All in all, here’s my approach that I use on MU/BP sites ~
1) modify the register/register.php wp-signup.php hardcoded default text and url slugs.
2) enable xprofile and require additional fields upon registration.
2) use a captcha ~ i’m fond of ReCatcha
3) make sure you and check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page. ” in wp-admin/wpmu-options.php “Admin > Site Options”
4) I ban or limit the registration domains (also in Admin > Site Options) so that the commonly used spammer domains are blocked from registration and then I add an email contact for owners of these addresses to manually request registration. I hide the email address from bots with HiveLogic EnKoder
5) I then firewall off entire blocks of IP’s from my servers from commonly used spammer IP ranges you can find at sources like spamhaus.org .. and considering that these are one language sites, the need for access for the IP blocks on the pan asia network or eastern europe are unlikely. If you have a multilingual site, this might cause issues to very few users. Cpanel, Plesk, BSD, etc have tools to do this.. if you’re on a shared server, ask your hosting provider if they can do it for you, and they may be likely doing it already.
6) I also recommend using Askimet.
@windhamdavid – thanks for the hint about bbpress… didn’t know, that the register-file was still there… Now I deleted it (just in case) – although forums are not even activated in my install. By now, still no spammers registering… could be that activating hashcash again did the trick (although I really don’t get it why, for as far as I know it just protects the register-form, right? and it seems, that wasn’t even used…
@chouf1 On the install I am havong troubles with there is NOT ONE spammer for sure. I know all of them personally! In my other install (I have 0 troubles until now, I will check back on that. thanks for the hint)
PS: Chouf1 – wow, do you speak swissgerman 
für ä’biräbitzeli drischnure…
Did you show into the comments or posts on the different blogs ? There are sometimes strange links that can appeal to spammers. Some long post with many links inside or many Viagra words. You see what i mean…
I recently did such a search and find some on my “trusted members” blogs.
für ä’biräbitzeli drischnure…
Did you show into the comments or posts on the different blogs ? There are sometimes strange links that can appeal to spammers. Some long post with many links inside or many Viagra words. You see what i mean…
I recently did such a search and find some on my “trusted members” blogs.
let’s continue this thread over here ~ https://buddypress.org/forums/topic/how-to-control-spam-registration/page/2
and did you try that recommendation regarding bbpress?
I’ve already answered this question.
If you have a spammer with admin access on a blog, they can add new users to that blog. They are then new users in the system since WPMU shares a global users table. So essentially once a spammer has a blog they can get others in.
This is simply the way WPMU works, and if I try and change that, people shout and scream at me. The reality is, if you want to use WordPress MU and BuddyPress along with it, you are going to have to manage this somehow. Otherwise, just use standard WordPress since it doesn’t have these issues.
I don’t quite understand these spam posts since I’ve run ten to twelve mu sites for several (4+) years with no splog/smap exploits (knock on wood) and some of them are outdated installs with very little protection. If buddypress is in fact, the culprit, perhaps it’s related to the registration in bbpress if you have forums installed? @micheal ~ perhaps you should try removing register.php from the buddypress/forums/bbpress/ ~ and/or buddypress/forums/bbpress/templates/kakumei/register.php to see what happens…
I just tested on a local install with no conflicts and thanks for investigating.
Just another little update: To me it seems that there are two different spam-signups (at least )
The ones, that come in through the registration-form
I could handle those with all the tipps (for me this worked best):
– change the slug
– additional-fields
– change some text on the registration-page
– change footer-text
– SI-Captcha didn’t really work, so I used the modified invitation-code-plugin mentioned before
– wp-ban did help, too (often wasn’t really needed – just left it there in case…)
– changing/deleting wp-signup.php (which led me to this connected issue/question: https://buddypress.org/forums/topic/wp-signupphp-redirects-to-registration-slug-why)
The ones, that don’t seem to use the registration-form or wp-signup.php at all
– never had this problem before, so it hit me… Further described here with a open question for me: https://buddypress.org/forums/topic/is-there-a-backdoor-in-wpmubuddypress
– This morning I found out, that I had deactivated the hashcash-plugin because I had comment-issues (didn’t come through anymore). I think the spam-flood came after deactivating it. Right now I have activated it again (just for signups) and no spam came in for a couple hours now (even with deactivated wp-ban, without captcha or invitation-plugin, wp-signup.php still there)
So far my forther journey with this issue
@hnla how did you deactivate blog-signup? If I use that option in the backend, registration does not accur at all. If I choose “only Useraccounts” they cannot create a blog in a second step (no new blogs at all)
Definitely remove the footer link if you haven’t already.
I noticed a issue with spammers using CURL to download /registration so blocked that in .htaccess (It’s been mentioned on a thread somewhere how to)
renaming the slug ‘registration’ is supposed to help.
For me deactivating blog signup improved things significantly. Didn’t need users to be able to register for a blog at initial sign up they can take a blog once they are members.
Despite all efforts and much study and approaches instigated one after the other to gauge effectiveness before adding next one I still am not sure how a few of the automated bots get through, human signups there isn’t much you can do about them apart from delete manually.
All my efforts still result in around 10 signups daily that require dealing with manually.
This is getting worse and worse. I just launched my first BuddyPress site and am getting spammer registrations although I have additional required profile fields and SI Captcha installed.
Sadly, the article mentioned (linked) above is not available anymore (I guess the spammers took down that site) and judging by the responses here there still seems to be no known solution to the spammer problem with WPMU/BuddyPress.
I spoke to someone on Twitter who confirmed that the spam problem started when activating BuddyPress – this would be in contradiction to remarks from Andy, I’m afraid. Anyhow: after reading comments here there seems to be a hole in the system somewhere.
(I guess the spammers have been clever enough not to spam testbp.org )
is there a way to get the member id in a member loop?
<?php while ( bp_members() ) : bp_the_member(); ?>
<input value="<?php bp_member_id(); ?>" name="ids[]"> ids </input>
<?php endwhile; ?>
bp_member_id() is not working, is there a way to achieve this?
otherwise i would have to match the members with their name when doing the database query, and that can be a long string which takes too long to evaluate when compared to an int.
i guess the answer to this question will be an obvious one, as soon as i read it, but right now i am confused
good bye and thanks for all the fish
spammie
I use this plugin instead of captcha:
https://wordpress.org/extend/plugins/invitation-code-checker/
You can set an ivitation-code and everyone who wants to register has to write the code in a registration-field.
I changed the plugin a little bit for my needs so the code to write is seen on the registration-page.
Some of you guys must check your Private Messages …
You must identify the spam blogs and remove them. Once a spammer has admin access they can add new users to that blog. Those users can then create new blogs.
It really is Crazy!!! Where and how do they get in, that they can Register like that? Every couple of minutes One signup…. HELP! Nothing seems to stop them… I Even disabled any registration and they keep on signing up – really Strange to me!
Thanks for another hint
No, actually I was talking about http://www.prisma-online.org – but same thing with the slug. I just guess it’s not that, because if they would come in normally, they would have to put something in the additional field, wouldn’t they? (at least, that’s what they always did before I stopped them the first time…
I now added again the .htaccess rules you described (didn’t change there the changed registration-slug…)
Does that look right (sorry – on that level I have no idea anymore ):
# BEGIN ANTISPAMBLOG REGISTRATION
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .registrieren*
RewriteCond %{HTTP_REFERER} !.*prisma-online.org.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]
# END ANTISPAMBLOG REGISTRATION
The limitation of WP-Ban is that it’s not working at .htaccess level, so it only really does it’s thing if a spammer is polite enough to access your site normally. You might want to look at something like a plugin that’s going to ban IPs and referrers at the .htaccess level.
Also, had a quick look at your site – I presume you’re talking about http://young-people.ch ? I notice your register page is still /register (albeit translated) – have you tried changing this to something else? There’s eevery chance that the mere translation of the standard ‘register’ slug won’t slow the spammers down.
thanks mlovelock – this sounds good. All of this has worked with me before.
BUT now,
even that I have blocked with WP-Ban *.info – the spammers with that email get through
even that I have additional required field (lots of) – the spammers can register just with a name (nothing else)
even that I have changed, deleted (whatever) wp-signup.php – spammers can register
MY QUESTION IS: Where do they get in??? Did I overlook a loophole???
Please – any further help would be much appreciated!!!
I’ve no doubt they’ll return, but I haven’t had a spam signup for a fair while. The odd one creeps in, but you can’t stop a determined ‘real’ person. But I haven’t been subject to the continuous signups I used to get when I first started my site.
The steps I’ve taken are:
Rename (not remove) wp-signup.php
Use custom bp-register slug
Removed “powered by” type text in the footer and other obviously WP / BP phrases
Installed NoSpamNX
Installed WP-BAN
Installed SI Captcha
Employed the .htaccess rules explained here: http://wpmututorials.com/how-to/spam-blogs-and-buddypress/
Nothing’s perfect against spam, but certainly for me, these things have helped.
Update: Even with an “empty” wp-signup.php they are still registering… really strange! Where could they come in, for they don’t need to fill out any required addition fields…?!?! Any ideas????
Sorry to pick that up… I thought I won with the spammers for I did what stwc wrote in his article (by the way – the site there is down 
)
But yesterday until now I got about 100 spam-registrations. I did not delete wp-signup.php anymore, because the “reigster” in the admin-bar anywhere else but on the root-blog needs that file… So I thought it’s not a good idea.
BUT now, the spammers registered with just the name. Although I have alot of additional, required field… How is that possible? I guess, they didn’t come in through the bp-register. Maybe the wp-signup.php directly?
I have forums disabled altogether and as far as I know this issue with registering through bb-press should not be an issue anymore.
Would appreciate if someone could give me a further tipp what to do or where they could come from.
PS: @andy (or the developers): Why is it, that on subblogs the admin-bar “register” doesn’t point to the register-slug but is somehow a redirect from wp-signup.php (which doesn’t work anymore, when I delete or empty the file…)
There is a new plugin I just found called BuddyPress Rate Forum Posts — https://wordpress.org/extend/plugins/buddypress-rate-forum-posts/. I haven’t tried it yet, but I plan to. It allows thumbs up/down voting on Forum posts and in the process users receive “karma points” for the quality and frequency of their posts. So, in theory, spammers would get bad karma scores from other users, and you could search for users with bad karma and then delete them.
