BuddyPress.org

doing a merge of the 1.2.3 and 1.2.4 – looks like this function changed and is called during the installation process. I don’t run WPMU/MS – if anyone can verify this is the problem and submit a trac ticket

1.2.4
function bp_blogs_record_existing_blogs() {
global $bp, $wpdb, $current_site;

/* Truncate user blogs table and re-record. */
$wpdb->query( “TRUNCATE TABLE {$bp->blogs->table_name}” );

$blog_ids = $wpdb->get_col( $wpdb->prepare( “SELECT blog_id FROM {$wpdb->base_prefix}blogs WHERE mature = 0 AND spam = 0 AND deleted = 0 AND site_id = %d” ), $current_site->id );

1.2.3
function bp_blogs_record_existing_blogs() {
global $bp, $wpdb;

/* Truncate user blogs table and re-record. */
$wpdb->query( “TRUNCATE TABLE {$bp->blogs->table_name}” );

$blog_ids = $wpdb->get_col( $wpdb->prepare( “SELECT blog_id FROM {$wpdb->base_prefix}blogs WHERE mature = 0 AND spam = 0 AND deleted = 0” ) );

Maybe we should ask this question in a spammer’s forum

Andy Peatling once told me it was more of a WPMU problem (are you using WPMU?). But I have also heard people reporting the problem only arises once BuddyPress is activated. I don’t know, sorry.

I reduced Sploggers to about 20 per day, which is OK for the time being to handle (but of course quite annoying). Looking forward to solutions – as we all are, I guess. I can’t imagine anyone not having this problem – since I have so much spam on a hardly known site.

@Dwenaus is spot on guy, (IMHO) sorry. Let’s face it, the examples he gave all put their listing here for viz purposes only. It’s almost spam-like. The photo gallery one is the worst infraction as it is the most misleading. Everyone in BP-land anxiously awaits a fully BP aware image plugin (we’re talking ones that integrate with xprofile, the activity stream etc) There are tons of gallery plugins on WP (I use NextGen Gallery a lot) but they are no different than this one. Why don’t they ALL get listed here? They shouldn’t. The only reason they added #buddypress to their listing was exposure. I have written that plugin dev many times to get clarity on this and they have disappeared. That’s because they just wanted exposure.

Are there useful WP only plugins in a BP world, of course. Should they be tagged as such? Debatable. Boone, Jeff, and others have done such great work in BP specific stuff that it becomes an insult and a disservice.

This is different than the WP plugin repo. It requires some moderation ( @jjj and @apeatling you listening?) because to build a BP plugin is non-trivial.

PMs are disabled on here for now due to spam; I’m guessing the old messages are still in the DB though.
Awaiting further word about this from Andy.

This is why we need to intercept spammers. This is a the first thing I saw when I logged in!

http://img337.imageshack.us/img337/3872/blahg.jpg

I couldn’t be more excited about the merge of mu into 3.0. Finally I can come out of the closet I’ve been hiding in for so long.

On most forums, as soon as I mention that I run mu, I get the proverbial, ‘not supported’, argument, whether it’s a theme or plugin purchase, or even a simple question. I suppose in the long run I should be grateful for the treatment I received most places as it really has taught me to be more self-sufficient. I actually spend more time now learning how to code then all other activities combined. As frustrating as it’s been, I have to say it’s been more than worth it. It’s almost a joke going back a year or two and reading the questions I had on other forums. And to think.. at the time I was running hundreds of client websites. Little did I know just how little I actually knew. It’s also important to mention that the absolute best wp coders that I have met all either run mu, or are intimately familiar with it. Many of those people are here on this site. Their level of expertise is head and shoulders above the normal wp user.

@johnjamesjacoby has it absolutely correct. The more time you spend on the theme of the site, and especially the back-end administration portion, the more the site really starts to shine. I’d say that I spend an equal part on modifying the looks and functionality of the backend as I do the theme. Basically every time one of my customers asks me how to do something that I believe they should be able to figure out on their own, I go back and try to find ways of making it more intuitive for them.

Most of my clients don’t even know they are running wp/bp. They simply wanted internal group communication systems, and it just turns out that bp fits the bill almost perfectly. What better system could there be than a system where I can give a client who has multiple locations a series of sites all connected together, cohesive, and simple to use. Gone are the days of having to stitch together or bridge multiple systems. I’m so glad that I will never have to write or pay for another bridge script again, only to have one of the products die a slow death on the vine. I really believe wordpress and possibly buddypress are here for the long haul.

It’s also important to mirror what JJJ said about site size vs. features. I have some very small client sites, where it would make no sense to turn on most features. Doing that would only confuse the users and make it look awfully lonely. Then again I have sites with thousands of users. Turning on most of the features for them would make perfect sense, as everyone finds their own little area of the site that they enjoy. Bp makes this very easy.

@shnooka30 I’m actually one of those people who couldn’t be more excited about the plugins to give sub-blogs their own bp installs. To me, that is the biggest current downfall of bp, other than privacy and spam which are being addressed.

The entire reason I went to wpmu in the first place was that it was horribly inefficient to run hundreds of separate installs. I spent way to much time having to update sites one at a time. Wpmu, literally saved me hundreds of hours a year in updating time alone. It’s only because of the plugin not being available yet that I don’t offer bp to many of my client sites. When the plugin is ready, then I hope to jump in with both feet. At least the wait has given me the time to get a real understanding of the bp code base before adding it to the mix.

Bottom line is those who run undermanned or lousy setups of bp on shared hosting, which is the majority of users, will die off very quickly. Everyone else who does it right will appear so different in both appearance and service, that the public won’t even put the two together.

Is there anyway to disable activation emails so that people do not have to click to activate their membership? We are using the s2member plugin and 95% of our paid users miss the email or it gets filed in bulk email.

Hi Jeff, I can’t make the chat Wednesday as I’m going to be on a plane between London and Hamburg, but I wanted to add to this:

1. wp-recaptcha — I’m working with the developer of this plug-in so that we have one fork that works everywhere, BP included. Given that this is the topic, let me try to get that basic code up. Even with simple recaptcha support, there’s a huge decrease in spam signups. It seems not to solve the smartest scripts, the ones that send PMs (at least not on our site), so I think once we get one recaptcha working, making the “failed” recaptchas more intelligent to avoid these automated bots would be great. Thanks for the ideas above — this is great fodder — so I’d encourage people to get involved on the same fork so we can put this into action sooner rather than later. Let me post a separate update within the next couple of days.

2. Since PMs are a big problem, and this thread is getting very, very ambitious, why not at least begin testing this with a separate plugin? I’d like to at least see something that stops mass-mailings and highlights that user, as that’d be an easy way to weed people out, at least as more comprehensive solutions are developed.

3. Reviewing core is probably worthwhile. A mistake in bp_signup_validate’s code was being exploited by hackers. I know this is part of 1.2.4, but I went ahead and applied the diff attached to this (now-closed) ticket to our current 1.2.3 install:
https://trac.buddypress.org/ticket/2289
— this made a big difference. I wonder if anything else follows this pattern, and how we might hunt it down.

Grand, wide-reaching plans sound terrific, but I’d hate if that derailed some short-term fixes; seems we can have both.

Closing this thread per Jeff’s comments, I think discussion should continue in the thread that Stas’ linked to.

As @sushkov states, the issue of spam in BuddyPress is currently being discussed in depth. Please search before you create a new thread. There are many threads on the same topic. Creating a new one does not help.

Hi,
there’s an interesting thread started on this subject:
https://buddypress.org/community/groups/requests-feedback/forum/topic/here-come-the-spammers/

Awesome.

The issue of spam will be one of the topics discussed at this week’s dev chat on Wednesday. There should be more to report after that chat.

It’s my belief that the footer link plays a bigger part in the problem than is given credit for at least it was the last thing I implemented (removing) and appeared to have a significant impact. One thing I think people should stop putting forward is this notion that adding custom fields to sign up makes a difference, it doesn’t! and is obviously and emphatically demonstrated by the fact that spam bot signups manage to fill all fields with garbage including user created ones but as you would expect.

interesting:

2) How do spammers find BP communities?
Using Google.
Example: http://www.google.ca/search?hl=en&q=%2B”is+proudly+powered+by+WordPress+and+BuddyPress”; (front page of every BP site on the net)
Example: http://www.google.ca/search?hl=en&q=inurl:%22/community/members/%22+%2Bbuddypress (members page of every BP site on the net)

I have two open test BP installs (one wp_user linked to my blog domain) and changed the standard footer. Not a single spam sign-up (just hashcash installed)

Has there been any more movement on this front?

The issue of spam registration and posting is well discussed. If you want to learn more about some proposed measures, please read this thread: https://buddypress.org/community/groups/requests-feedback/forum/topic/here-come-the-spammers/

@stwc and everyone else.

I’ve been experiencing problems with spammers constantly, I would get about 11 a day, (at the minimum). I’ve tried several things, reCaptcha, email activation, email domain blocking, etc etc and nothing seemed to help with the bot spammers.

All they were doing was creating users with a few profile fields filled out, so there was no big issue, it was just annoying seeing so many fake users on the site.

So all I did out of the suggestions here was enter the code provided for the .htaccess file :

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .yourbpsignupslug*
RewriteCond %{HTTP_REFERER} !.*yourhomedomain.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]
# END ANTISPAMBLOG REGISTRATION

And it seemed to have worked. For the signup slug, I used wp-signup.php. And so far, for about a day and a half now I’ve only found 1 bot spammer. Drastically reduced, but not quite fixed.

But we’ll see. I’ll post back if there is any change, or after a few days of no spammers.

It blows my mind that this is not a core feature of WPMU, WP, or BuddyPress. It is the most obvious first defense against sploggers and spammer-members.

There is a plugin called Pie Registration that claims to do user moderation of unverified users before they are allowed to post. It seems to be a resurrection of an older (discontinued?) plugin called Register Plus. Find it here: https://wordpress.org/extend/plugins/pie-register/

Will check it out now.

EDIT: It says that the feature “Moderate all user registrations to require admin approval” will only work when Email Verification is DISABLED. I can’t get it to work, though.

Also found this:
“Register Plus plugin seemed to be working fine in 2.9.2, with custom logo and all, but now I’ve just discovered that it only sends the registration email if the registration is done in IE. In Firefox or Chrome the mail is not sent. How can this be?”
https://wordpress.org/support/topic/376015

Had the same problem on all of my installs last night. Temp solution was to shut down all registrations while bp works this out. Between my network of sites, I would estimate 150+ spam registrations. Once in, they were also abusing the pm system. It’s ok though, I’d rather shut it all down for now then to have to manually keep deleting pm’s from the db all day long.

I know you guys are working hard on this issue. It is much appreciated!

As @r-a-y suggests, these look like spam accounts to me.

I guess these could be spam bots inputting data to pass the registration
I know a lot of work is going on now in the background to help stop this
Stay tuned

Could be spam accounts. Are these users doing anything weird on your site?