the experts have to say. Good or bad, I need your opinions. You ALL have great ideas and I respect whatever you might have to say or add. 🙂

This blog and forum are dedicated to custom car and motorcycle enthusiasts everywhere. Car enthusiasts are passionate about their subject, and in addition to giving them a place to share their projects and discuss those among each other, I would also like to let them post some articles, hoping that the fresh content will keep the search engines hanging out on the site and help boost the rankings. I have never run a forum site or used BuddyPress or bbPress before and I’m not really sure how this all works in relation to SEO. I do, however, deal with car and motorcycle enthusiasts on a daily basis and I know that I can most likely count on them to get some very good discussions going among themselves and that is my hope for this site.

We will also be doing some affiliate marketing from this site, and my hope is that in a perfect World, the fresh content and activity level of the site will keep us ranking well in the search engines and bring some new customers to the site. Since we are an “auto body shop”, our normal advertising is concentrated in a very local area. The affiliate site, however, will have a much broader range and we will be advertising nationwide vs. the small local area that the body shop is limited to. So my hope is that the increased activity on the site will increase the number of people visiting and also help us reach out well beyond our local area. At least, that is our goal for now!

Thank you all again for all of your help. I am looking forward to hearing anything my experts have to add as we move forward with getting the site ready to launch. 🙂

Denise

I put an !important at the end and it works .
Thanks Hugo

Even I change the style of all spans ( span{} ) but it doesn’t work .
I found this in frisco theme :
div.item-list-tabs ul li a span {}
It doesn’t work neither !

Thanks but none of them works ! I use this css code:

 .item-list-tabs li a span {
color:red;
font-size:20px;
background-color:orange;
}

@bp-help

good suggestions. thx. 2 of them r new to me, so other people may find them helpful also.

on our sites we r using::

Keith Graham’s most excellent ‘stop-spammer-registrations-plugin’ – https://wordpress.org/plugins/stop-spammer-registrations-plugin/

– has stopped over 53,000 spammers since feb this year! it uses external lookups on StopForumSpam, ProjectHoneyPot, BotScout, (Akismet, which we dont use), others – thus great collective benefit/advance warning of bad traffic. also traps brute force attacks (bad logins/registrations/comment posts, etc), etc. is simple enough to play nice with most plugins.

to try & keep as much load off the front-end of the server as possible, we also have set up:

linux iptables ( & ufw add on )- as the basis of all firewall stuff. also has our manually maintained blacklists & whitelists. various custom rule chains setup. takes a while to get your head around, but is essential.

linux fail2ban – essentially an add on to iptables, puts people in jail for bad behaviour – eg: brute force attacks against ssh, ftp, mail logins. we also have set up custom rules detecting bad activity against wp-login.php itself via fail2ban. am looking to do some more with this.

linux apache – mod-security2, libapache2-mod-evasive, libapache2-mod-antiloris, libapache2mod-spamhaus – which help protect against general bad behaviour, DDOS, blank header attacks, the infamous ‘Loris’ script (which we’ve experienced!), and bot-nets. still assessing how effective these r.

we have also had to tune apache on our VPS for resilience in the face of DDOS type attacks and heavy-handed brute force attacks.

some further good tips here: http://www.dannytsang.co.uk/index.php/apache-2-hardening-tips/ & elsewhere.

linux logwatch – reports various access stats (the good & the bad & the ugly) via email – very useful indeed for checking whther situation is under control (or not).

linux rkhunter – scans for rootkits on the server from time to time – just be sure – & particularly useful if u ever do get infected in hunting down the intruder’s code.

obviously we also have file system bolted down. (there is a good wp plugin to check permissions bolt-down, i forget what its called). we also spend a LONG time analysing logs etc.

anway, that takes care of many of the bad boys, but we r still left with the following problems to crack:

1) we have observed that many bad bots/scripts are exhibiting ‘learning behaviour’ (ie. heuristic) and r finding ways around fail2ban rules/jails, etc. in particular:

a) rotating IP addresses to match ‘ban counts’ – currently we have them wasting an IP address every 3-4 attempts, but they still seem to have an inexhaustable supply, else are spoofing extreamly well.

b) varying their retry period to match the length of jail sentence. (ie. they are not wasting their mips whilst in jail, just enough to detect when they are released,record it, and tune their future responses).

2) content scrapers, probes and bad-bots generally – these r wasting enormous resource on our servers. typically i would suggest such ‘bad traffic’ is responsible for over 50% of total server load (ie. not good at peak times on a busy site). additional problems we r facing here:

a) bad bots often spoof the agent string to pretend to be eg. google, bing, etc. the only way u can tell is by reverse lookup of ip address and try and match to one of well known range of ‘good bot’ addresses. but, despite fact that many ranges are well known, most of them are never actually published or confirmed, many are variable. i am not aware of any definitve list of ip addresses of good bots (though there is http://www.iplists.com/ whichis not bad, & http://www.webmasterworld.com/search_engine_spiders/ which is often helpful – these are very much ‘best efforts/as seen in the wild’ lists.). this problem worsens with the rise of social network agregation services, other (legitimate) content agregators, and personal content aggregating software on mobiles, tablets, etc.

idea: i am thinking of writing a script/plugin/rule to do smart lookup of ip against good bots list, & to automatically maintain that (collective) list. ideally, this is a service that someone like spamhause, or projecthoneypot should offer, since they already have the infrastructure. but, we’ll see. the script will detect traffic ‘purporting to be a SE bot, of any kind and to ban it via iptables if it isnt in the approved list/doesnt check out. the risk is in false positives and harming ones SEO. anyone any thought in this area?

b) probes & sniffers hunting out wp/bp forms, ajax ports, plugin files, forms, etc – in advance of main attack by penatration/spamming bots. typically always use swiftly rotated ip’s. many many variants out there. usually they have no luck on our sites, but that does not stop them trying in vast numbers (bot-nets, collectives? hives?) and harming out response times, etc.

idea: url obfuscation has been brought up on this forum before, particularly for eg: login, registration, admin url’s, etc. i am thinking of creating a plugin to dynamically hash encode links of choice using someething based on wp forms nonce system. not only useful for causing probes & hackers pain, but also to help thwart media thieves. obviously, scripters will soon respond by just snanning for link titles in html, so not bullet proof in any way, but they will at least be on 1-time request code, so causing them page reload every request & less sophisticted scripts will be totally wasting their own time.

anyway. these have been my thought so far. would love to hear experience/insights of others.

unfortuntely wordpress & buddypress sites in particular represent the richest of prizes for hackers, content scrapers, spammers, etc – & they r really on our case. furthermore, there is some BIG money involved, from porn to pharma to credit card fraud; that means some very smart programmers being paid excellent rates, to hack our systems, full time. add to that, the 10’s of millions of infected machines out there (often unknowingly) operating as botnet drones, trying to pernetrate our servers 24×7, steal our machine resources and steal our members personal data. it is a war of attrition.

all further experience, ideas welcome, here.

Well, i don’t know how i didn’t think about it before. Pretty simple, just changing the function which gets the slug. So:

function the_slug() {
    $post_data = get_post($post->ID, ARRAY_A);
    $slug = $post_data['post_name'];
	$slug = str_replace(array('-'),' ',$slug);
	return $slug; 
}

It gives me the slug as nice filtering terms like “chrono trigger” (space instead of -). If the page slug is “chrono-trigger-snes” i still having a problem, but i will use another string replace to get rid of this.

Any suggestion or opinion about performance (other faster/lighter way)?

The problem is I need to modify the core files and add a plugin at the same time so a user can change the Throttling settings in his WordPress backend.

I really tried to simple write a plugin and skip the core files modifications, but it’s just not working out. Maybe you can help out here, I will post the 3 core file functions which I modified as well as the plugin code which I wrote. If you can figure out a way for me to not modify the core files and still get Throttling to work, share your code.

Modified files:

1- bp-activity\bp-activity-functions.php

function bp_activity_post_update( $args = '' ) {
	global $bp;

	$defaults = array(
		'content' => false,
		'user_id' => bp_loggedin_user_id()
	);
	$r = wp_parse_args( $args, $defaults );
	extract( $r, EXTR_SKIP );

	if ( empty( $content ) || !strlen( trim( $content ) ) )
		return false;

	if ( bp_is_user_inactive( $user_id ) )
		return false;

	<strong>$floodTest = bp_core_check_for_flood ($user_id);
	
	if (!$floodTest)
		return "flood";</strong>

	// Record this on the user's profile
	$from_user_link   = bp_core_get_userlink( $user_id );
	$activity_action  = sprintf( __( '%s posted an update', 'buddypress' ), $from_user_link );
	$activity_content = $content;
	$primary_link     = bp_core_get_userlink( $user_id, false, true );

	// Now write the values
	$activity_id = bp_activity_add( array(
		'user_id'      => $user_id,
		'action'       => apply_filters( 'bp_activity_new_update_action', $activity_action ),
		'content'      => apply_filters( 'bp_activity_new_update_content', $activity_content ),
		'primary_link' => apply_filters( 'bp_activity_new_update_primary_link', $primary_link ),
		'component'    => $bp->activity->id,
		'type'         => 'activity_update'
	) );

	$activity_content = apply_filters( 'bp_activity_latest_update_content', $content );

	// Add this update to the "latest update" usermeta so it can be fetched anywhere.
	bp_update_user_meta( bp_loggedin_user_id(), 'bp_latest_update', array( 'id' => $activity_id, 'content' => $content ) );

	do_action( 'bp_activity_posted_update', $content, $user_id, $activity_id );

	return $activity_id;
}

2- bp-core\bp-core-moderation.php

function bp_core_check_for_flood( $user_id = 0 )
{	
	<strong>// Option disabled. No flood checks.
	if ( !$throttle_time = bp_get_option( 'bt_activity_time' ) )
		return false;
	
	// Bail if no user ID passed
	if ( !$user_id )
		return false;

	$last_posted = get_user_meta( $user_id, '_bp_last_posted', true );
	
	if ( !$last_posted )
	{		
		$last_posted = time();
		add_user_meta( $user_id, '_bp_last_posted', $last_posted);
		return true;
	}
	else
	{	
		if ( ( time() < ( $last_posted + $throttle_time ) ) && !current_user_can( 'throttle' ) )
		{
			update_user_meta($user_id,'_bp_last_posted',time());
			return false;
		}
		else
		{
			update_user_meta($user_id,'_bp_last_posted',time());
			return true;
		}
	}</strong>
}

3- bp-themes\bp-default\_inc\ajax.php

function bp_dtheme_post_update() {
	// Bail if not a POST action
	if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
		return;

	// Check the nonce
	check_admin_referer( 'post_update', '_wpnonce_post_update' );

	if ( ! is_user_logged_in() )
		exit( '-1' );

	if ( empty( $_POST['content'] ) )
		exit( '-1<div id="message" class="error"><p>' . __( 'Please enter some content to post.', 'buddypress' ) . '</p></div>' );

	$activity_id = 0;
	if ( empty( $_POST['object'] ) && bp_is_active( 'activity' ) ) {
		$activity_id = bp_activity_post_update( array( 'content' => $_POST['content'] ) );

	} elseif ( $_POST['object'] == 'groups' ) {
		if ( ! empty( $_POST['item_id'] ) && bp_is_active( 'groups' ) )
			$activity_id = groups_post_update( array( 'content' => $_POST['content'], 'group_id' => $_POST['item_id'] ) );

	} else {
		$activity_id = apply_filters( 'bp_activity_custom_update', $_POST['object'], $_POST['item_id'], $_POST['content'] );
	}

	if ($activity_id == "flood")
	{
		$bt_activity_throttle_time = bp_get_option ('bt_activity_time');
		$bt_activity_message = bp_get_option( "bt_activity_message" );
		
		$msg = ( $bt_activity_message ) ? $bt_activity_message : "You have to wait to post again";
		
		exit( '-1<div id="message" class="error"><p>' . __( $msg, 'buddypress' ) . '</p></div>' );
	}

	if ( empty( $activity_id ) )
		exit( '-1<div id="message" class="error"><p>' . __( 'There was a problem posting your update, please try again.', 'buddypress' ) . '</p></div>' );

	if ( bp_has_activities ( 'include=' . $activity_id ) ) {
		while ( bp_activities() ) {
			bp_the_activity();
			locate_template( array( 'activity/entry.php' ), true );
		}
	}

	exit;
}

4- The Buddypress Throttling Plugin Code

<?php
add_action( 'admin_menu', 'plugin_menu' );

function plugin_menu() {
	// add_options_page( $page_title, $menu_title, $capability, $menu_slug, $function);
	add_options_page( 'Buddypress Throttling | Settings', 'Buddypress Throttling', 'manage_options', 'buddypress_throttling', 'buddypress_throttling_options' );
}

function buddypress_throttling_options() {

    //must check that the user has the required capability 
    if (!current_user_can('manage_options')) {
     	WP_die( __('You do not have sufficient permissions to access this page.') );
    }

    // variables for the field and option names 
    $hidden_field_name = 'submit_hidden';

    // See if the user has posted us some information
    // If they did, this hidden field will be set to 'Y'
    if( isset($_POST[ $hidden_field_name ]) && $_POST[ $hidden_field_name ] == 'Y' ) 
	{
		// Activity
		$bp_activity_time_val =  ( intval($_POST["bt_activity_time"]) <= 0 ) ? 0 : $_POST ["bt_activity_time"];
		update_option( "bt_activity_time", $bp_activity_time_val );
		
		$bp_activity_message_val =  ( isset($_POST["bt_activity_message"]) && $_POST["bt_activity_message"] != "" ) ? $_POST["bt_activity_message"] : "Please wait before posting again";
		update_option( "bt_activity_message", $bp_activity_message_val );
		?>
		
		<div class="updated"><p><strong><?php _e('Settings saved.', 'menu-test' ); ?></strong></p></div>
		<?php
	}
	
	// Activity read values
	$bt_activity_time = get_option( "bt_activity_time" );
	$bt_activity_time = (intval($bt_activity_time) <= 0) ? 0 : $bt_activity_time;
	$bt_activity_message = get_option( "bt_activity_message" );
	$bt_activity_message = ($bt_activity_message) ? $bt_activity_message : "Please wait before posting again";
	
	echo '<div class="wrap">';
		echo "<h2>" . __( 'Buddypress Throttling Settings', 'menu-test' ) . "</h2>";
		?>
	
		<form name="form1" method="post" action="">
			<input type="hidden" name="<?php echo $hidden_field_name; ?>" value="Y">	
			<div class="bt-plugin">
				<style>
					.bt-plugin span { display: inline-block; width: 120px; margin-left: 20px }
					.bt-plugin textarea {width: 400px}
				</style>
				<h3><?php _e("On Activity Page: ", 'menu-test' ); ?></h3>
				<p><span>Throttling Time:</span><input type="text" name="bt_activity_time" value="<?php echo $bt_activity_time; ?>" size="20"> (in seconds)</p>
				<p><span>Message:</span><textarea name="bt_activity_message" rows="3"><?php echo $bt_activity_message; ?></textarea></p>
			</div>
			<p class="submit">
			<input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e('Save Changes') ?>" />
			</p>
		</form>
	</div>
<?php
}

Test it out locally, just replace the specified functions in these files with the functions I wrote, add the plugin code in a php file and save it under your Plugins directory (and activate it in the backend). The Plugin code will allow you to set the number of seconds for throttling as well as the message the user will see when he’s flooding.

Put this puzzle pieces together and you got Flooding control (for the activity page for now), which can easily be done for friend requests @bphelp).

Thank you so much @mercime, @naijaping

The site is back up!

I’m relatively new to WP/BP. And this experience is making me think about how can I possibly avoid this in future.

1) Is there a way I can create a backup/mirror image of my site before installing updates? And rollback to that state if anything goes bonkers during installation of updates?

2) I had relabeled some labels including ‘What’s new, @username?’ to ‘Submit a dream,@username’ in the activity-feed page. After deactivating the buddypress-login-redirect folder, these customizations are gone. Any thoughts on how to fix this would be appreciated!

Thanks in advance,
Shreya

Thanks for the info @shanebpdev that is very useful. After using the “Members” role editor I was indeed able to verify that the Manager role already had the “edit_users” capability. Sadly any user with the Manager role still gets taken to the “You do not have sufficient privileges” page. Perhaps it is a bug.

I checked out the bp-members-functions.php file and found the line you spoke of and it is matching:

if ( bp_current_user_can( 'bp_moderate' ) || current_user_can( 'edit_users' ) )

Now “bp_moderate” does not show up as an actual WP role. The regular “moderate” role does however, and the Manager user has access to that capability.

Just for the heck of it I changed the line to current_user_can(‘Manager’) which without any arguments does check for the name of the role. After doing so I noticed that when a manager goes to edit a member’s profile, they are automatically redirected to the member’s activity feed instead of the edit profile page.

Something funky is going on for sure. I really appreciate you helping me out with this.

Hi Modemlooper-

My theme is a child theme of Twenty Twelve, so my style.css declares Template: twentytwelve.

I followed your suggestion then took it a step farther and included slightly modified version of the js setup functions from the template pack in my `functions.php` file. I’ll post them here in case somebody else has the same problem I’m having:

`function bp_support_theme_setup() {
global $bp;

// Load the default BuddyPress AJAX functions if it isn’t explicitly disabled or if it isn’t already included in a custom theme
if ( ! function_exists( ‘bp_dtheme_ajax_querystring’ ) )
require_once( BP_PLUGIN_DIR . ‘/bp-themes/bp-default/_inc/ajax.php’ );

// Let’s tell BP that we support it!
add_theme_support( ‘buddypress’ );

if ( ! is_admin() ) {
// Register buttons for the relevant component templates
// Friends button
if ( bp_is_active( ‘friends’ ) )
add_action( ‘bp_member_header_actions’, ‘bp_add_friend_button’ );

// Activity button
if ( bp_is_active( ‘activity’ ) )
add_action( ‘bp_member_header_actions’, ‘bp_send_public_message_button’ );

// Messages button
if ( bp_is_active( ‘messages’ ) )
add_action( ‘bp_member_header_actions’, ‘bp_send_private_message_button’ );

// Group buttons
if ( bp_is_active( ‘groups’ ) ) {
add_action( ‘bp_group_header_actions’, ‘bp_group_join_button’ );
add_action( ‘bp_group_header_actions’, ‘bp_group_new_topic_button’ );
add_action( ‘bp_directory_groups_actions’, ‘bp_group_join_button’ );
}

// Blog button
if ( bp_is_active( ‘blogs’ ) )
add_action( ‘bp_directory_blogs_actions’, ‘bp_blogs_visit_blog_button’ );
}
}
add_action( ‘after_setup_theme’, ‘bp_support_theme_setup’, 11 );

/**
* Enqueues BuddyPress JS and related AJAX functions
*
* @since 1.2
*/
function bp_support_enqueue_scripts() {

// Add words that we need to use in JS to the end of the page so they can be translated and still used.
$params = array(
‘my_favs’ => __( ‘My Favorites’, ‘buddypress’ ),
‘accepted’ => __( ‘Accepted’, ‘buddypress’ ),
‘rejected’ => __( ‘Rejected’, ‘buddypress’ ),
‘show_all_comments’ => __( ‘Show all comments for this thread’, ‘buddypress’ ),
‘show_all’ => __( ‘Show all’, ‘buddypress’ ),
‘comments’ => __( ‘comments’, ‘buddypress’ ),
‘close’ => __( ‘Close’, ‘buddypress’ )
);

// BP 1.5+
if ( version_compare( BP_VERSION, ‘1.3’, ‘>’ ) ) {
// Bump this when changes are made to bust cache
$version = ‘20120412’;

$params[‘view’] = __( ‘View’, ‘buddypress’ );
$params[‘mark_as_fav’] = __( ‘Favorite’, ‘buddypress’ );
$params[‘remove_fav’] = __( ‘Remove Favorite’, ‘buddypress’ );
}
// BP 1.2.x
else {
$version = ‘20110729’;

if ( bp_displayed_user_id() )
$params[‘mention_explain’] = sprintf( __( “%s is a unique identifier for %s that you can type into any message on this site. %s will be sent a notification and a link to your message any time you use it.”, ‘buddypress’ ), ‘@’ . bp_get_displayed_user_username(), bp_get_user_firstname( bp_get_displayed_user_fullname() ), bp_get_user_firstname( bp_get_displayed_user_fullname() ) );
}

// Enqueue the global JS – Ajax will not work without it
wp_enqueue_script( ‘dtheme-ajax-js’, BP_PLUGIN_URL . ‘/bp-themes/bp-default/_inc/global.js’, array( ‘jquery’ ), $version );

// Localize the JS strings
wp_localize_script( ‘dtheme-ajax-js’, ‘BP_DTheme’, $params );
}
add_action( ‘wp_enqueue_scripts’, ‘bp_support_enqueue_scripts’ );
`

Which is identical to installing the template pack only for the JS, I think. Everything’s working as expected, so I think we can consider this problem resolved. Thanks for your attention, Hugo and Modemlooper.

-David

Hi Hugo-

Thanks for following up. The theme was built against BP1.6 & 1.7-beta, so the buddypress-related template folders (activity, blogs, groups, etc) were in the root of the theme. This resulted in the theme being rendered correctly, but, with BP1.7, the js support disappeared.

I’ve moved the bp-related folders into a “buddypress” folder at the root of the theme (as described in your article: https://codex.buddypress.org/developer/theme-development/a-quick-look-at-1-7-theme-compatibility/). Moving the files causes the output to be garbled. For instance, on a single member’s profile page, a div#content is being created inside of the div#content provided in the main template `buddypress.js`, and, while the object-nav (activity, messages, etc) is being rendered, the header and the main content area aren’t being populated. Structurally, it’s like the entire buddypress output is being wrapped in the theme’s page template. But not completely, because the end of the file isn’t being rendered.

As you can tell, I’m not exactly sure what’s going on. 🙂

Thanks again for your advice,

-David