BuddyPress.org

If you’re a site admininstrator, there should also be a menu called “Admin Options” when you’re on any profile.

In this menu, there are links to edit a user’s profile and avatar, marking the account as spam and deleting the account.

JImgroom, how did you hack the theme? I’m having the same trouble.

.. I forgot to add, we’ve also disabled blog administrators from adding new users

I’m getting about 50 spam registrations a day on one client site since the start of this week.

We’ve modified the register slug, changed text on the register page, deleted the wp-signup.php file, and implemented the following in our .htaccess file:

# BEGIN ANTISPAMBLOG REGISTRATION

RewriteCond %{REQUEST_METHOD} POST

RewriteCond %{REQUEST_URI} .join-lorem*

RewriteCond %{HTTP_REFERER} !.*mydomain.com.* [OR]

RewriteCond %{HTTP_USER_AGENT} ^$

RewriteRule (.*) http://mydomain.com/spam-prevention [R=301,L]

# END ANTISPAMBLOG REGISTRATION

Still the spammers are getting through.

Turning off blog creation / new user registration is not an option… otherwise, there would be no point in trying to offer a blog platform / social community.

Asking users to wait until their application to join is approved, or asking them to fill in additional fields at signup will just hamper the chances of them signing up and using the site.

Anyone have any suggestions?

I don’t want to tell clients: “we’ll build on BuddyPress for you, but you might have to remove 100s of spam blogs every week”

Note: the problem is worse than just the backlinks they create, it also reflects badly on the professionalism / appearance of your site, as their spam posts show up in activity streams, in aggregators (such as showing recent site wide posts and so on).

This is a serious problem.

Note: a lot of these registrations come from a small number of IP addresses, is there anyway to block certain IP addresses from registering?

sorry, I have missed that this has been posted in the “ideas forum”.

I am definitely not against any new features & Supergroups is a great idea from Bowe.

Thanks for outing me as a spammer

Why are you spamming every feature request post erich73?

This the “Ideas” forum, and it where people post new ideas. Just because you have your opinion that devs should “stop all new features” that doesn´t necessarily mean that everybody shares your opinion. Please stop forcing your opinions on others….

@Michael Removing via CSS is not the same as dealing with it server side. CSS is simply a presentational language which is applied to the DOM, in order to have been able to remove via CSS requires that the elements had been outputed by the server, i.e sent to the browser; the form elements still exist. If grabbing the page using CURL or some similar means you would have that section of the form available.

Wrapping the form section in a php conditional means that as normal the file is passed to the parsing engine to process and compile into the final file to send to the browser, it sees my instruction to ignore that section so simply never includes it in final output.

I do not claim this is the best approach but it works, I do not want users to take a blog initially I would rather it a considered decision once members. Using this approach I have had no further spam blogs (other than real human twits signing up) still get user signups but at least no blogs are created.

@Andrea_r

Thanks wasn’t aware of that plugin, however do think that given the options exist exist in the backend that they could have been better thought through or even simply better worded.

“As there were no sensible options for allowing users to signup but not take blog until a member “

There’s a plugin for that:

http://wpmututorials.com/plugins/socialpress-user-signup-plugin/

Yes – I did it once in a similar way by removing it with css…

I just noticed I failed to read you entire question there. Correct, they will target wp-signup.php and you can modify this file name too, if you wish. It is a bit involved though and may I suggest this article if you would like detailed information about how to do so ~ http://wpmu.tripawds.com/2009/12/12/the-ongoing-fight-against-spam-blogs/

keep in mind those instructions are for MU 2.8.6 and if you decide to edit wp-signup.php ~ don’t forget to change it in these places ~ wp-signup.php, wp-login.php,wpmu-settings.php and bp-core/bp-core-templatetags.php

Have to admit I had no idea there was another registration.php page and it would have never have occurred to me to look in the bbpress folder.

This kinda worries me really why is this required and also a password reset file, it feels as though it’s a bad hangover from earlier days and ought to be removed.

Is it not time that this bbpress thing be integrated fully or at least forum capabilities simply part of BP core .

I have deleted this registration file and will be interested to see if it clears up the remaining few spam signups still being received

@Michael

The options for account registration control are odd and do not do what they suggest (I mentioned that on another thread, but it’s a WPMU issue!)

As there were no sensible options for allowing users to signup but not take blog until a member I simply saw little choice but to remove the section of the form that dealt with the blog signup so I wrapped the fieldset in a conditional that just checked whether I had set a variable to disable or allow thus preventing that section from being returned from the server.

I found this plugin and it seems to allow you to moderate new users I think this will help everyone a lot:

http://webdevstudios.com/support/wordpress-plugins/buddypress-registration-options/

All in all, here’s my approach that I use on MU/BP sites ~

1) modify the register/register.php wp-signup.php hardcoded default text and url slugs.

2) enable xprofile and require additional fields upon registration.

2) use a captcha ~ i’m fond of ReCatcha

3) make sure you and check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page. ” in wp-admin/wpmu-options.php “Admin > Site Options”

4) I ban or limit the registration domains (also in Admin > Site Options) so that the commonly used spammer domains are blocked from registration and then I add an email contact for owners of these addresses to manually request registration. I hide the email address from bots with HiveLogic EnKoder

5) I then firewall off entire blocks of IP’s from my servers from commonly used spammer IP ranges you can find at sources like spamhaus.org .. and considering that these are one language sites, the need for access for the IP blocks on the pan asia network or eastern europe are unlikely. If you have a multilingual site, this might cause issues to very few users. Cpanel, Plesk, BSD, etc have tools to do this.. if you’re on a shared server, ask your hosting provider if they can do it for you, and they may be likely doing it already.

6) I also recommend using Askimet.

@windhamdavid – thanks for the hint about bbpress… didn’t know, that the register-file was still there… Now I deleted it (just in case) – although forums are not even activated in my install. By now, still no spammers registering… could be that activating hashcash again did the trick (although I really don’t get it why, for as far as I know it just protects the register-form, right? and it seems, that wasn’t even used…

@chouf1 On the install I am havong troubles with there is NOT ONE spammer for sure. I know all of them personally! In my other install (I have 0 troubles until now, I will check back on that. thanks for the hint)

PS: Chouf1 – wow, do you speak swissgerman

für ä’biräbitzeli drischnure…

Did you show into the comments or posts on the different blogs ? There are sometimes strange links that can appeal to spammers. Some long post with many links inside or many Viagra words. You see what i mean…

I recently did such a search and find some on my “trusted members” blogs.

für ä’biräbitzeli drischnure…

Did you show into the comments or posts on the different blogs ? There are sometimes strange links that can appeal to spammers. Some long post with many links inside or many Viagra words. You see what i mean…

I recently did such a search and find some on my “trusted members” blogs.

let’s continue this thread over here ~ https://buddypress.org/forums/topic/how-to-control-spam-registration/page/2

and did you try that recommendation regarding bbpress?

I’ve already answered this question.

If you have a spammer with admin access on a blog, they can add new users to that blog. They are then new users in the system since WPMU shares a global users table. So essentially once a spammer has a blog they can get others in.

This is simply the way WPMU works, and if I try and change that, people shout and scream at me. The reality is, if you want to use WordPress MU and BuddyPress along with it, you are going to have to manage this somehow. Otherwise, just use standard WordPress since it doesn’t have these issues.

I don’t quite understand these spam posts since I’ve run ten to twelve mu sites for several (4+) years with no splog/smap exploits (knock on wood) and some of them are outdated installs with very little protection. If buddypress is in fact, the culprit, perhaps it’s related to the registration in bbpress if you have forums installed? @micheal ~ perhaps you should try removing register.php from the buddypress/forums/bbpress/ ~ and/or buddypress/forums/bbpress/templates/kakumei/register.php to see what happens…

I just tested on a local install with no conflicts and thanks for investigating.

Just another little update: To me it seems that there are two different spam-signups (at least )

The ones, that come in through the registration-form

I could handle those with all the tipps (for me this worked best):

– change the slug

– additional-fields

– change some text on the registration-page

– change footer-text

– SI-Captcha didn’t really work, so I used the modified invitation-code-plugin mentioned before

– wp-ban did help, too (often wasn’t really needed – just left it there in case…)

– changing/deleting wp-signup.php (which led me to this connected issue/question: https://buddypress.org/forums/topic/wp-signupphp-redirects-to-registration-slug-why)

The ones, that don’t seem to use the registration-form or wp-signup.php at all

– never had this problem before, so it hit me… Further described here with a open question for me: https://buddypress.org/forums/topic/is-there-a-backdoor-in-wpmubuddypress

– This morning I found out, that I had deactivated the hashcash-plugin because I had comment-issues (didn’t come through anymore). I think the spam-flood came after deactivating it. Right now I have activated it again (just for signups) and no spam came in for a couple hours now (even with deactivated wp-ban, without captcha or invitation-plugin, wp-signup.php still there)

So far my forther journey with this issue

@hnla how did you deactivate blog-signup? If I use that option in the backend, registration does not accur at all. If I choose “only Useraccounts” they cannot create a blog in a second step (no new blogs at all)

Definitely remove the footer link if you haven’t already.

I noticed a issue with spammers using CURL to download /registration so blocked that in .htaccess (It’s been mentioned on a thread somewhere how to)

renaming the slug ‘registration’ is supposed to help.

For me deactivating blog signup improved things significantly. Didn’t need users to be able to register for a blog at initial sign up they can take a blog once they are members.

Despite all efforts and much study and approaches instigated one after the other to gauge effectiveness before adding next one I still am not sure how a few of the automated bots get through, human signups there isn’t much you can do about them apart from delete manually.

All my efforts still result in around 10 signups daily that require dealing with manually.

This is getting worse and worse. I just launched my first BuddyPress site and am getting spammer registrations although I have additional required profile fields and SI Captcha installed.

Sadly, the article mentioned (linked) above is not available anymore (I guess the spammers took down that site) and judging by the responses here there still seems to be no known solution to the spammer problem with WPMU/BuddyPress.

I spoke to someone on Twitter who confirmed that the spam problem started when activating BuddyPress – this would be in contradiction to remarks from Andy, I’m afraid. Anyhow: after reading comments here there seems to be a hole in the system somewhere.

(I guess the spammers have been clever enough not to spam testbp.org )