BuddyPress.org

How about using the following plugins:

1. Stop Spammers by Keith Graham
2. Captcha by BestWebSoft.

FYI: I have no relation with the plugin creators

NOTE: Just make sure you also have access to the FTP in case you you are locked out from the admin. Since I do not know what other plugins you have on your site — Some plugins are not compatible with others (e.g I used different CAPTCHA plugin and it locked me out). If you are locked out from the admin just use the ftp to DELETE or RENAME THE plugin folders to disable THE “bad plugins”

Although I haven’t used it myself, I’ve read good reviews:

SI CAPTCHA Anti-Spam
https://wordpress.org/plugins/si-captcha-for-wordpress/

Rick, glad that we’re clearing up some confusion. To confirm, yes, messaging is totally different than posts. Please read the codex links provided. Also, if you really want to take buddypress for a test drive, set up a development site either on a live site or right on your own computer using http://www.instantwp.com/ and then add some “fake” users and messages, and data using this plugin: https://wordpress.org/plugins/bp-default-data/

And then jump in there and click around like crazy, edit, message, post, and see what happens! this is the best way to really check things out without doing any damage to your own site. Nothing compares to getting your hands dirty and mucking about (in a safe test environment).

This way you can really understand what messaging is, what private messaging is, broadcasting from admin to all members, etc. You can also add/remove plugins and check out their functionality, all in the comfort of your own computer’s hard drive or a test environment set up at a test domain/host that you control/own.

Also, keep in mind that buddypress has many features but you do not have to enable them! for example, there is a feature for groups. But you don’t have to enable it! you can add a forum (using bbPress) but you don’t have to! you can have private messaging so members can send private messages to each other… but, you guessed it, you don’t have to enable this feature. Also, another powerful feature is that you can give members of your site the ability to start their own blogs! this is called “multisite” but you can choose to enable this or not. Same goes for “friend connections” feature… etc.

My suggestion is to start with a very simple starting point and then as your community grows, add features that they require or need. It is a far too common mistake for new buddypress users to just turn everything on at the start.

If you don’t want to restrict your membership in any way or to collect money online from them then you don’t need anything else other than buddypress and wordpress. But look through the membership plugin links I provided to familiarize yourself with them and their features just in case. A few are completely free and still have tonnes of features.

Finally, keep in mind that spam registrations do happen. There are many guides and tools to mitigate spam membership registrations. Here’s a good start:

Preventing Spammer Registration

Google is your friend for more info on spam fighting.

definitely spam

I normally install a couple of plugins to deal with spammers and idiots.
Wordfence and Better WP Security

I’d agree with steps 1 to 3! With reference to 4, you could try installing a capcha plugin. It’s always better to stop spammers at the front door as opposed to trying to deal with them when they’re inside your house!

5. What else should be done at this stage?

Celebrate! 🙂

In case someone else sees this problem, you can get the same thing (a flood of user accounts with no email and often no role) if you’re using the WP e-Commerce Plugin.

See the discussion here: https://wordpress.org/support/topic/spam-users-in-wp_users-after-wpsc-upgrade

if it’s not on the front page reply to topic with the word spam and one of the mods will get rid of it.

well but wouldn’t that only happen if a user actually mentions the spammer? any activity the spammer themselves made would be removed along with the user. i have never seen anyone mention a spammer.

i don’t think those 404 should be bothering you. if you have open registration then you will invariably get some amount of spam registration. would you rather have google seeing missing pages or seeing the spammy profiles with links that actually could hurt your ranking? 404 errors in WMT are mainly just to alert you the webmaster that they exist. i do not believe they actually impact your sitewide or page specific ranking at all.

Also, rename your ‘register’ page to something else. Lots of spam bots look for /register/ so something as simple as /register-page/ will help hide your sign up form from at least a few of the bots.

@wpdragon have you tried Akismet? I’ve found that to work well as part of your overall spam fighting strategy.

Wangguard worked for me for a while but spammers started slipping through the cracks. A great plugin (which you can use in conjunction with wanngguard) is recaptcha:

https://wordpress.org/plugins/wp-recaptcha/

It works with BP 1.9 and WP 3.8 (confirmed, using it, loving it)

It seems that those spamming my site are using wordpress’ default way of creating an account and not registering through buddypress. When I go to the users admin, all of the users that used buddypress were given the default forum role of “participant”. The spammers don’t have this role.

Because of my current setup, I installed the Members plugin and created a new role. Then I made the buddypress form show up only for those that I have confirmed. I would recommend that this be added to future buddypress installs as an option.

Also, perhaps the emails are being sent but falling into user’s spam folders. Perhaps ask them to check

A great plugin that I use (is free) that has greatly reduced registration spamming is WANGUARD (check it out here: https://wordpress.org/plugins/wangguard/) works great with buddypress and bbpress

First you said:
>I disabled registrations using “Registration is disabled” from the network admin settings/network settings and the spam registrations continue.

Now you say:
>– disable registrations (network admin) and the automatic reg stops

Not sure why things have changed, but it’s a clue.

btw – did you change the salts in your wp-config ?
https://codex.wordpress.org/Editing_wp-config.php#Security_Keys

@ride2719

https://buddypress.org/support/topic/critical-exploit-backdoor-spam-registrations-via-bbpress/#post-173527 ?

>Forums are enabled (it’s a primary purpose for the site)

Understood, but try deactivating bbPress.
If the spam regs stop, you know it’s a bbPress issue and you can post a bug report on their site.

If they don’t stop, at least you know it’s not bbPress.