You must identify the spam blogs and remove them. Once a spammer has admin access they can add new users to that blog. Those users can then create new blogs.
It really is Crazy!!! Where and how do they get in, that they can Register like that? Every couple of minutes One signup…. HELP! Nothing seems to stop them… I Even disabled any registration and they keep on signing up – really Strange to me!
Thanks for another hint
No, actually I was talking about http://www.prisma-online.org – but same thing with the slug. I just guess it’s not that, because if they would come in normally, they would have to put something in the additional field, wouldn’t they? (at least, that’s what they always did before I stopped them the first time…
I now added again the .htaccess rules you described (didn’t change there the changed registration-slug…)
Does that look right (sorry – on that level I have no idea anymore 
):
# BEGIN ANTISPAMBLOG REGISTRATION
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .registrieren*
RewriteCond %{HTTP_REFERER} !.*prisma-online.org.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]
# END ANTISPAMBLOG REGISTRATION
The limitation of WP-Ban is that it’s not working at .htaccess level, so it only really does it’s thing if a spammer is polite enough to access your site normally. You might want to look at something like a plugin that’s going to ban IPs and referrers at the .htaccess level.
Also, had a quick look at your site – I presume you’re talking about http://young-people.ch ? I notice your register page is still /register (albeit translated) – have you tried changing this to something else? There’s eevery chance that the mere translation of the standard ‘register’ slug won’t slow the spammers down.
thanks mlovelock – this sounds good. All of this has worked with me before.
BUT now,
even that I have blocked with WP-Ban *.info – the spammers with that email get through
even that I have additional required field (lots of) – the spammers can register just with a name (nothing else)
even that I have changed, deleted (whatever) wp-signup.php – spammers can register
MY QUESTION IS: Where do they get in??? Did I overlook a loophole???
Please – any further help would be much appreciated!!!
I’ve no doubt they’ll return, but I haven’t had a spam signup for a fair while. The odd one creeps in, but you can’t stop a determined ‘real’ person. But I haven’t been subject to the continuous signups I used to get when I first started my site.
The steps I’ve taken are:
Rename (not remove) wp-signup.php
Use custom bp-register slug
Removed “powered by” type text in the footer and other obviously WP / BP phrases
Installed NoSpamNX
Installed WP-BAN
Installed SI Captcha
Employed the .htaccess rules explained here: http://wpmututorials.com/how-to/spam-blogs-and-buddypress/
Nothing’s perfect against spam, but certainly for me, these things have helped.
Update: Even with an “empty” wp-signup.php they are still registering… really strange! Where could they come in, for they don’t need to fill out any required addition fields…?!?! Any ideas????
Sorry to pick that up… I thought I won with the spammers for I did what stwc wrote in his article (by the way – the site there is down 
)
But yesterday until now I got about 100 spam-registrations. I did not delete wp-signup.php anymore, because the “reigster” in the admin-bar anywhere else but on the root-blog needs that file… So I thought it’s not a good idea.
BUT now, the spammers registered with just the name. Although I have alot of additional, required field… How is that possible? I guess, they didn’t come in through the bp-register. Maybe the wp-signup.php directly?
I have forums disabled altogether and as far as I know this issue with registering through bb-press should not be an issue anymore.
Would appreciate if someone could give me a further tipp what to do or where they could come from.
PS: @andy (or the developers): Why is it, that on subblogs the admin-bar “register” doesn’t point to the register-slug but is somehow a redirect from wp-signup.php (which doesn’t work anymore, when I delete or empty the file…)
There is a new plugin I just found called BuddyPress Rate Forum Posts — https://wordpress.org/extend/plugins/buddypress-rate-forum-posts/. I haven’t tried it yet, but I plan to. It allows thumbs up/down voting on Forum posts and in the process users receive “karma points” for the quality and frequency of their posts. So, in theory, spammers would get bad karma scores from other users, and you could search for users with bad karma and then delete them.
Yes, that makes sense, until there are hundreds of IP addresses to try to ban. Also, WP isn’t logging the IP addresses, though I suppose I could install a plugin to do that.
Philosophically, it goes back to the debate over sending new users a confirmation email or not. I’m in the yes camp, because many forum spambots will sign up for memberships with a bogus email address, so if they have to confirm via email, their memberships will never get confirmed. But I suppose there’s a performance trade-off to sending out a high percentage of emails that end up bouncing.
Ideally I can figure out a set of methods to stop most spam registrations from happening in the first place, greatly reducing the amount of user editing I would otherwise have to do after the fact.
I was looking through the site and haven’t found anything matching what I want.
Basically for a members inbox I want to have an additional button like the “x” for delete but I want to have a button that is “Mark as abuse” then when a member clicks this it would flag it for admin to block the accused member and IP.
This buttom I would also like inside “groups, forums” so it would be similar to the “like this” plugin for buddypress but instead its a mark as abuse so that the admin can regulate and take control of the site to ensure members aren’t hammered with spammy or abusive private messages.
Another option I would like is to only let users who have posted 4 times to have access to private messaging.
And an option to insert Urls into post/comments/text fields around the buddypress content. I’m not a programmer at all so I can’t figure out how to do any of this to save my soul.
“Many spammer IP addresses resolve to the country of Afghanistan. “
Ban their IPs at the server level. Less work for you, less processing for the system.
Just a little WARNING:
Do NOT use
“External Group Blogs” together with
“Group activity stream subscription”
They don’t like each other.
Your users will be spammed with dozens of Emails a couple times a day.
I think this is why the notifications plugin just picks up everything and the “external groups” fetches articles a couple times. Averytime stuff gets fetched, notifications for all the items (not just the new ones) gets sended out. So far my guess.
I wrote the plugin-creators about it. hopefully they find a solution.
BUT the plugins for themselves are GREAT!!! THX!
check out:
https://buddypress.org/forums/topic/removing-blog-posts-form-the-swa-widget#post-36775
but instead of component == ‘blogs’ change it to type == ‘new_member’
then change your theme activity/index.php to remove the select option ‘show new members’
I would also like to see this filter turned off if logged in as admin, so we could administer the the spammers better –
using the above example – add before the loop
if ( is_site_admin() )
return $activities;
“I still wonder why they are attacking buddypress”
Backlinks, that’s it.
“I am starting to realise that no matter what BP devs do the spammers always try new things “
and this is open source. the code is OPEN. That means whatever is put in to stop spam, the code is viewable by spammers who just rewrite their programs to get around it.
“the fight against spam is in our hands the users, it will also help us learn more about being better webmasters”
Yes! 
If you are setting up a site to host other people’s information, then you have a responsibility as a webmaster to maintain your site.
“would it not be possible to have certain customizable elements which each and every installation of WPMU/BP had to create whilst doing an install, e.g. the name of the pages and hooks that the sploggers exploit?”
They look for the default registration slug. You already have the ability to change it.
Again to the two guys being relentlessly spammed: post the domain names that you are having problems with and I will try to find out what’s going on.
^F^
zageek and Bbrian017 – what are the URLs of the websites that are getting spammed? I will take a look at them for you.
^F^
What recommendations are there for a captcha or a custom field creation that fits into the BP 1.2 registration process?
I have tried a few plugins but they don’t work in BP 1.2 and dont appear in the registration.
Yes, logging on and custom profiles etc are OK … but this open door approach DOES pass on a lot of janitorial work to site admins
It seems strange that there is no default to offer some basic kind of obstacle to registration in the blog registration process … it is like building a house with wide open doors.
Buddypress only adds layers on top of WPMU liabilities what with the attraction of Activity Directory and so on. It looks embarrassing to have it all advertised their by default.
Er, bump…
On a followup, I can mark the user as a spammer, which at least stops them showing up in the members directory.
Just a question, perhaps this should be on dev, but would it not be possible to have certain customizable elements which each and every installation of WPMU/BP had to create whilst doing an install, e.g. the name of the pages and hooks that the sploggers exploit?
Yes, they know which pages and what code to look for … but if this was having to be changed during each and every installation, would it not work to stop them?
Excuse my ignorance, we suffer sploggers but I have no idea what it is they are exploiting.
Thanks Andrea I didnt even realise that other users could add new users, because I was also wondering how they were spamming me even after I disabled registrations.
I feel kind of sorry for the spammers, because if we all put our heads together they won’t have anymore sites left to spam. I still wonder why they are attacking buddypress, is it to drive users to other platforms? Enemys of Buddypress?
So far I have built a list of domains, most of them are .info or .co.cc in otherwords free domains and of course some .com domains. They get clever and get a user to sign up with gmail every now and then to trick me. So i just ban the Gmail users and send them an email from my personal account asking them who they are if they look legitamate. Luckily for me I am in South Africa and its easy to spot non South African “culture” in terms of the types of names and usernames of members.
I have also checked where the IP addresses come from and most are coming from the United States ( do they use proxy servers and could the be from elsewhere in the world) Some IP addresses are also from Sweden.
Btw, I was also angry and blamed the devs for this problem but the more I devote time to looking at the more I am starting to realise that no matter what BP devs do the spammers always try new things and if the devs had to devote lots of time to fighting spam all the time they would never have a chance to improve buddypress and sort out bugs that come along. And if they didnt sort out the issues we would be even more upset.
So I think the fight against spam is in our hands the users, it will also help us learn more about being better webmasters. Its also the least we could do to help give back something in exchange for a product that we are getting for free and that could quite easily be charged for. We need to stop expecting things for free and in our laps and learn to be greatful for what the developers of open source software are putting in and giving away for free.
@Bbrian017 I feel for you, ma. I am scratching my head. On my prod site, in over 18 months (since pre-BP alpah no less) I have had maybe 9 or 10 spam accounts. While I have a bit more of an involved signup process (just a bunch of addl required fields) I don’t have anything else. Blog creation IS disabled, so maybe that help? Not sure.
Ieven had sCaptcha going for awhile btu took it down as folks had so much trouble reading the stupid characters.
Still thinking of what’s up in your case. Hang in there.
Did you try deleting wp-signup.php?
And have you made sure that all spam users have been ‘spammed’ so they cannot just simply add/open new spam users/blogs?
