BuddyPress.org

1. Are there different permissions for creating events based on the user’s Role in the back-end?

For example, I created an event with a “Test User 01” who was recently registered and carried the default role of Subscriber. No problem creating the event, but after it was published there was no Invite tab for this user to use.

2. Also, it seems when I invite other members to an Event, they automatically become registered without logging in to accept the invite. This happens even when the “automatically register” box is left unchecked. I assumed that check box held registrations as pending for approval by an Admin.

Thanks for the great work on this!

Pop a link back to the ticket if you can and some of us may try and take a look, IE did historically have some horrendous show stopping issues with form controls causing it to return wrong values or no value at all. Be surprised though if those IE bugs transposed to IE8 but then again…

Unless eric means multiple radio button fields in the same group.

Radio Buttons are not multiple items though if one is selected the others are supposed to be deselected if they correctly share the same name, or have I missed the point?

Hmm… sounds like you should submit a trac ticket: https://trac.buddypress.org/

This isn’t a straightforward issue to resolve. I’m not sure, but try setting this in your wp-config.php:

`
define ( ‘BP_ENABLE_MULTIBLOG’, true );
define ( ‘BP_ROOT_BLOG’, 2 );
`

I’m assuming that the site ID of the community site is “2”; if not, change the line appropiately. See how that affects registration and we can work from there

Hi Guys!
It seems it’s a problem with the ‘mod_rewrite’ function under Windows, see

https://buddypress.org/community/groups/welcome-pack/forum/topic/welcome-pack-problem-with-activation-key-s/

So, I have a question re: the htaccess tweak to block spam registrations. If I type http://mybuddypressite.com/wp-signup into my browser, I should get automatically redirected to my GOAWAY page, right? If that’s not happening, am I doing something wrong?

@TedMann

This is what I’ve added to .htaccess to block bots:

# IF THE UA STARTS WITH THESE
RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]
# STARTS WITH WEB
RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]
# ANYWHERE IN UA — GREEDY REGEX
RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
# ISSUE 403 / SERVE ERRORDOCUMENT
RewriteRule . – [F,L]

To help block spam registrations, add the following to .htaccess, then create a simple GOAWAY type html page and upload to your root directory:

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup.php*
RewriteCond %{HTTP_REFERER} !.yoursitehere.com. [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://yoursitehere.com/yourgoawaypage.html [R=301,L]

Add the following to .htaccess to deny access to wp-config.php to anyone who doesn’t have your ftp details:

order allow,deny
deny from all

Instead of example.com/register or example.com/sign-up, use something like example.com/unb2x-2010 for your register page. If you were a spammer, would that look like an inviting url to hack?

Hope this helps

Read this and see if this fixes your problem:
https://codex.buddypress.org/getting-started/faqs/specific-faqs/#register

I was having 5 or 6 sploggers sign up daily no matter what I did until about 2 weeks ago when I revamped my tactics. Since then, I have had 0 spam signups… not one. Fingers crossed Here’s what I’ve done:

– Removed references to WP/BP in footer text
– Changed the register slug to something unrecognizable that has no bearing whatsoever to the concept of signing up (so even those grossly underpaid 3rd-world human spammers can’t figure it out)
– Installed WPMU Super Captcha to let the nice humans through: https://wordpress.org/extend/plugins/super-capcha/
– Installed WP-Ban to block the not-so-nice ones: https://wordpress.org/extend/plugins/wp-ban/
– Installed Buddypress Humanity as a double-check: https://buddypress.org/community/groups/buddypress-humanity/
– Blocked lists of bad bots in .htaccess as suggested in this post: https://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/buddypress-spam/?topic_page=2&num=15#post-60177
– Added “deny from all” in .htaccess for wp-config.php
– If someone does manage to access the register page through a direct url (without visiting any other page first), they are bumped to a GOAWAY page with the following in .htaccess. .

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup.php*
RewriteCond %{HTTP_REFERER} !.examplesite.com. [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://examplesite.com/goaway.html [R=301,L]

So far, so good. As I mentioned, not a single splogger has managed to get through in about 2 weeks. If they do, there are 2 ingredients in the above recipe that can be adjusted:
– the captcha image is fully customizable to render bot algorithms redundant (hopefully)
– the register slug can be changed as often as you change socks

On a final note, there are also some interesting tweaks to be found here: http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/

I’m using a custom child theme, so the footer copy has been changed. At the risk of inviting more spam, here’s my signup page: http://injersey.com/join-injersey
I’ve got si-captcha, Humanity, alternate slug, htaccess tweak, and 2 required profile fields. At this point it’s just getting kind of absurd. There must be some kind of backdoor that’s letting them in. Like Matt ( @footybible ), every single one of these spam signups is registering for a sub-blog. Unlike Matt, I offer the ability to register for a town via the Group Registration Options plugin ( https://buddypress.org/community/groups/bp-registration-options/ ) developed by @Messenlehner. Worked pretty well until 2 weeks ago, when we started getting slammed every day at about 2am with spam signups and posts.

@tedmann when I had the rogue bbpress register file and I was getting spammers sign up I could identify them because under ‘users’ they were listed only as users of their subsites rather than my main site – (which I dont believe is possible through legitimate registration?)

However, last night I had another such registration. Granted, its only one, but I dont understand how they can sign up for a sub-blog without being added to the main site. Which makes me also worry there is another ‘backdoor’ somewhere….

Did you allow user registration at least in Site/Super Admin > Options?

The sidebar, by default, allows you to login or create an account:
http://testbp.org

Also, did you enable registration on your BP install?
https://codex.buddypress.org/getting-started/faqs/specific-faqs/#register

I deleted the registration.php file (and have the alternate slug). Still getting slammed with spam signups and posts. Switching to the si-captcha plugin (though I suspect that won’t do anything since the spammers are bypassing the reg form). Any other ideas?

@footybible Yes, good spot by @govpatel

Of course, that file is not going to be BuddyPress aware, so won’t know about BP_REGISTER_SLUG

It’s not really a good choice for the registration / login screen for a BP site. If you are stuck working with that, rather than the standard BP login area, then you will have to hack your wp-login.php as @govpatel suggests