BuddyPress.org

Hi @djsteveb:

Thanks for the awesome feedback! We always want to improve the plugin. If you could contact us via our support form, it would allow us to look into that. With a little modification on our end we should be able to auto-detect, and make it so no one has to tweak any settings.

– Scott

ip geo block plugin best dam thing ever.

shield firewall plugin just to disable xmlrpc or a disable xmlrpc plugin

“good question” (https://wordpress.org/plugins/good-question/) or similar – adds a question that must be answered to finish registering

wp spmashield

limit login attempts

sucuri hardening

audit log and multisite register ips (for the manual dedicated spammers)

this mix seems to make like tough for them – especially the ip geo block stopping several countries from abusing the site..

ymmv
dj Steve

ps

@redsand – good to see you active in bp threads! your plugin is a miracle, especially since akismet changed – one on bp site I did have to fiddle with the settings for forms or something recently – vaguely remember users having trouble sending pms were getting the you cant do that permissions thing until I messed with it a bet.. just like 2 weeks ago.

WP-SpamShield will take care of all of that for you. 🙂

Full disclosure: I’m the developer.

There are some plugins, do a google search.

you can also use this code but you will get spam if they can get in without email conformation.

add_filter( 'bp_registration_needs_activation', '__return_false' );

I’m a bit uncertain about allowing users to change their Usernames, it means they lose connections with the past in so much as the activity table is static so the name does not change on past activity items and this throws some errors, also I think it may make the admin anti spam task harder, users posting stuff then changing their login name.

I suggest an anti spam plugin, the one im using is cleantalk

Hi @Tranny,

Trust me, I completely hear you. You’re right. Ideally anti-spam controls like that should be built-in.

Those are great suggestions. We’ll take a hard look at possibly including those features in future versions of WP-SpamShield as well. One thing you’ll find by using a plugin like WP-SpamShield is that it will block 100% of bots, and it will prevent most human spammers from even registering (which keeps them from even getting to a place where they can spam other users), and it will make it difficult for them to post their spammy messages.

Let us know if we can help in any way.

– Scott

Hey @danbp

I just thought I’d jump in here real quick, as I think this will be beneficial to everyone in the thread including @Tranny.

And even if you would be a genius coder creator of an extra super original spam shield, you could be sure to became target #1 of all spammers, because in this case, you would represent the absolute challenger of all code breakers !

We are that “genius coder creator of an extra super original spam shield” that you speak of. 🙂

There is no miraculous plugin or trick to stop them.

Ahh, but there is.

It’s real, and it’s even called WP-SpamShield. LOL…you can’t make this stuff up. 🙂

Check it out on WPorg. It’s been out for about two and a half years, and is forked from another plugin we developed almost a decade ago. It works perfectly and automatically on BuddyPress, bbPress, and pretty much everything else. You can also feel free to check out the plugin documentation here.

…And for the record, we definitely are a huge target of spammers. 🙂

dealing with spammers is a long run work, to not say a never ending work.

True story!

– Scott

@tranny,

dealing with spammers is a long run work, to not say a never ending work. There is no miraculous plugin or trick to stop them.
And even if you would be a genius coder creator of an extra super original spam shield, you could be sure to became target #1 of all spammers, because in this case, you would represent the absolute challenger of all code breakers !

Back to real life.

Most of updates spam comes directly into the DB. Bots are clever and don’t need to login to do that.
Some spammers are real people, and once they are logged, they do their stuff manually. These people can be isolated, but to do this, you have to find them in the user list. Which is absolutely not easy and time comsumting. And of course, this is not prevention but intervention, after you where spammed.

You could also track IP‘s, but again, this can be helpfull only AFTER you where spammed. But getting ip’s on admin user list is a great way to gain time. Once you have the IP, you can consult many anti spam sites who store any bot and user known to be attackers. And eventually ban them with this plugin.

For now, first thing to do is to clean your user list. Whatever suspect username, like a589xdf or special to BP, Bill UNERHOOD, can be eliminated. The first example use alpha-numeric digits, the second a very well formed first and last name. It’s extremely rare that normal users enter such credentials. In addition to this, you can check their email. Why would you, for example, have members with a polish email (@blogmedykamenty.pl) if you’re in New Zeeland and your site relates about pets ? In this case, you can raisonably doubt about an interest between medicaments and pets ! You can fire such user.

All this may be good and well, but you have also to hardening WP. This means using another table prefix as wp_ at very first. And second, to not use “admin” as user name. Never !
Read also @venutius tutorial

You have to clean out the existing spammers, unfortunately manually. And to avoid upcoming spam.

To calm down the bots – in case you receive dozen of spam daily, close all comments and deactivate notices and messages component in bp settings for 2 or 3 weeks.

Also, in case you’re on a dedicated server, you really need to enforce his security. But this is out of the scope of this forum.

Spam is a serious subject, not a taboo. WordPress codex talks about. Why shouldn’t BP do the same, specially because it can drain spam which need special attention ?

If you read Hardening WordPress, you will find a lot of references to third party plugin. I don’t believe there is an issue, if you mention wordpress plugins available on the plugin repo. Even premium plugins can be mentionned i think, as long as you specify they are premium.

Ok I’ve written something up, hope you like it

http://buddyuser.com/hardening-buddypress-against-spammers

I could try writing a simple guide tonight if you like, might take me some time though depending on what else comes up.

One thing I can say is that before I put in these measures I was getting at least 50 spam registrations a day, I now get 1 a week and this is a human who is trying to register with the site purely to spam, to find these out you have to ask then where they live, they always lie but the IP address does not, so that’s one way of vetting spammers before you allow them onto your site.

Of course with these measures there is always the chance that you are turning down genuine member requests…. It’s a balance.

This page has my own suggestions to try to avoid spammers, this combo dramatically cut down on the number of spam registrations and those that get through I hold them in a queue with BP Registration options a ban then based on discrepencies in their registration information.

http://buddyuser.com/setting-up-wordpress-ready-for-buddypress

Once registered you have no other choice as to remove them manually.
To retain spammers, there many plugins and methods. Afaik none is the perfect solution and in many situation, you’ll need to use a mixed protection.

There many topics on the forum about spam… Search them and make your opinion.
That said, you might follow some basics to harden WordPress, which is a good debut (table renaming, ban “admin” as username, etc). After that, a bunch of anti-spam plugins will calm down their activity on the site. (ban-hammer, buddypress honeypot, etc) Also keep in mind that you won’t probably never avoid spammers. But there is a big difference between 2 spam/day and 1000/per day. 😉

Better to prevent spam users to register at all. There are a lot of plugins, that help with it.
I use WP-SpamShield successfully on a BuddyPress site.

Hi @julia_b

I chose not to add an @ all command because it would be easy for a user to spam people.

@ friends is supported though. Hope that helps!

What is the error you are getting?

The user should get an email with and activation link

By the way, this activation email sometimes ends up in the Spam bin on the users email, one fix to this is to set the outgoing email address used for this email using a plugin such as https://wordpress.org/plugins/cb-change-mail-sender/

Hi,

See first here and check this very old snippet (3 years). Untested.

Isn’t possible at the moment.

My site is getting heavily brigaded by spammers
Sorry for you, but adding moderation to status wouldn’t avoid spammers signicantly.
Have you installed WP by following some basic security recommandation ?
Do you use some anti spam plugins ?
How many members do you have and to what do you estimate the amount of spammers in regard of them ?
Have you inactive users in the list ?
Are you on a MS or single install ?

Maybe you could also blacklist some words from updates publication.

Hi @dnicu26

I can’t immediately see why that should be stopping the emails. Can you remove the snippet and test again, see if the emails resume sending?

Are you talking about the plain text email that you get from WordPress that says something like a “new user registered on your site”? I assume this has always worked in the past — how many such emails have you received? 10s? 100s?

Can you also please check your spam folders in your email?

Finally, are you using Multisite or regular WordPress?