BuddyPress.org

Use wanguard.. It has stopped all spam registrations for me 100%
https://wordpress.org/plugins/wangguard/

I just installed WangGuard today on a new site I’m setting up that’s been getting slammed with several an hour, and it stopped the new faker registrations immediately. Also, I’ve been using Pie Register for a couple years on another site, and that alone has done a great job of keeping most spammer registrations out, so I put it on the new site, too. I didn’t have Akismet or anything on my other site, just Pie Registration and I was pasting a bunch of IP’s and certain words in the Settings > Discussion > Comment Blacklist, and no spam.

Pie Register has the best Captcha I’ve seen in the plugins, but what I really like is you can program random questions that the user has to put the right answer in, and that’s fun. I choose stuff that is relevant to my sites, and amusing. I was really glad it works with BuddyPress!

And I’m not affiliated with either of the above plugins, either, just another site owner who knows what it’s like trying to track down help.

Hi,
as you probably know, spam is a world wide disease and there are no ready to use solutions against it. Only tips at least.

So can you please search and read on this forum before asking for such a remaining question ?

https://buddypress.org/support/search/spam/

@sooskriszta totally agree with you on your 3 (relatively) objective tests – this is why I suggested 2 key features that need to be improved in buddypress *immediately*:

1) spam fighting
2) fragment caching

First, 99.9% of buddypress communities have to deal with spam and it is mission critical (who wants a website overrun with spam? users leave, google rank drops, etc.). How many forum threads are opened again and again about people asking for help dealing with spam? how many different methods need to be cobbled together? it just makes sense to take the best practices and build them into the core.

Second, performance is an issue that is more and more important not only because speed is a do or die issue (there is ample evidence of a direct link between a website’s speed and its success in converting and in pageview counts)

with buddypress, regular caching plugins simply do not work, we need fragment caching, and we need it YESTERDAY!

there is already a tentative step in the right direction with rarst’s fragment cache plugin but this should be developed into a full solution and built into core.

everyone will benefit from improvements in caching and it will make a MASSIVE impact on the overall quality and success of buddypress as a platform

/drops mic

That would resolve your problem. The issue then would be how can you fight the spammers that sign up. The Google captcha would help. There’s also Akismet which is free for personal use and is unobtrusive too.

Up to now – Yes – NinjaFirewall combine with Stop Spammers, Akismet, Captcha and other plugins of your choice as long they work together and do not slowing down your website.

The draw back of NinjaFirewall is that you have to know how to set it properly otherwise Editor/Author will have problem updating.

Other things you can do:

If under attack — You still need to scan and look for continuous IP/username and manually add them to the Stop Spammers AND Report them to Stop Forum Spam/Project Honey Pot

If you do not have time to read/check your Themes line by line install Theme Authenticity Checker
https://wordpress.org/plugins/tac/

@brealtv

Would you mind sharing what you did or what plugins you use to “almost completely stop spam signups”?

you’re more than likely slamming into mail server spam filtering and that’s not the user spam filtering but the actual email server with strict RDNS & SPF checks in place. Generally it’s not understood that you can’t just relay emails from a server from any old domain name, that’s a possible open relay and email servers will block emails that are authorised to be sent via a given server IP, look up RDNS and get it set if it’s not already and then SPF and get that set in your MX records.

btw i just registered on your website without a problem to test it for you and it is indeed going to my spam folder as i mentioned.

also after logging in i also noticed you have wordpress set up as a multisite installation, is there any reason you have done this? are you planning having a multisite setup?

@matthewhout lol matthew dont worry man we was all noobs at some point :), regarding the emails have you checked the spam folder? sometimes wordpress mails go to the spam folders, best thing to do is configure your mail to go through smpt (i guess you also wont be familiar with this either?)

if you want help i may have a little time spare to help you set it up initially, are you on skype? you can add me if you want.

if not set a free skype account up and post me your username and i will add you, i can help you out a little if you want seeing as your struggling setting up the basics.

@robg48 something else you could do is use a honeypot. An example is

http://www.pixeljar.net/2012/09/19/eliminate-buddypress-spam-registrations/

It works by adding a hidden field to your registration form. Users can’t see the field so will never complete it (it will always be blank). Spam bots, however, don’t view the page in the same way as users. They ‘see’ the page source so will always ‘see’ the hidden field and try to complete it.

On registration form submission, if the hidden field is blank then we know it’s a genuine user trying to sign up. If the field is completed then we know it’s a spam bot and we can halt the registration. Hence, the name honeypot.

@robg48 just a thought – try changing the name of your registration page. Spam bots automatically look for pages such as /register/ so maybe use /sign-me-up/

@xxxtristamxxx
They would have to have activated and logged into the account for them to see BP content using my plugin so no, just registering would not unblock the BP content. There is really no way of differentiating who is a spammer and who is not once they are logged in so it would be up to you to moderate. Good luck!

@iameverywhere

I have thought about this a lot as well. BuddyPress spam is SO obvious for a human to figure out. You can detect spammers with almost perfect accuracy in just a few seconds. They all do the same thing. They create an account, then post garbage links. If you have Groups enabled, they create groups full of links in the description. I don’t know of a plugin that will do this, but the best way to block BP spam I think would be to put users in moderation if they post links to groups or activity, just like the setting we have for blog post comments.

https://buddypress.org/support/search/spam/
https://codex.wordpress.org/Hardening_WordPress

Awesome, I didn’t know about NinjaFirewall until now.

Change your “Admin” username to something dificult

Yes, this is very important. Not to stop spammers as much as to stop your site from getting hacked. Brute force hacking is infinitely harder if they have to guess the username AND password correctly at the SAME time. Just about impossible. If they know the username is “admin” they only have to guess the password, which is actually possible if they hammer your site all day.

Not sure why it’s not working.

For alternative spam plugins/solutions, there’s another more active thread going on here:
https://buddypress.org/support/topic/stop-buddypress-spam/

Two more methods that help. I recently had a crazy spam attack – probably 300 fake signups per day. I implemented these two methods and it dropped to near 0.

1. Change the /register/ slug to something unique. An example would be /create-your-account/, or something of that nature. It just needs to be unique and also make sense in a URL for your user. Spammers targeting BuddyPress look for /register/ as the signup page. It’s all automated so you want to filter them out at the first step.

2. Add this to your functions.php file in your theme or child theme.

It presents a dummy field that humans don’t see. Spambots will fill it out, and if the field captures a value it will reject the signup.

// BuddyPress Honeypot
function add_honeypot() {
    echo '';
}
add_action('bp_after_signup_profile_fields','add_honeypot');
function check_honeypot() {
    if (!empty($_POST['system55'])) {
        global $bp;
        wp_redirect(home_url());
        exit;
    }
}
add_filter('bp_core_validate_user_signup','check_honeypot');

Credits for #2 go to:
http://mattts.net/development-stuff/web-development-stuff/wordpress/buddypress/anti-spam-techniques/registration-honeypot/

I edited it slightly to remove the required redirect. Add that back from his tutorial if you want to. It requires that you make an extra page to send the spammer to, and I personally think that’s not necessary. I actually want them to have no indication their signup failed.

Currently the plugin “good question” is helping me with reducing spam signups more than any other.

I used to rely on si-captcha to help with this, but it started having some issues a few months ago (on my multi-site / BP sites), so that is not in use on my sites any longer.

as buddyboss mentioned above, “bp-registration options” was a good choice for a while, it worked pretty well for me around v 1.5 or 1.6 I think.. but then issues started occurring and it was left without updates for a long time (while the plugin dev was running for an election or something if my memory is serving me today), so axed that one…

Nothing is going to stop the manual spammers, but they are easy to eradicate once you have stopped all the bot signups with one of the QnA type plugins in my humble experience anyhow.

5-10 is OK — When I was handling a job application site every month we received 4000-5000 applicants and and had about 75-200 “bad users” we did have people entering bad email for their job application but it was also sometime the applicant mistype their email AND ending up shooting registration confirmation to the wrong/closed/nonexistent email at Gmail/Yahoo/Hotmail etc (I had to deal with those email providers 1-2 times a year to make sure that my Mail Server is not on the blacklist).

Btw on the Stop Spammers setting add the StopSpamForum API that way it easier for you to check or submit bad user (add Honeypot & Botscout if possible). Also “Check Spam Words” on the setting and add to them if you see a bad username keep popping up with different IPs.