BuddyPress.org

I put an !important at the end and it works .
Thanks Hugo

Even I change the style of all spans ( span{} ) but it doesn’t work .
I found this in frisco theme :
div.item-list-tabs ul li a span {}
It doesn’t work neither !

Thanks but none of them works ! I use this css code:

 .item-list-tabs li a span {
color:red;
font-size:20px;
background-color:orange;
}

@bp-help

good suggestions. thx. 2 of them r new to me, so other people may find them helpful also.

on our sites we r using::

Keith Graham’s most excellent ‘stop-spammer-registrations-plugin’ – https://wordpress.org/plugins/stop-spammer-registrations-plugin/

– has stopped over 53,000 spammers since feb this year! it uses external lookups on StopForumSpam, ProjectHoneyPot, BotScout, (Akismet, which we dont use), others – thus great collective benefit/advance warning of bad traffic. also traps brute force attacks (bad logins/registrations/comment posts, etc), etc. is simple enough to play nice with most plugins.

to try & keep as much load off the front-end of the server as possible, we also have set up:

linux iptables ( & ufw add on )- as the basis of all firewall stuff. also has our manually maintained blacklists & whitelists. various custom rule chains setup. takes a while to get your head around, but is essential.

linux fail2ban – essentially an add on to iptables, puts people in jail for bad behaviour – eg: brute force attacks against ssh, ftp, mail logins. we also have set up custom rules detecting bad activity against wp-login.php itself via fail2ban. am looking to do some more with this.

linux apache – mod-security2, libapache2-mod-evasive, libapache2-mod-antiloris, libapache2mod-spamhaus – which help protect against general bad behaviour, DDOS, blank header attacks, the infamous ‘Loris’ script (which we’ve experienced!), and bot-nets. still assessing how effective these r.

we have also had to tune apache on our VPS for resilience in the face of DDOS type attacks and heavy-handed brute force attacks.

some further good tips here: http://www.dannytsang.co.uk/index.php/apache-2-hardening-tips/ & elsewhere.

linux logwatch – reports various access stats (the good & the bad & the ugly) via email – very useful indeed for checking whther situation is under control (or not).

linux rkhunter – scans for rootkits on the server from time to time – just be sure – & particularly useful if u ever do get infected in hunting down the intruder’s code.

obviously we also have file system bolted down. (there is a good wp plugin to check permissions bolt-down, i forget what its called). we also spend a LONG time analysing logs etc.

anway, that takes care of many of the bad boys, but we r still left with the following problems to crack:

1) we have observed that many bad bots/scripts are exhibiting ‘learning behaviour’ (ie. heuristic) and r finding ways around fail2ban rules/jails, etc. in particular:

a) rotating IP addresses to match ‘ban counts’ – currently we have them wasting an IP address every 3-4 attempts, but they still seem to have an inexhaustable supply, else are spoofing extreamly well.

b) varying their retry period to match the length of jail sentence. (ie. they are not wasting their mips whilst in jail, just enough to detect when they are released,record it, and tune their future responses).

2) content scrapers, probes and bad-bots generally – these r wasting enormous resource on our servers. typically i would suggest such ‘bad traffic’ is responsible for over 50% of total server load (ie. not good at peak times on a busy site). additional problems we r facing here:

a) bad bots often spoof the agent string to pretend to be eg. google, bing, etc. the only way u can tell is by reverse lookup of ip address and try and match to one of well known range of ‘good bot’ addresses. but, despite fact that many ranges are well known, most of them are never actually published or confirmed, many are variable. i am not aware of any definitve list of ip addresses of good bots (though there is http://www.iplists.com/ whichis not bad, & http://www.webmasterworld.com/search_engine_spiders/ which is often helpful – these are very much ‘best efforts/as seen in the wild’ lists.). this problem worsens with the rise of social network agregation services, other (legitimate) content agregators, and personal content aggregating software on mobiles, tablets, etc.

idea: i am thinking of writing a script/plugin/rule to do smart lookup of ip against good bots list, & to automatically maintain that (collective) list. ideally, this is a service that someone like spamhause, or projecthoneypot should offer, since they already have the infrastructure. but, we’ll see. the script will detect traffic ‘purporting to be a SE bot, of any kind and to ban it via iptables if it isnt in the approved list/doesnt check out. the risk is in false positives and harming ones SEO. anyone any thought in this area?

b) probes & sniffers hunting out wp/bp forms, ajax ports, plugin files, forms, etc – in advance of main attack by penatration/spamming bots. typically always use swiftly rotated ip’s. many many variants out there. usually they have no luck on our sites, but that does not stop them trying in vast numbers (bot-nets, collectives? hives?) and harming out response times, etc.

idea: url obfuscation has been brought up on this forum before, particularly for eg: login, registration, admin url’s, etc. i am thinking of creating a plugin to dynamically hash encode links of choice using someething based on wp forms nonce system. not only useful for causing probes & hackers pain, but also to help thwart media thieves. obviously, scripters will soon respond by just snanning for link titles in html, so not bullet proof in any way, but they will at least be on 1-time request code, so causing them page reload every request & less sophisticted scripts will be totally wasting their own time.

anyway. these have been my thought so far. would love to hear experience/insights of others.

unfortuntely wordpress & buddypress sites in particular represent the richest of prizes for hackers, content scrapers, spammers, etc – & they r really on our case. furthermore, there is some BIG money involved, from porn to pharma to credit card fraud; that means some very smart programmers being paid excellent rates, to hack our systems, full time. add to that, the 10’s of millions of infected machines out there (often unknowingly) operating as botnet drones, trying to pernetrate our servers 24×7, steal our machine resources and steal our members personal data. it is a war of attrition.

all further experience, ideas welcome, here.

Well, i don’t know how i didn’t think about it before. Pretty simple, just changing the function which gets the slug. So:

function the_slug() {
    $post_data = get_post($post->ID, ARRAY_A);
    $slug = $post_data['post_name'];
	$slug = str_replace(array('-'),' ',$slug);
	return $slug; 
}

It gives me the slug as nice filtering terms like “chrono trigger” (space instead of -). If the page slug is “chrono-trigger-snes” i still having a problem, but i will use another string replace to get rid of this.

Any suggestion or opinion about performance (other faster/lighter way)?

The problem is I need to modify the core files and add a plugin at the same time so a user can change the Throttling settings in his WordPress backend.

I really tried to simple write a plugin and skip the core files modifications, but it’s just not working out. Maybe you can help out here, I will post the 3 core file functions which I modified as well as the plugin code which I wrote. If you can figure out a way for me to not modify the core files and still get Throttling to work, share your code.

Modified files:

1- bp-activity\bp-activity-functions.php

function bp_activity_post_update( $args = '' ) {
	global $bp;

	$defaults = array(
		'content' => false,
		'user_id' => bp_loggedin_user_id()
	);
	$r = wp_parse_args( $args, $defaults );
	extract( $r, EXTR_SKIP );

	if ( empty( $content ) || !strlen( trim( $content ) ) )
		return false;

	if ( bp_is_user_inactive( $user_id ) )
		return false;

	<strong>$floodTest = bp_core_check_for_flood ($user_id);
	
	if (!$floodTest)
		return "flood";</strong>

	// Record this on the user's profile
	$from_user_link   = bp_core_get_userlink( $user_id );
	$activity_action  = sprintf( __( '%s posted an update', 'buddypress' ), $from_user_link );
	$activity_content = $content;
	$primary_link     = bp_core_get_userlink( $user_id, false, true );

	// Now write the values
	$activity_id = bp_activity_add( array(
		'user_id'      => $user_id,
		'action'       => apply_filters( 'bp_activity_new_update_action', $activity_action ),
		'content'      => apply_filters( 'bp_activity_new_update_content', $activity_content ),
		'primary_link' => apply_filters( 'bp_activity_new_update_primary_link', $primary_link ),
		'component'    => $bp->activity->id,
		'type'         => 'activity_update'
	) );

	$activity_content = apply_filters( 'bp_activity_latest_update_content', $content );

	// Add this update to the "latest update" usermeta so it can be fetched anywhere.
	bp_update_user_meta( bp_loggedin_user_id(), 'bp_latest_update', array( 'id' => $activity_id, 'content' => $content ) );

	do_action( 'bp_activity_posted_update', $content, $user_id, $activity_id );

	return $activity_id;
}

2- bp-core\bp-core-moderation.php

function bp_core_check_for_flood( $user_id = 0 )
{	
	<strong>// Option disabled. No flood checks.
	if ( !$throttle_time = bp_get_option( 'bt_activity_time' ) )
		return false;
	
	// Bail if no user ID passed
	if ( !$user_id )
		return false;

	$last_posted = get_user_meta( $user_id, '_bp_last_posted', true );
	
	if ( !$last_posted )
	{		
		$last_posted = time();
		add_user_meta( $user_id, '_bp_last_posted', $last_posted);
		return true;
	}
	else
	{	
		if ( ( time() < ( $last_posted + $throttle_time ) ) && !current_user_can( 'throttle' ) )
		{
			update_user_meta($user_id,'_bp_last_posted',time());
			return false;
		}
		else
		{
			update_user_meta($user_id,'_bp_last_posted',time());
			return true;
		}
	}</strong>
}

3- bp-themes\bp-default\_inc\ajax.php

function bp_dtheme_post_update() {
	// Bail if not a POST action
	if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
		return;

	// Check the nonce
	check_admin_referer( 'post_update', '_wpnonce_post_update' );

	if ( ! is_user_logged_in() )
		exit( '-1' );

	if ( empty( $_POST['content'] ) )
		exit( '-1<div id="message" class="error"><p>' . __( 'Please enter some content to post.', 'buddypress' ) . '</p></div>' );

	$activity_id = 0;
	if ( empty( $_POST['object'] ) && bp_is_active( 'activity' ) ) {
		$activity_id = bp_activity_post_update( array( 'content' => $_POST['content'] ) );

	} elseif ( $_POST['object'] == 'groups' ) {
		if ( ! empty( $_POST['item_id'] ) && bp_is_active( 'groups' ) )
			$activity_id = groups_post_update( array( 'content' => $_POST['content'], 'group_id' => $_POST['item_id'] ) );

	} else {
		$activity_id = apply_filters( 'bp_activity_custom_update', $_POST['object'], $_POST['item_id'], $_POST['content'] );
	}

	if ($activity_id == "flood")
	{
		$bt_activity_throttle_time = bp_get_option ('bt_activity_time');
		$bt_activity_message = bp_get_option( "bt_activity_message" );
		
		$msg = ( $bt_activity_message ) ? $bt_activity_message : "You have to wait to post again";
		
		exit( '-1<div id="message" class="error"><p>' . __( $msg, 'buddypress' ) . '</p></div>' );
	}

	if ( empty( $activity_id ) )
		exit( '-1<div id="message" class="error"><p>' . __( 'There was a problem posting your update, please try again.', 'buddypress' ) . '</p></div>' );

	if ( bp_has_activities ( 'include=' . $activity_id ) ) {
		while ( bp_activities() ) {
			bp_the_activity();
			locate_template( array( 'activity/entry.php' ), true );
		}
	}

	exit;
}

4- The Buddypress Throttling Plugin Code

<?php
add_action( 'admin_menu', 'plugin_menu' );

function plugin_menu() {
	// add_options_page( $page_title, $menu_title, $capability, $menu_slug, $function);
	add_options_page( 'Buddypress Throttling | Settings', 'Buddypress Throttling', 'manage_options', 'buddypress_throttling', 'buddypress_throttling_options' );
}

function buddypress_throttling_options() {

    //must check that the user has the required capability 
    if (!current_user_can('manage_options')) {
     	WP_die( __('You do not have sufficient permissions to access this page.') );
    }

    // variables for the field and option names 
    $hidden_field_name = 'submit_hidden';

    // See if the user has posted us some information
    // If they did, this hidden field will be set to 'Y'
    if( isset($_POST[ $hidden_field_name ]) && $_POST[ $hidden_field_name ] == 'Y' ) 
	{
		// Activity
		$bp_activity_time_val =  ( intval($_POST["bt_activity_time"]) <= 0 ) ? 0 : $_POST ["bt_activity_time"];
		update_option( "bt_activity_time", $bp_activity_time_val );
		
		$bp_activity_message_val =  ( isset($_POST["bt_activity_message"]) && $_POST["bt_activity_message"] != "" ) ? $_POST["bt_activity_message"] : "Please wait before posting again";
		update_option( "bt_activity_message", $bp_activity_message_val );
		?>
		
		<div class="updated"><p><strong><?php _e('Settings saved.', 'menu-test' ); ?></strong></p></div>
		<?php
	}
	
	// Activity read values
	$bt_activity_time = get_option( "bt_activity_time" );
	$bt_activity_time = (intval($bt_activity_time) <= 0) ? 0 : $bt_activity_time;
	$bt_activity_message = get_option( "bt_activity_message" );
	$bt_activity_message = ($bt_activity_message) ? $bt_activity_message : "Please wait before posting again";
	
	echo '<div class="wrap">';
		echo "<h2>" . __( 'Buddypress Throttling Settings', 'menu-test' ) . "</h2>";
		?>
	
		<form name="form1" method="post" action="">
			<input type="hidden" name="<?php echo $hidden_field_name; ?>" value="Y">	
			<div class="bt-plugin">
				<style>
					.bt-plugin span { display: inline-block; width: 120px; margin-left: 20px }
					.bt-plugin textarea {width: 400px}
				</style>
				<h3><?php _e("On Activity Page: ", 'menu-test' ); ?></h3>
				<p><span>Throttling Time:</span><input type="text" name="bt_activity_time" value="<?php echo $bt_activity_time; ?>" size="20"> (in seconds)</p>
				<p><span>Message:</span><textarea name="bt_activity_message" rows="3"><?php echo $bt_activity_message; ?></textarea></p>
			</div>
			<p class="submit">
			<input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e('Save Changes') ?>" />
			</p>
		</form>
	</div>
<?php
}

Test it out locally, just replace the specified functions in these files with the functions I wrote, add the plugin code in a php file and save it under your Plugins directory (and activate it in the backend). The Plugin code will allow you to set the number of seconds for throttling as well as the message the user will see when he’s flooding.

Put this puzzle pieces together and you got Flooding control (for the activity page for now), which can easily be done for friend requests @bphelp).

Thank you so much @mercime, @naijaping

The site is back up!

I’m relatively new to WP/BP. And this experience is making me think about how can I possibly avoid this in future.

1) Is there a way I can create a backup/mirror image of my site before installing updates? And rollback to that state if anything goes bonkers during installation of updates?

2) I had relabeled some labels including ‘What’s new, @username?’ to ‘Submit a dream,@username’ in the activity-feed page. After deactivating the buddypress-login-redirect folder, these customizations are gone. Any thoughts on how to fix this would be appreciated!

Thanks in advance,
Shreya

Thanks for the info @shanebpdev that is very useful. After using the “Members” role editor I was indeed able to verify that the Manager role already had the “edit_users” capability. Sadly any user with the Manager role still gets taken to the “You do not have sufficient privileges” page. Perhaps it is a bug.

I checked out the bp-members-functions.php file and found the line you spoke of and it is matching:

if ( bp_current_user_can( 'bp_moderate' ) || current_user_can( 'edit_users' ) )

Now “bp_moderate” does not show up as an actual WP role. The regular “moderate” role does however, and the Manager user has access to that capability.

Just for the heck of it I changed the line to current_user_can(‘Manager’) which without any arguments does check for the name of the role. After doing so I noticed that when a manager goes to edit a member’s profile, they are automatically redirected to the member’s activity feed instead of the edit profile page.

Something funky is going on for sure. I really appreciate you helping me out with this.

Hi Modemlooper-

My theme is a child theme of Twenty Twelve, so my style.css declares Template: twentytwelve.

I followed your suggestion then took it a step farther and included slightly modified version of the js setup functions from the template pack in my `functions.php` file. I’ll post them here in case somebody else has the same problem I’m having:

`function bp_support_theme_setup() {
global $bp;

// Load the default BuddyPress AJAX functions if it isn’t explicitly disabled or if it isn’t already included in a custom theme
if ( ! function_exists( ‘bp_dtheme_ajax_querystring’ ) )
require_once( BP_PLUGIN_DIR . ‘/bp-themes/bp-default/_inc/ajax.php’ );

// Let’s tell BP that we support it!
add_theme_support( ‘buddypress’ );

if ( ! is_admin() ) {
// Register buttons for the relevant component templates
// Friends button
if ( bp_is_active( ‘friends’ ) )
add_action( ‘bp_member_header_actions’, ‘bp_add_friend_button’ );

// Activity button
if ( bp_is_active( ‘activity’ ) )
add_action( ‘bp_member_header_actions’, ‘bp_send_public_message_button’ );

// Messages button
if ( bp_is_active( ‘messages’ ) )
add_action( ‘bp_member_header_actions’, ‘bp_send_private_message_button’ );

// Group buttons
if ( bp_is_active( ‘groups’ ) ) {
add_action( ‘bp_group_header_actions’, ‘bp_group_join_button’ );
add_action( ‘bp_group_header_actions’, ‘bp_group_new_topic_button’ );
add_action( ‘bp_directory_groups_actions’, ‘bp_group_join_button’ );
}

// Blog button
if ( bp_is_active( ‘blogs’ ) )
add_action( ‘bp_directory_blogs_actions’, ‘bp_blogs_visit_blog_button’ );
}
}
add_action( ‘after_setup_theme’, ‘bp_support_theme_setup’, 11 );

/**
* Enqueues BuddyPress JS and related AJAX functions
*
* @since 1.2
*/
function bp_support_enqueue_scripts() {

// Add words that we need to use in JS to the end of the page so they can be translated and still used.
$params = array(
‘my_favs’ => __( ‘My Favorites’, ‘buddypress’ ),
‘accepted’ => __( ‘Accepted’, ‘buddypress’ ),
‘rejected’ => __( ‘Rejected’, ‘buddypress’ ),
‘show_all_comments’ => __( ‘Show all comments for this thread’, ‘buddypress’ ),
‘show_all’ => __( ‘Show all’, ‘buddypress’ ),
‘comments’ => __( ‘comments’, ‘buddypress’ ),
‘close’ => __( ‘Close’, ‘buddypress’ )
);

// BP 1.5+
if ( version_compare( BP_VERSION, ‘1.3’, ‘>’ ) ) {
// Bump this when changes are made to bust cache
$version = ‘20120412’;

$params[‘view’] = __( ‘View’, ‘buddypress’ );
$params[‘mark_as_fav’] = __( ‘Favorite’, ‘buddypress’ );
$params[‘remove_fav’] = __( ‘Remove Favorite’, ‘buddypress’ );
}
// BP 1.2.x
else {
$version = ‘20110729’;

if ( bp_displayed_user_id() )
$params[‘mention_explain’] = sprintf( __( “%s is a unique identifier for %s that you can type into any message on this site. %s will be sent a notification and a link to your message any time you use it.”, ‘buddypress’ ), ‘@’ . bp_get_displayed_user_username(), bp_get_user_firstname( bp_get_displayed_user_fullname() ), bp_get_user_firstname( bp_get_displayed_user_fullname() ) );
}

// Enqueue the global JS – Ajax will not work without it
wp_enqueue_script( ‘dtheme-ajax-js’, BP_PLUGIN_URL . ‘/bp-themes/bp-default/_inc/global.js’, array( ‘jquery’ ), $version );

// Localize the JS strings
wp_localize_script( ‘dtheme-ajax-js’, ‘BP_DTheme’, $params );
}
add_action( ‘wp_enqueue_scripts’, ‘bp_support_enqueue_scripts’ );
`

Which is identical to installing the template pack only for the JS, I think. Everything’s working as expected, so I think we can consider this problem resolved. Thanks for your attention, Hugo and Modemlooper.

-David

Hi Hugo-

Thanks for following up. The theme was built against BP1.6 & 1.7-beta, so the buddypress-related template folders (activity, blogs, groups, etc) were in the root of the theme. This resulted in the theme being rendered correctly, but, with BP1.7, the js support disappeared.

I’ve moved the bp-related folders into a “buddypress” folder at the root of the theme (as described in your article: https://codex.buddypress.org/developer/theme-development/a-quick-look-at-1-7-theme-compatibility/). Moving the files causes the output to be garbled. For instance, on a single member’s profile page, a div#content is being created inside of the div#content provided in the main template `buddypress.js`, and, while the object-nav (activity, messages, etc) is being rendered, the header and the main content area aren’t being populated. Structurally, it’s like the entire buddypress output is being wrapped in the theme’s page template. But not completely, because the end of the file isn’t being rendered.

As you can tell, I’m not exactly sure what’s going on. 🙂

Thanks again for your advice,

-David

Hi, @shanebp

Oh no, not all this is happening in the one customised plugin. I was simply describing what appears to be happening in the system as a whole when you hit the Submit button in the customised post. This thing is one tortured mass of plugins. 🙁

The Custom post page is generated by Gravity Forms. This is the plugin that handles creating a post & saving it.

The Add-a-Post-to-Activity-Stream-so-it-sends-an-Email-Like-an-Update is provided by a custom plugin that extends the functionality of BuddyPress Group Email Subscription.

It just seems that the timing’s out a bit.

If I can make the postmeta handling occur before the post is added to the Activity Stream, then all will be well, as my own trivial addition to this will be fine.

I’ll take a look at wp_mail. I thought that Buddypress may override what happens in there.

Thanks for that & apologies for posting in the wrong part of the forum. Just noticed that.

So I placed this in wp-content\plugins\bp-custom.php

Then I added:

function bp_guest_redirect() {

global $bp;

if ( bp_is_activity_component() || bp_is_groups_component() /*||

bbp_is_single_forum()*/ ||bp_is_forums_component() ||

bp_is_blogs_component() || bp_is_page( BP_MEMBERS_SLUG ) ) {

// enter the slug or component conditional here

if(!is_user_logged_in()) { // not logged in user

wp_redirect( get_option(‘siteurl’) . ‘/members-2’ );

} // user will be redirect to any link to want

}

}

add_filter(‘get_header’,’bp_guest_redirect’,1);

That didnt help the pages still show

@mercime I understand what you’re saying, I really do. I tried everything. When I was able to successfully activate BP 1.7 beta, I received multiple posts on the activity stream — four of them right in a row. Here’s the really weird part. When I went to the BP default theme and posted from there, the little button wouldn’t appear to post the text. My site had some severe issues. It tried to, and a hard refresh sometimes made it appear. After making a post, the button disappeared again.

I ultimately reverted back to the Stable BP version, and everything worked fine. Then, to make sure I won’t face an upgrade issue down the road when the new release is issued, I uploaded everything from scratch. Totally wiped it all clean and created a new database with a different name.

I know this solution sounds like turning off a computer with the button on the tower — a big no no for professionals, but I’m still learning. A week ago I could barely navigate my multisite, and today I’m really moving through it. I even created custom page names this time to assign to BP.

Last week after I installed BP 1.7 beta, I tried several times to change me permalinks. Mostly due to appearance and robot spam (renaming register page to something else).

A new install today has afforded me the chance to really make a good solid base for any and all WordPress and BuddyPress upgrades in the future.

I’m really learning a lot about databases and domain add-ons (for clean URLs). This past week I’ve taught myself to use cPanel for almost everything. I use FileZilla now for mostly uploading zip files.

I hope I don’t wear out my welcome here with my issues. I really appreciate everyone’s help. I find myself often reading posts that are two and three years old. All informative. It’s all very interesting, and I’m really learning a lot.

Thank you for your time. I really appreciate it.

Kevin