BuddyPress.org

Disable BuddyPress. Do you get any emails from WordPress on itself? e.g. user registration, comment notification, etc.

I have a couple BuddyPress installs. The older of the 2 has received 150+ spam member registrations (and blogs) this weekend. All create members like bob45873675 and “Bob’s Blog”.

I have changed slugs, activated recaptcha and followed several blog posts on best practices. What’s interesting is they are somehow bypassing my registration page. I have required fields and have removed the “create a blog” from the registration page; but somehow they manage to create an account and a blog. I also receive “lost password reset” email notices for each account that is created, so maybe that’s a clue to where the issue is.

I was so fed up with it, I disabled registrations completely (only allowing blog creation by logged in users) — and I’m still getting new spam members and blogs (how is that possible??) This seems to be a pretty serious security issue that is different from previous “splogging”…

Vulnerability/hack in the registration or lost password, etc…?? I presume this could be WPMU not necessarily BP?

@crashutah thanks a lot man for your responses and information. I’ve noticed that there is some differences indeed between single and MU handling the whole registration, activation, and log in processes.

I tried this piece of code (in my functions.php after the disabling activation and email bits) however it game me some weird behavior and my backend became non functional. I probably missed something (used the code as is while I needed to modify) or maybe one of my other plugins is causing misbehavior? I have auto redirect to profile on login plugin, and branded login plugin activated.

Cheers.

Some thoughts;
– Assuming you don’t want others creating blogs in your installation, and you’re on WPMU, go to Site Admin > Options – under Registration Settings – choose ” User accounts may be registered.”
– Deactivate the Blogs component in admin dashboard – BuddyPress > Components Setup – under Blog Tracking – choose disabled
– Furthermore – https://codex.buddypress.org/how-to-guides/modifying-the-buddypress-admin-bar/

It blows my mind that this is not a core feature of WPMU, WP, or BuddyPress. It is the most obvious first defense against sploggers and spammer-members.

There is a plugin called Pie Registration that claims to do user moderation of unverified users before they are allowed to post. It seems to be a resurrection of an older (discontinued?) plugin called Register Plus. Find it here: https://wordpress.org/extend/plugins/pie-register/

Will check it out now.

EDIT: It says that the feature “Moderate all user registrations to require admin approval” will only work when Email Verification is DISABLED. I can’t get it to work, though.

Also found this:
“Register Plus plugin seemed to be working fine in 2.9.2, with custom logo and all, but now I’ve just discovered that it only sends the registration email if the registration is done in IE. In Firefox or Chrome the mail is not sent. How can this be?”
https://wordpress.org/support/topic/376015

Anyone know how to turn off registrations in Buddypress forums, as recommended here? Can’t find a way…

M,
Yes, I thought of that. I installed the beta copy of WP 3.0 today and found that the users are still stored in the same places for a WP/BP install or a WPMU/BP install as they are separate. So, unless they’ve changed the core user signup calls, then we should be good, but I’ll be sure to test it.

It’s just too bad that there’s not some BP functions that I could just call like bp_core_creat_user(some variables) and bp_core_activate_user(some variables) so we didn’t have to dig in to figure out the functions that BP is already calling at registration. Maybe there is and I just don’t know it?

While you’re preparing part 2 I’ll make the comment (probably unpopular) that too an extent this is an issue that BP, WP, Automatic must accept some responsibility for in that WP has always followed the course of making it as easy as possible for inexperienced people to set up a blog/blogs the principle of ‘Out Of The Box’ and ‘5 Minute Install’ all designed to promote the app/s to those users who otherwise might be put off, it’s a marketing ploy to ensure that the app gains widespread and popular use (that is being deliberately cynical to make a point) It is due to that that I say there is a duty of care that falls on the App not on the user or community. I know how to get down and dirty with htaccess files, to read logs, enable various methods to deal with an issue – as do many others here – but lets not forget most don’t! I would suggest that it’s time to pull together all the various approaches to dealing with spam in one clear stickied post, make the steps as clear as possible but emphasize that these steps are of paramount importance to follow (thinking about it that may already exist?) Until such time as Foxly or the dev team comes up with the core improvements.

For the record I have enabled most of the steps found in various threads here and elsewhere and also disabled sub blog registration and receive no more than around 6 -8 spam sign ups a day, which we can deal with quite quickly and effectively, I’m still slightly puzzled as to why some appear to have such ongoing issues though, very sympathetic but puzzled nonetheless.

@sbrajesh and @r-a-y, it was the bad bad mercime who added the link to the hack. i promise never to let my alter ego do it again

@dandelionweb

It’s better to make your changes in a child theme. This way your changes will not be overwritten when you have to upgrade BP.

@dandelionweb

Try using the post snippet I posted above.

@dandelionweb


function my_redirect_activation_email()
{
return get_site_option( "admin_email" );
}
add_filter('bp_core_activation_signup_user_notification_to', 'my_redirect_activation_email');


Add this to wp-content/plugins/bp-custom.php or your theme’s functions.php file.

#buddypress-dev on freenode.

Or use this java applet:
http://java.freenode.net/?channel=buddypress-dev

@mercime – that hack you linked to is totally unnecessary! It is possible to use filters to achieve the same result. The same method was brought up in the IRC room a few days ago. It is actually quite a nice way around the problem

@mercime
@dandelionweb
For signups, please select the box which says user and blogs can be created.

To disable blog creation by non logged in user, put this code in your theme’s functions.php or bp-custom.php
Here is the code on pastebin(current forum has trouble posting code, so i posted it there).
http://bpdev.pastebin.com/1AyszwQ7

And the issue with bp-registration-options seems to be of PHP5.

There is a hack to core BP files which can be turned into a plugin (hint, hint) which works in BP 1.2.3 and WPMU 2.9.2 …