BuddyPress.org

The users who register need to activate their accounts. They are not marked as a spammer (user_status = 1) they are marked as not active (user_status = 2). Until they activate their account they cannot log in.

If your emails are being marked as spam or phishing then this is likely something to do with the domain or IP address of your site. It has probably been black flagged.

If you are on Wordoress Mu

Dashboard->SiteAdmin->Users

search his username and check it, then there is a button above the listing for Not Spammer, that should do it.

I wonder if attempting to rename bp-core-signup.php might help. Who know how many things I could break though. LOL.

Anyway, I just duplicated the /registration/register.php file in my child theme and completely deleted this line… maybe that will help

<p><?php _e( 'Registering for this site is easy, just fill in the fields below and we\'ll get a new account set up for you in no time.', 'buddypress' ) ?></p>

Okay… I am STILL getting SPAM registrations. I’ve done the following:

• Changed signup slug
• Installed hashcash (works with BP now)
• Disabled “Allow blog administrators to add new users…”
• Deleted BuddyPress credit in footer.php
• Deleted wp-signup.php
• Created a robots.txt file to disallow robots from my signup slug

Any more ideas? Short of Catcha? Altho’ I’m thinking even that won’t work.

FYI… Elliot updated wp-hashcash for BuddyPress.

https://wordpress.org/extend/plugins/wp-hashcash/

“It’s not any ONE fully qialified domain for me… it’s dozens of different domains all ending in .info.”

Yeah, I know, Believe me, we’ve gone around in circles over that one issue in the mu forums. I’ll have to dig up the command.

A lot of plugins like hascash are recommended because they work. I see a lot of people not try them because they think it’s just for comments. On most sites I’ve tried it on, it just works.

You might like to get some anti bot plugins from wordpress. I have WordPress MU and Buddypress and use the following plugins to prevent bots from joining my site.

WP-SpamFree – An extremely powerful anti-spam plugin that virtually eliminates comment spam. Finally, you can enjoy a spam-free WordPress blog! Includes spam-free contact form feature as well. http://www.polepositionmarketing.com/library/wp-spamfree/

WPMU Super Captcha – Custom captcha program made to stop spam bots cold in their tracks. Features audio, word files, or random text. You configure it! https://wordpress.org/extend/plugins/super-capcha/

Or go to http://www.wordpress.org, click on extend and find them there.

Okay… I just installed wp-hashcash and pasted in the function mentioned near the top of page 1 of this thread. Let’s see if that stops the *$^#%&@ SPAMers :o)

Thanks Andrea_r

So can you tell me how to block signups from anyone with a domain that has a .info extension? I’m sure that 99.9% of people with .info domains are SPAMers. I found the “Banned Email Domains” setting in WPMU but cannot find any documentation about how to use a wildcard or regex in that field. It’s not any ONE fully qialified domain for me… it’s dozens of different domains all ending in .info.

I’ve done everything in my list above (except CAPTHA or Hashcash) and I’m STILL getting signups from these bastards. Maybe I should try Hashcash. You’re right, the htaccess rule above did nothing. Driving me CRAZY!!! Buggers.

In MU, there *is* an option to block certain email domains. There’s a funny way to put in wildcards though.

,

Thing is Andrea that doesn’t appear to make a blind bit of difference, we had a number of signups from half a dozen email domains repeated over and over, easy I thought, first line of attack drop those domains in the block list. Didn’t do a thing those same email domains kept coming through. I suspect that when someone looks into it they will find that BP registration bypasses this check somehow! sadly!

That won’t harm anything, but it won’t stop signups from that domain, just requests.

In MU, there *is* an option to block certain email domains. There’s a funny way to put in wildcards though.

This should probably happen. Even so, if you mark the blog author as a spammer, it will also mark the blog as spam and remove all the posts.

@Peterverkooijen

as has been said to you many times before. if you don’t want to use forums, then turn them off. and please don’t spam the forums every chance you get with your comments about forums and bbpress. by now we’re all well aware of your opinion. cheers!

So to sum up:

• Change your signup slug
• Add some required custom profile fields (or use the hashcash trick posted at the start of this thread)
• Disable “Allow blog administrators to add new users to their blog via the Users->Add New page”
• Delete BuddyPress credit in footer.php
• Delete wp-signup.php
• Create a robots.txt file with User-agent: * Disallow: /register/ (or whatever your slug is)
• If all else fails, use CAPTHCA or preferably a simple random question (what colour is snow)

Am I wrong or missing anything?

Also… all of my SPAM registrations were coming from .info domains. I added this to my .htaccess file but I’m not sure it’s correct. I found a million examples via Google search for how to ban full domains or subdomains… but nothing about blocking an entire extension (i.e… whatever.info). Anyway, this is what I wrote:

RewriteCond %{REMOTE_HOST} \\.info$

RewriteRule .* - [F]

This is currently done when a user is marked as a spammer; this probably is best to go on https://trac.buddypress.org/ as an enhancement ticket.

When a user is marked as a spammer, all of their Activity data is deleted in the database. There’s no way to retrieve. They essentially start out as new users as far as BuddyPress is concerned; they’ll need to log in or edit their profile, etc, in order to appear throughout the site (on the members directory, for example).

“The only other way I can think of is that a member is “inviting” them via the “Allow blog administrators to add new users to their blog via the Users->Add New page.” on the WPMU options page, so I’m going to disable that as well now.”

That’s one of the first things I turn off.

I must be overworked or hallucinating. Signups are disabled, wp-signup was deleted some time ago, and they are still creating new accounts and blogs as we speak! How is this possible? For a while I kept entering the ip s in wp-ban and had given up on that plugin, but I noticed it caught about 600 attempts in the last 24 hrs. Still, a few dozen got through anyway.

The only other way I can think of is that a member is “inviting” them via the “Allow blog administrators to add new users to their blog via the Users->Add New page.” on the WPMU options page, so I’m going to disable that as well now.

We’re still a relatively small and young community and all these restrictions and jumping through hoops is hurting us.

I’m starting to get hit now :o( I have had a custom slug for weeks. I added a robots file today disallowing bot access from /my-signup-slug/ and also installed invisible defender but I’m still getting spam registrations. I also just deleted my wp-signup.php file. I’m going to try hashcash. I’m also considering a htaccess file that simply bans ALL traffic to the entire website from Russia, China and any .info domains.

Google ‘robots.txt file’ for starters

@Andrea_r good thought, how would that look like?