BuddyPress.org

@dennish The installation of bbPress that is packaged with BuddyPress contains a file at buddypress/bp-forums/bb-config.php. When you attempt to access the bbPress installation directly as you describe, the bbPress bootstrap loads this bb-config.php file, and sends a 403 Forbidden header to the browser. Thus, it should NOT be the case that users are able to create accounts (or do anything else) on these pages. If you are finding otherwise, it could be because your buddypress/bp-forums/bb-config.php file is missing or corrupt.

In the future, when you find what you believe are security issues in BP, please do not post them to the forums, but instead send an email to security@wordpress.org. Thanks.

Having the identical issue as above. Spammer registers for site, activates and then I find them in a private group. No request to join, no approval by Group Admin. The only clue I have is that when looking at their profile it says they belong to the private group but the button to the right still says “request permission”. Somehow bypassing the approval process.

@robg48
Those 2300 must not have logged in the first time. If they have not, they will not show up in the members directory. If they have not logged in yet I would imagine a good majority of them are spam accounts. Good luck!

@bphelp I haven’t been able to test this for you yet but I did notice yesterday that non-activated users get given a URL which is visible to anyone. For example, if you completed the registration form on my site and chose username ‘bphelp’ – even before you click on the link in the activation email you will be able to go to

mysite.com/members/bphelp

Here you’d see: Your name, the mystery man avatar etc.

Imagine a site that has lots of spam signups. They’d have hundreds if not thousands on unused URLs.

How is this currently handled by BP?

@shaungreen
I am not sure I am following you but if you deactivated that plugin and a new user can register and activate an account and login successfully then this is not a BP or bbPress issue. It needs to be taken up on that plugins support forum if you insist on using this plugin. Otherwise you may want to look into alternatives! I have used:
https://wordpress.org/plugins/bp-force-profile/
It forces a user to complete the required xprofile fields before they can interact with the site and seem like a good deterrent against spam registrations.

@nodeadbunnies
1.) You do realize BP is a WP plugin right? It is not its own entity therefor if the user registers with BP activated, they are also registering with WP.
2.) By default if a user enters a wrong password they are then redirected to wp-login.php if you want to include the lost password link there may be some login widget plugins that includes that link, other wise you could get that link from wp-login.php and hard code it into your child themes sidebar.php which may not be a good idea until you get a little more experience. Try searching for plugins that will accomplish this before going that route.
3.) You may want to check the spam folder to see if the activation email went there. If not then check your servers error logs and report back.

@asieger A rather basic question: Have you checked the Spam folders in your email accounts?

@cpagan2000 thanks SO much for coming back and posting that code! I have literally searched for hours to try and fix my problem that my site, which has been running over a year spam free, all of a sudden was getting SLAMMED with spam registrations because BuddyPress hijacked my registration page and I couldn’t figure out how to make it stop.

For anyone else who finds this thread, you have to create the bp-custom.php file and put it in your wp-content/plugins folder (contrary to all the other information out there on the web – – SO CONFUSING!!) I tried to put in in my functions.php and it just wouldn’t work. You can find more information on customizing BuddyPress by following the link above that @bp-help posted above.

This information should really be easily accessible. No one should ever have to search this hard to fix this type of issue. That is why I made a point to come back and thank pagan and add the missing info that I had to track down to fully understand the situation.

try wangguard it definitely helps

Screen for marking a user as spammer to start off. Alternatively, while in users’ area, there’s an “Edit Members” dropdown menu in WP toolbar for site/super admin where you can set User’s Capability as well.

@laboratorio35 The group creation was not stopped. It was created right after clicking on “create group and continue” link after filling up group name as “X” and description as “x” in the first group creation screen that’s why you see the group in the Group Directory oage. At this stage, you as Site/Super Admin can always delete the group if you wish.

Probably it’s just in the spam folder. The activation email quite often seems to be marked as spam, unfortunately.

Mail server configuration can be tricky and I’d suggest you also contact your web host for support, as there may be other configuration changes that you or the host could make to improve the chances of the email being received correctly.

@yzord
Did you check for the activation email in your spam folder?

Hugo,
I cant fid this: dashboard -> admin or network admin -> users and check user, ?

I have loads of spam coming in and I need to delete them…

Can anyone help please ?
James