BuddyPress.org

The account is blocked and marked as spam, uses this https://codex.wordpress.org/Function_Reference/update_user_status

never use “register” as url for sign up page. Spammers look for this. Go into permalink settings and change to something else sand save. URL redirects not right

It is not Buddypress that is causing the error, but reflecting that a comment has been submitted that should be moderated because it looks like spam.

If you want all the links to go thru, go to the Dashboard/Settings/Discussion/Comment Moderation
and change the number of links it allows to 0. (Or maybe just up it to what you are comfortable with.)

You should of searched the forum for many answers to this already posted.

There are a lot of options and solutions with this… for me, I use the plugin “buddypress humanity” on one of my sites, and a different / similar plugin “good question” on another site.

Change the default questions and answers… this stops most of the auto-bot spammers.. a few manual people may get through, but it cut does spam signups on my site by 99%.

One of my sites I disable “group creation” for all users, as that seems to be a target for many of them.

I also use another plugin with my bp+wp / multi-site … which sets “blog defaults” so that any user who creates a new blog has settings automatically enabled that “block this site from search engine indexing” – if someone signs up and creates a site and adds original content, I will go in an manually change that setting.. most people who “create a site (blog on multi-site) – don’t use them, or are spammers – so I don’t need them sucking away page rank juice or clogging up the activity stream with BS.

random thoughts from another BP user…

Shouldn’t a User promoted to Group Moderator be able to moderate content in that Group, regardless of their WP Role and capabilities?

Sounds logic, but No. See documentation in bp-core/bp-core-caps.php for the “why”. 😉

Since BP 1.6, group moderators can only delete, move, spam group forum content.

External reference.

hi @dani-girl,

intersting question, but thought you’re wrong about Directive 95/46/CE. You have a too strict opinion ! If it would be real, nobody in Europe couldn’t use WordPress and probably also many other CMS’s.
Which is the EU country you are off ?

An e-mail is a personnal data and the directive applies. But…

WordPress need it (username, email and password) to work on registering. That is a legitimate and technical reason, which is allowed.

You don’t collect it illegaly, or by roundabout and the user has access to it any time. Emails never appear publicly on WP and are used for internal purpose only.

Opt-in is mandatory since 2002 in Europe. This means you have to prevent/ask the user before he sign in.
If you clearly write and expose publicly (and easy to access) your policy, explain why you ask the mail, that you freely remove any user data on demand for example, you can ask for an email. This is also valuable for cookies. You should inform the user that you use them… Resaling and forwarding emails for commercial purpose is of course forbidden, but only IF your site has no direct reason to do that. (e-commerce is not a direct reason 😉 )

On the other side, as site owner, you can’t use your members email for advertisement or any other mailing action without their agreement. Or you will be considered as spammer. Which is also illegal in EU.

http://www.cnil.fr/english/data-protection/official-texts/

A similar topic : https://buddypress.org/support/topic/removing-thousands-of-spam-users/

https://buddypress.org/support/topic/here-come-the-spammers/

10 Proven Ways To Stop BuddyPress Spam

Wide subject and several answered on this forum.

Askimet covers comment spam and doesn’t avoid clever spam bots to hit directly the DB.

Basic recommandation is to use table prefix different of the classic wp_. This calms down most bots.

A closed door is always a challenge for any spammer. WP is not fort Knox and depending your host, what YOU did and many other security details, this has no end in fact. If your site is Facebook, you’ll probably receive more spam than if it would be mykittycat homepage. Glory has a price ! 😉

Some htaccess rules against reputated spam server and one or to plugins aside what exist natively in WP should be enough to protect you a little from massive spam.

For example: buddypress honeypot + ban hammer for BP

or more simple and rought
http://mattts.net/development-stuff/web-development-stuff/wordpress/buddypress/anti-spam-techniques/registration-honeypot/

… + searching this forum, maybe you can find more tips. 😉

@shaquana_folks

allowing users to upload to your server some documents is a very bad idea while the registration process.

When a user register, you don’t know if he’s a human or a spam bot.
That’s why a newly register user is only pending and why he has to return an activation key before it is considered as a site member.
Or the site admin can ban him during the pending time, for some reason.
As long as you don’t be sure, a minima, of your new member, don’t allow him anything except viewing the site.

You’re talking about pdf, doc and docx, but on the register page nothing appears about what type of file they have to upload (as it is required) and for what !

Here you’ll be able to upload images. Try it out now! is a bit vague. And i don’t think that BuddyDrive is intended to be on the register page.

BuddyDrive is a per member based plugin and can be used on a profile or in a group. As long as a member is pending, meaning doesn’t really exist, it cannot work.

Seems to be spammers, but IMHO, there is another problem if you receive 2 mails for each new user.

Disallow user registration on live site and do some test on a local install before reoppening registry.

Change also your DB tables prefix. Don’t use wp_ ! This will calm down most spammers for a little while.

Any ideas on what may have caused this ?

That question was answered here.

It’s the user who did it wrong, so guess there is no technical solution.

The “from” wordpress@mysite.com is a default address which redirect to site admin address (the one you indicate when you setup WP).

This can (and should be) changed, as its a common trick used by spammers. Read here how to do this.

@danbp True indeed, but with my previous setup with BuddyPress 1.9.2 I was able to control the spam registrations since they were never activated (I used BuddyPress Pending Activations to manually activate new users) and therefore they could never log in. They were not seen in the activity stream either.

This is my setup: https://buddypress.org/support/topic/create-private-membership-site-with-buddypress/

I’ve now upgraded s2Member which had no effect, and also deactivated the BuddyPress Automatic Friends plugin which didn’t have any effect either. The new user shows up as pending in the Users screen for about 1 minute after registration, but is then automatically activated.

Spam is an endless plague… and there is no radical solution, but only a set of combination for minimizing it, or at least to slow down that phenomenon..

For example, changing the default wp_ table prefix is a good practice which i would recommand to any site owner touched (or not yet) by spammers.

Even if you already use another prefix, but spammers found your site, you have to modify it again. Sounds a bit stupid, but the gain will be effective for a while.

Other tips are avaible on WP Codex.

In some case, you would prefer to use a plugin. See BuddyPress Registration Option.

But in any case, you have to found your own combination.

Hi!

I recently upgraded my site with a new theme (BuddyBoss Boss. theme) and am running WP 4.1.1 and upgraded from BuddyPress 1.9.2 to 2.2.1.

I have a setup where I redirect the activation e-mail to the site admin to be able to manually control new members and verify their information before activating them and letting them log in. This is a cruical function for my site since it’s a private network.

After the upgrade I noticed that some spam users were automatically activated and able to log in without my manual activation. The users are automatically activated, the same issue as @RussAdams is experiencing. I’ve tried deactivating a few plugins (BuddyPress Pending Activations, BuddyPress Auto Group Join) but this issue persists. In BuddyPress 1.9.2, everything was working as expected.

Browser sessions doesn’t seem to be the issue since clearly people on other computers have been able to create accounts which were automatically activated as well.

This is a very serious issue for my site since I no longer have the control over new users and spam users can log in after activating. Did you get this sorted out?

I created a page for each component in this plug-in and I don’t know what to do next.

@dleit It depends. You could start adding Member Profile Fields and/or Create Groups and/or install Group and/or Sitewide Forums if you need forums.

btw, spammers have been removed 🙂

I found with one site on one server – any emails sending via php had a weird return header thing from my server that did not get through some of this big three email clients no spam lists..

a plugin similar to https://wordpress.org/plugins/postman-smtp/

may change your wp to send via an smtp account on your server instead of php using a weird default server header.. you may need to create an smtp account for that work.. and even so there are other factors that could limit your email getting through.. (some shared servers are on backlist, some web hosting companies are given minus points, even if your web site is on the up and up)

There are a lot of things that could cause it to fail the ‘real mail’ test at some of these services..

For me, the plugin “good question” fixed 95% of spam regs.. similar to “buddypress humanity”…