BuddyPress.org

Well, I pretty much tried most of the suggestions here on this thread, and for a couple of days it was quiet. But since yesterday a new and much more aggressive wave is battering my poor little site with as much as 70 new accounts and blogs per hour.

The last wave started shortly after this log entry:

http://www.webwarper.net/ww/~av/www.google.com/search?hl=en&q=site:.NET%20inurl:%22register%22%20intext:%22Registering%20for%20this%20site%20is%20easy,%20just%20fill%20in%20the%20fields%20below%20and%20we%27ll%20get%20a%20new%20account%20set%20up%20for%20you%20in%20no%20time.%22&start=10&sa=N

These accounts don’t have ANY fields filled out from the BP registration form. Even if I re-write that page they’ll just pick something else to hunt for. I’m back to asking folks to contact me if they want to join the site, but that’s a major deterrent for most, understandably.

Hi,

This was an issue with looking for spam and deleted fields in the db. They were not there in wordpress install so I removed this contraint. I just checked in version 1.1.8 to fix this.

Thanks,

Dave

I don’t know if you’ve found a treatment, for this, but I’d suggest a plugin named HashCash from Donncha:

http://wpmu.org/wp-hashcash-for-wpmu/

Unfortunately I have the same problem as the two of you. I am running fresh installations – newest WPMU and BP.

It was running all fine.

Now I (admin) get no email notifications at all – users do not receive any either. The activation emails are not being sent. The WPMU ones are not sent out either.

I am using a catch-all email on my email host to be able to sign up with different emails on the same domain.

First thing I was thinking was whether BP or WP was thinking all this signup from the same email domain was SPAM and therefore closing down signups from my IP or whatever.

I have searched for answers and found this: https://mu.wordpress.org/forums/topic/13039

Apparently some hosts do not allow automated emails to be sent out.

(However, if my host do not allow this, how come it worked fine for two weeks?)

Only plugin I have installed is the cets-blog-defaults. I have tried to deactivate it, but it does not help.

This is really frustrating

In SocialGo’s defense, there’s nothing wrong with asking money for a service/product. SocialGo and Ning are good solutions for a certain class of users. The difference is “software as a service” vs self-hosted.

Another option is SocialEngine, which is self-hosted but not free and probably a bit more business-ready than Buddypress because of it – better member mgmt, anti-spam, photo + event plugins, etc.

My solution against spam:

I replaced the whole content of wp-signup.php with

header( ‘Location: http://mysite.com/register’ ) ;

Since than no more spam

Think it through … it is a kind of Microsoft moment

Spamming WPMY/BP is only popular enough because there are significant numbers of unmodified installations going on.

Because there are a significant numbers of unmodified installations going on we … and our servers … all take a hit on this crap.

So … disincentivize the platform by making that custom modification obligatory … for all … during the installation process.

Spammers would face a pretty impossible or unrewarding task and move their attentions elsewhere.

Does that work logically and technically?

It is not good enough just to point out one can change it … the problem is not enough people are and hence we are all paying for the vulnerability of the platform.

So shut that vulnerability off. Simple, no?

Use captcha, have one profile field be required and change the slug.

define( 'BP_REGISTER_SLUG', 'name-this-something-unique' );

oh and if you are on WPMU then you need to disable the ability for blog owners to add users via their admin section. This is an easy way for spammers to get entry.

Thanks everyone for the tips and tricks, I’ll be checking this page again!

It’s strange but the moment I upgraded to WP2.9.2 and BP 1.2 spam started again.

Previously, I just added SI Captcha and I went from getting 10-20+ spam registrations to none. I added WP-hashcash now and I’ve only had one registration since.

I’ve just disabled the blog registration on the signup page, hopefully that’ll help too.

By the way, there’s also a meta tag in the header of many templates :

<meta name="generator" content="WordPress 2.9.2" />

Removing that may help too….

the activity means someone who is active on the site… registrations have to be complete before being considered active… this is to avoid spam bots to be considered active on the site… so when the new members visit the site back and “do” something, they are tracked by the actvity stream.

I’ve now deleted the register pages inside the bbpress folders, and that seems to have halted the spam registrations for now. Fingers crossed

If you’re a site admininstrator, there should also be a menu called “Admin Options” when you’re on any profile.

In this menu, there are links to edit a user’s profile and avatar, marking the account as spam and deleting the account.

JImgroom, how did you hack the theme? I’m having the same trouble.

.. I forgot to add, we’ve also disabled blog administrators from adding new users

I’m getting about 50 spam registrations a day on one client site since the start of this week.

We’ve modified the register slug, changed text on the register page, deleted the wp-signup.php file, and implemented the following in our .htaccess file:

# BEGIN ANTISPAMBLOG REGISTRATION

RewriteCond %{REQUEST_METHOD} POST

RewriteCond %{REQUEST_URI} .join-lorem*

RewriteCond %{HTTP_REFERER} !.*mydomain.com.* [OR]

RewriteCond %{HTTP_USER_AGENT} ^$

RewriteRule (.*) http://mydomain.com/spam-prevention [R=301,L]

# END ANTISPAMBLOG REGISTRATION

Still the spammers are getting through.

Turning off blog creation / new user registration is not an option… otherwise, there would be no point in trying to offer a blog platform / social community.

Asking users to wait until their application to join is approved, or asking them to fill in additional fields at signup will just hamper the chances of them signing up and using the site.

Anyone have any suggestions?

I don’t want to tell clients: “we’ll build on BuddyPress for you, but you might have to remove 100s of spam blogs every week”

Note: the problem is worse than just the backlinks they create, it also reflects badly on the professionalism / appearance of your site, as their spam posts show up in activity streams, in aggregators (such as showing recent site wide posts and so on).

This is a serious problem.

Note: a lot of these registrations come from a small number of IP addresses, is there anyway to block certain IP addresses from registering?

sorry, I have missed that this has been posted in the “ideas forum”.

I am definitely not against any new features & Supergroups is a great idea from Bowe.

Thanks for outing me as a spammer

Why are you spamming every feature request post erich73?

This the “Ideas” forum, and it where people post new ideas. Just because you have your opinion that devs should “stop all new features” that doesn´t necessarily mean that everybody shares your opinion. Please stop forcing your opinions on others….

@Michael Removing via CSS is not the same as dealing with it server side. CSS is simply a presentational language which is applied to the DOM, in order to have been able to remove via CSS requires that the elements had been outputed by the server, i.e sent to the browser; the form elements still exist. If grabbing the page using CURL or some similar means you would have that section of the form available.

Wrapping the form section in a php conditional means that as normal the file is passed to the parsing engine to process and compile into the final file to send to the browser, it sees my instruction to ignore that section so simply never includes it in final output.

I do not claim this is the best approach but it works, I do not want users to take a blog initially I would rather it a considered decision once members. Using this approach I have had no further spam blogs (other than real human twits signing up) still get user signups but at least no blogs are created.

@Andrea_r

Thanks wasn’t aware of that plugin, however do think that given the options exist exist in the backend that they could have been better thought through or even simply better worded.

“As there were no sensible options for allowing users to signup but not take blog until a member “

There’s a plugin for that:

http://wpmututorials.com/plugins/socialpress-user-signup-plugin/

Yes – I did it once in a similar way by removing it with css…

I just noticed I failed to read you entire question there. Correct, they will target wp-signup.php and you can modify this file name too, if you wish. It is a bit involved though and may I suggest this article if you would like detailed information about how to do so ~ http://wpmu.tripawds.com/2009/12/12/the-ongoing-fight-against-spam-blogs/

keep in mind those instructions are for MU 2.8.6 and if you decide to edit wp-signup.php ~ don’t forget to change it in these places ~ wp-signup.php, wp-login.php,wpmu-settings.php and bp-core/bp-core-templatetags.php

Have to admit I had no idea there was another registration.php page and it would have never have occurred to me to look in the bbpress folder.

This kinda worries me really why is this required and also a password reset file, it feels as though it’s a bad hangover from earlier days and ought to be removed.

Is it not time that this bbpress thing be integrated fully or at least forum capabilities simply part of BP core .

I have deleted this registration file and will be interested to see if it clears up the remaining few spam signups still being received

@Michael

The options for account registration control are odd and do not do what they suggest (I mentioned that on another thread, but it’s a WPMU issue!)

As there were no sensible options for allowing users to signup but not take blog until a member I simply saw little choice but to remove the section of the form that dealt with the blog signup so I wrapped the fieldset in a conditional that just checked whether I had set a variable to disable or allow thus preventing that section from being returned from the server.

I found this plugin and it seems to allow you to moderate new users I think this will help everyone a lot:

http://webdevstudios.com/support/wordpress-plugins/buddypress-registration-options/

All in all, here’s my approach that I use on MU/BP sites ~

1) modify the register/register.php wp-signup.php hardcoded default text and url slugs.

2) enable xprofile and require additional fields upon registration.

2) use a captcha ~ i’m fond of ReCatcha

3) make sure you and check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page. ” in wp-admin/wpmu-options.php “Admin > Site Options”

4) I ban or limit the registration domains (also in Admin > Site Options) so that the commonly used spammer domains are blocked from registration and then I add an email contact for owners of these addresses to manually request registration. I hide the email address from bots with HiveLogic EnKoder

5) I then firewall off entire blocks of IP’s from my servers from commonly used spammer IP ranges you can find at sources like spamhaus.org .. and considering that these are one language sites, the need for access for the IP blocks on the pan asia network or eastern europe are unlikely. If you have a multilingual site, this might cause issues to very few users. Cpanel, Plesk, BSD, etc have tools to do this.. if you’re on a shared server, ask your hosting provider if they can do it for you, and they may be likely doing it already.

6) I also recommend using Askimet.