BuddyPress.org

I don’t do extra profile fields. I use that to redirect to a payment page so they can pay to join. After they pay, I redirect them to a Thank You page with their payment details. This is just a page with a special page template applied to it. I also have the activation disabled and they are just automatically activated and logged into the site. I can get away with this since they have to pay.

Use the BP Disable Activation plugin by @crashutah –
https://buddypress.org/community/groups/bp-disable-activation/

Make sure you add a captcha plugin or some type of spam prevention!

You have to activate your account via email by default!

It appears that you’re using the BP Disable Activation plugin or some other plugin that does something similar.
Can you confirm?

@zlamczyk: I think we are trying to work on the same thing.
https://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/disable-activation-email/

I am getting spammed (bad) and they are simply using the activation email to approve themselves. My thought was just do a manual approval to either “activate”, “send activation email” or “delete from wp-signup”.

I have modified manual member approve for BuddyPress so I can see the signup table and manually approve members.
http://mattkern.com/wpmu-manually-approve-new-members-on-local-install/

I just need to stop the automatic sending of the activation email. Do you know how?

I’ve simply tried commenting out the following line in wp-core-signup.php to test, but it’s not working.
wp_mail( $to, $subject, $message, $message_headers );

This is the function; but for some reason the activation email still goes out.

Update: After several days of manually adding users with a form (that matches the registration form); I attempted to re-enabled registrations. Immediately I got 2 new spam users and blogs.

New User: terrence1603615
Remote IP: 65.75.250.92
terrence1603615@LIEMAIL.INFO

New User: cooper7790557
Remote IP: 65.75.250.92
cooper7790557@THEINBOX.INFO

This is only happening on one of my installs (http://anglersites.com). Running WPMU 2.9.2/BP 1.2.2.1. My other install (http://fellowmoms.com) is running WPMU 2.9.2/BP 1.2.3 and is not having this issue.

Any reason to think BP update would resolve this? Looks like current version is 1.2.4.1.

Is anyone else experiencing this? Looks like disabling the registrations stops it; from my previous post these were delayed notices. As soon as I disabled registrations again, I recieved a flurry of “Password Lost/Changed” for a couple users (one of them was an active user that was not newly created). I marked this user as spam.

Surely someone else is getting hit?

Disable BuddyPress. Do you get any emails from WordPress on itself? e.g. user registration, comment notification, etc.

I have a couple BuddyPress installs. The older of the 2 has received 150+ spam member registrations (and blogs) this weekend. All create members like bob45873675 and “Bob’s Blog”.

I have changed slugs, activated recaptcha and followed several blog posts on best practices. What’s interesting is they are somehow bypassing my registration page. I have required fields and have removed the “create a blog” from the registration page; but somehow they manage to create an account and a blog. I also receive “lost password reset” email notices for each account that is created, so maybe that’s a clue to where the issue is.

I was so fed up with it, I disabled registrations completely (only allowing blog creation by logged in users) — and I’m still getting new spam members and blogs (how is that possible??) This seems to be a pretty serious security issue that is different from previous “splogging”…

Vulnerability/hack in the registration or lost password, etc…?? I presume this could be WPMU not necessarily BP?

@crashutah thanks a lot man for your responses and information. I’ve noticed that there is some differences indeed between single and MU handling the whole registration, activation, and log in processes.

I tried this piece of code (in my functions.php after the disabling activation and email bits) however it game me some weird behavior and my backend became non functional. I probably missed something (used the code as is while I needed to modify) or maybe one of my other plugins is causing misbehavior? I have auto redirect to profile on login plugin, and branded login plugin activated.

Cheers.

Some thoughts;
– Assuming you don’t want others creating blogs in your installation, and you’re on WPMU, go to Site Admin > Options – under Registration Settings – choose ” User accounts may be registered.”
– Deactivate the Blogs component in admin dashboard – BuddyPress > Components Setup – under Blog Tracking – choose disabled
– Furthermore – https://codex.buddypress.org/how-to-guides/modifying-the-buddypress-admin-bar/

It blows my mind that this is not a core feature of WPMU, WP, or BuddyPress. It is the most obvious first defense against sploggers and spammer-members.

There is a plugin called Pie Registration that claims to do user moderation of unverified users before they are allowed to post. It seems to be a resurrection of an older (discontinued?) plugin called Register Plus. Find it here: https://wordpress.org/extend/plugins/pie-register/

Will check it out now.

EDIT: It says that the feature “Moderate all user registrations to require admin approval” will only work when Email Verification is DISABLED. I can’t get it to work, though.

Also found this:
“Register Plus plugin seemed to be working fine in 2.9.2, with custom logo and all, but now I’ve just discovered that it only sends the registration email if the registration is done in IE. In Firefox or Chrome the mail is not sent. How can this be?”
https://wordpress.org/support/topic/376015

Anyone know how to turn off registrations in Buddypress forums, as recommended here? Can’t find a way…

M,
Yes, I thought of that. I installed the beta copy of WP 3.0 today and found that the users are still stored in the same places for a WP/BP install or a WPMU/BP install as they are separate. So, unless they’ve changed the core user signup calls, then we should be good, but I’ll be sure to test it.

It’s just too bad that there’s not some BP functions that I could just call like bp_core_creat_user(some variables) and bp_core_activate_user(some variables) so we didn’t have to dig in to figure out the functions that BP is already calling at registration. Maybe there is and I just don’t know it?

While you’re preparing part 2 I’ll make the comment (probably unpopular) that too an extent this is an issue that BP, WP, Automatic must accept some responsibility for in that WP has always followed the course of making it as easy as possible for inexperienced people to set up a blog/blogs the principle of ‘Out Of The Box’ and ‘5 Minute Install’ all designed to promote the app/s to those users who otherwise might be put off, it’s a marketing ploy to ensure that the app gains widespread and popular use (that is being deliberately cynical to make a point) It is due to that that I say there is a duty of care that falls on the App not on the user or community. I know how to get down and dirty with htaccess files, to read logs, enable various methods to deal with an issue – as do many others here – but lets not forget most don’t! I would suggest that it’s time to pull together all the various approaches to dealing with spam in one clear stickied post, make the steps as clear as possible but emphasize that these steps are of paramount importance to follow (thinking about it that may already exist?) Until such time as Foxly or the dev team comes up with the core improvements.

For the record I have enabled most of the steps found in various threads here and elsewhere and also disabled sub blog registration and receive no more than around 6 -8 spam sign ups a day, which we can deal with quite quickly and effectively, I’m still slightly puzzled as to why some appear to have such ongoing issues though, very sympathetic but puzzled nonetheless.

@sbrajesh and @r-a-y, it was the bad bad mercime who added the link to the hack. i promise never to let my alter ego do it again

@dandelionweb

It’s better to make your changes in a child theme. This way your changes will not be overwritten when you have to upgrade BP.

@dandelionweb

Try using the post snippet I posted above.

@dandelionweb


function my_redirect_activation_email()
{
return get_site_option( "admin_email" );
}
add_filter('bp_core_activation_signup_user_notification_to', 'my_redirect_activation_email');


Add this to wp-content/plugins/bp-custom.php or your theme’s functions.php file.