Some people have suggested installing WP Hashcash to block signups, though I haven’t tried it myself.
But you’re saying that someone signed up on your BP install with the Facebook Connect plugin?
So it sounds like a problem with the FB plugin… not sure though.
Sounds like DJPaul suspects the same thing!
FB-Connect isn’t my favourite bit of software in the world as I spent some time checking out the code once, so there may be a hole there. </randomguess> Certainly my money is on a plugin.
Have a look at the record in wp-signups or wp-users; any clues or differences vs a user who registered properly? Any clues?
3635122Inactive
Hi everyone
Ok, here we go again. I have WPMU v2.8.2 and BP 1.0.3 installed. Also, the latest version of BBPress, FB-Connect, reCaptcha and Askimet.
About a week ago, despite having ALL registrations/posts/comments completely disabled, a person/bot was able to sneak through and register for an account.
I posted back here and asked what I should do about this and was advised to install reCaptcha (which I did).
Now this morning I went to my BP site and see that once again someone has registered for an account and not only that but they have also used my FaceBook name as their sign-up name but when I click on their icon, instead of taking me to their BP profile, it just refreshes the page. A further look shows that they used a FaceBook URL but used several trailing slashes in the address and no email address was provided.
At first I thought that perhaps this account had been automatically created when I logged into FaceBook under my FB developer account so I tried to recreate this but no dice.
It looks like once again, someone has gotten through. I have no idea what their game/gig/motive was in creating an FB account using my name or how they even got in. I know it wasn’t a family member or friend playing a joke on me either (as has been suggested).
Any ideas?.
Thanks, Steve
Totally clear. Thank you so much!
When you are installing Buddypress, the only plugin you want in your /plugins folder is buddypress itself. Nothing in /mu-plugins either. Your plugins which run on buddypress are causing this error.
I have a few plug-ins running, but without the admin back end working, I can’t deactivate them. Can I place them in a separate folder temporarily without causing even more havoc? i.e. welcome pack, monty spam, wp ban, limited log in attempts, askimet, etc.
Hey Jfcarter,
Sorry for not being clear there.
If you’re using the default BP member theme, I replaced instances of bp_send_message_button with the newly, created bp_send_message_to_friend_button in these files:
* /bp-themes/bpmember/activity/just-me.php
* /bp-themes/bpmember/wire/latest.php
* /bp-themes/bpmember/profile/index.php
Keep in mind that if you’re using a different BP member theme, that those template links might be different.
Hope that was clear enough!
@r-a-y,
Thanks for this information. It was a manual signup.
I like what you’ve suggested and plan to use the code in my bp-custom file.
But what did you mean by this: “Then I edited the template files mentioned above with the new function call – bp_send_message_to_friend_button().”?
What exactly did you add to the templates, and which templates were you referring to?
Much, much appreciated.
Thx
I liked this idea, so I implemented it on my BP install.
I decided to do step #2.
Here’s what I added to my /wp-content/plugins/bp-custom.php:
function bp_send_message_to_friend_button() {
global $bp;
if ( bp_is_home() || !is_user_logged_in() || !friends_check_friendship($bp->loggedin_user->id,$bp->displayed_user->id) )
return false;
$ud = get_userdata( $bp->displayed_user->id );
?>
<div class="generic-button">
<a class="send-message" title="<?php _e( 'Send Message', 'buddypress' ) ?>" href="<?php echo $bp->loggedin_user->domain . $bp->messages->slug ?>/compose/?r=<?php echo $ud->user_login ?>"><?php _e( 'Send Message', 'buddypress' ) ?></a>
</div>
<?php
}
Then I edited the template files mentioned above with the new function call – bp_send_message_to_friend_button().
Now, the “Send Message” button only shows up if you are a friend of said user.
I’ve added a trac ticket about this issue as an enhancement, so maybe the above change will be built into the bp_send_message_button() function in the next BP release instead of having to add your own function.
—
There’s still the autocomplete feature in the “My Messages > Compose” area, as well as the wire and group wire to worry about though… one step at a time!
Is this a bot or a manual signup who manually sends messages to the users?
Anyway, the way I see it, there are two ways to combat this problem in the interim:
1) do a check to see if the logged-in user is a friend of that user, if so run the bp_send_message_button() function
2) code own function based on bp_send_message_button() and do the check within this function
Either option will require modifying the Buddypress member theme template in three places:
* /bp-themes/bpmember/activity/just-me.php
* /bp-themes/bpmember/wire/latest.php
* /bp-themes/bpmember/profile/index.php
(I’m using the default BP member theme as an example)
This is only for the “Send message” button though… how did the person spam your users?
I’m trying to figure out ways to stop spam email. I just had a spammer setup an account on my BP network, leave it dormant for a day and then sent a bunch of emails to all of our members except the admin.
This problem will be solved when people can only send messages to friends, but until then, does anyone have any plugins or solutions I could use to “stop the spammers.”
Grrrrrrrrrr. Very frustrating.
John – thanks for the reply!! 
I’ll check with my host about the memory… that’s something new to me… hmm.
All the files are in the correct locations, triple and quadruple checked. Buddypress 1.0.2 was working fine, it’s the upgrade to 1.0.3 that caused this. It was never activated, got a fatal error on activation so I clicked deactivate and then POOF. It said that it could not activate the plug-in when i clicked activate. But, white screen of death before I could try to delete it or do anything. It really didn’t like that update.
I have a few plug-ins running, but without the admin back end working, I can’t deactivate them. Can I place them in a separate folder temporarily without causing even more havoc? i.e. welcome pack, monty spam, wp ban, limited log in attempts, askimet, etc.
Just really want to get my blogs back in action. Don’t want people hating on me for losing all their data… although data is all still there, it’s just invisible. bizarre indeed!
Thanks so much for responding. really appreciate it.
Per Jack Bauer, oops, meant Sam Bauers.
Today we’ve released two versions of bbPress.
* bbPress 1.0.2 addresses a number of issues which have come up since the 1.0.1 release, including a problem where the voices count could get out of sync.
* bbPress 0.9.0.6 is the first “legacy†release of the bbPress 0.9 branch, which will be maintained for security until late 2010.
Both releases fix a long standing bug which was affecting the way spam was being reported via the Akismet plugin. These releases are recommended for all users of both bbPress branches.
Download either (or both!) from the download page now.
Since upgrading to Bp 1.0.x on the site http://betsocial.net you’ll notice that the home, members, groups, etc buttons do not work as they ought to and are not picking up the correct data.
on another site http://gibcosta.com using RC1 this seems to work fine – both are set up in pretty much the same way on a vps with subdomain WPMU in the root and Buddypress in a directory
Please can anyone tell me where I’ve gone wrong here with the upgrade and why this no longer seems to work properly on http://betsocial.net.
Many thanks!
And I know I’ve got masses of signup spam on there, I’m dealing with it!
3635122Inactive
The FB-Connect issue was successfully addressed by removing the $DIM variable from fbconnect.php. However, this no longer seems to be effective and the error message I’m receiving seems to be complaining that out of 5 variables in fbc_get_avatar(), one is missing ie;
Missing argument 5 for fbc_get_avatar()
There are 5 variables here and I’ve removed one. However, even if I replace it so that there are now “5”, I still get the same error.
– Steve
Nope, Im afraid there´s not a newer version.
1.1 was coded by Andy himself, and there are no signs that it is going to be updated. He has made clear many times that its up to Buddypress community to continue with the update of Facebook connect plugin.
If I had coding skills, I would have updated it a long time ago, but I am still busy understanding how BP works ! ;-(
3635122Inactive
Hey, thanks for all the great help!.
I’ve installed reCaptcha and it works good. Won’t reCaptcha interfere with Askimet though since they are both anti-spam plugins (just wondering)?.
I couldn’t find any place in the latest version of BBPress to disable new registrations. Where would I go to find this option?.
I’m still stumped on the FB-Connect error. I’m currently using version 1.1. Is there a newer version (or an easy-to-install patch available?.
Again, thanks so much, Steve
If you have disabled registration on your WordPress MU installation, and users are still signing up, you may have forgotten that if you are running group forums you have a bbPress installation that synchronizes users with the WordPress MU installation. Disable registration in bbPress and you should be good to go.
the fbc_get_avatar() error is from the facebook connect… it’s been addressed somewhere else in the forums. ..it’s been fixed. The spam.. the user “LnddMiles” is not just on buddypress sites, so it’s a spambot that looks for open registrations.
You should add a captcha or math problem to your registration page to divert these.
3635122Inactive
Hi everyone
I’ve had WordPressMU/BuddyPress installed for several months now. Recently I upgraded to WordPressMU v2.8.2 and BuddyPress v1.0.3. I’ve always had registrations disabled and recently I installed the latest version of Askimet.
Everything has been installed by-the-book and everything has worked perfectly until this morning when I awoke to see that someone had registered with the user name “LnddMiles” – despite registrations being disabled and having Askimet installed.
A Google search quickly showed that this same user has registered on thousands of other BuddyPress sites.
Additionally, I am now getting the following error each time I access my admin center…
Warning: Missing argument 5 for fbc_get_avatar() in /home/azonez/public_html/wp-content/plugins/bp-fbconnect/includes/wp-facebookconnect/fbconnect.php on line 529
What does this mean and what can I do about this?.
Thanks for any help and have a great day!.
– Steve
It’s important to note that BuddyPress is an opensource project, just like all of the other WordPress related ones. That being said, if you find something isn’t working up to your expectations you are free to develop or contribute to the project to make it work how you wish. As it stands today, BuddyPress does a good job of keeping tidy and cleaning up after itself; better than most plugins in my opinion. The signups table is specific to MU and is a new addition, so you can expect it’s functionality to be misunderstood. When a user is deleted, the idea is that their signup remain in the signups table as proof of their previous registration. One could even argue that removing all user data is a bad idea in the event someone ever needs it later, say for law enforcement purposes.
Regarding blocking spam registrations, read some articles about Twitter. Some analysts have said that nearly 50% of all registrations on Twitter are spammers. Crazy eh? There just isn’t a fool proof way to prevent it from happening unfortunately.
Also, while none of the moderators are directly employed by Automattic, it’s about the best internship I think anyone in our respective businesses can hope for. We all do our best to represent Automattic and are here to help to the best of our abilities.
If you can find a specific bug or flaw in how users are currently managed between BuddyPress and WordPress, you’re welcome to respond here or file ticket in the trac. If you feel your opinion warrants more attention you can message me privately if you’d like also, and I’d be happy to help further.
I really do appreciate all the work you do. I’m just really frustrated with the lack of synchronization and consistency between Buddypress xprofile and WordPress users/usermeta etc. Automattic needs to take a serious look at member management.
FYI, here’s the response from the WPMU forum:
Because if a spammer signs up, for instance, and you delete their username and blogs, if their registration member is also deleted, then they can sign up again.
I’m not satisfied with that answer. There must be cleaner ways to block/blacklist spammers.
Isn’t there a plugin that deletes users more thoroughly?
Spam signups != comment spam.
Isn’t Akismet keeping the SPAM away?
No I turned of caching. For instance, I just deleted a bunch of spam registrants. The last spam registrant with a blog, their theme is taking over my home page. I don’t have any posts in my root blog.
Instead of looking at banning users, I would be more concerned with preventing spam signups.
That way you won’t have to think about banning people (at least not often!)
