BuddyPress.org

I had a similar issue, and this is how i fixed it. Maybe it will help.

BTW, using WPMU 2.8.4a and BP 1.1.1.

bp-core-classes.php: around line 224:

$total_users_sql = apply_filters( ‘bp_core_users_by_letter_count_sql’, $wpdb->prepare( “SELECT DISTINCT count(u.ID) FROM ” . CUSTOM_USER_TABLE . ” u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE u.spam = 0 AND u.deleted = 0 AND u.user_status = 0 AND pf.name = %s AND pd.value LIKE ‘$letter%%’ ORDER BY pd.value ASC”, BP_XPROFILE_FULLNAME_FIELD_NAME ), $letter );

$paged_users_sql = apply_filters( ‘bp_core_users_by_letter_sql’, $wpdb->prepare( “SELECT DISTINCT u.ID as user_id FROM ” . CUSTOM_USER_TABLE . ” u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE u.spam = 0 AND u.deleted = 0 AND u.user_status = 0 AND pf.name = %s AND pd.value LIKE ‘$letter%%’ ORDER BY pd.value ASC{$pag_sql}”, BP_XPROFILE_FULLNAME_FIELD_NAME ), $letter, $pag_sql );

For me, it was the pf.name in the WHERE that was coming back with nothing. I understand the MYSQL, but not understanding the logic behind that. I changed it to what I was hoping to nail in the first place:

$total_users_sql = apply_filters( ‘bp_core_users_by_letter_count_sql’, $wpdb->prepare( “SELECT DISTINCT count(u.ID) FROM ” . CUSTOM_USER_TABLE . ” u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE u.spam = 0 AND u.deleted = 0 AND u.user_status = 0 AND pf.name = ‘Last Name’ AND pd.value LIKE ‘$letter%%’ ORDER BY pd.value ASC”, BP_XPROFILE_FULLNAME_FIELD_NAME ), $letter );

$paged_users_sql = apply_filters( ‘bp_core_users_by_letter_sql’, $wpdb->prepare( “SELECT DISTINCT u.ID as user_id FROM ” . CUSTOM_USER_TABLE . ” u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE u.spam = 0 AND u.deleted = 0 AND u.user_status = 0 AND pf.name = ‘Last Name’ AND pd.value LIKE ‘$letter%%’ ORDER BY pd.value ASC{$pag_sql}”, BP_XPROFILE_FULLNAME_FIELD_NAME ), $letter, $pag_sql );

Works fine for me. I’ve heard the latest edge version of BuddyPress fixes this somehow… but this worked at install for me so something must of changed. I have ALOT of custom profiles and the member import was a-typical so maybe in my case that had something to do with it.

Some member profiles on my site are starting to become garbled …

The way you state the issue, you make it seem as if members’ profiles that were once correct are being changed into a “garbled” set of strings. However, if what you mean is that new registrants profiles appear as garbled strings, then I would assume it is spam as well.

First thing to do is upgrade to the latest WPMU and make sure you are using some form of anti-spam protection–Akismet, captchas, etc. Also, spammers many not be the only unwanted entities targeting your site. If you are not using the latest version of WPMU, then you are greatly exposing your site to attacks from more malicious parties who target older versions of WP, exploiting any recently-announced security issues in older version.

Next, you will want to upgrade BuddyPress to the latest version. Once you’ve done that, you will need to update your theme to work with BuddyPress. you can either do that yourself or contact the designer of your theme to find out if the theme you are using works with BP 1.1.2.

More information about theme changes in BP 1.1.x:

https://codex.buddypress.org/how-to-guides/upgrading-a-buddypress-1-0-theme-for-buddypress-1-1/

Yep, that’s spam. Seeing quite a few of these, with the ‘real’ name and realish email address.

BeLogical… I am also unable to beat those suckers. But unless u have tons of registrations, you may want to follow what may be my final option, and that is to install a separate registration form, may be even a simple email form, and then select who I allow in and who I should delete. This means disabling WPMU/Bpress registration at this stage. This way at least, I can check my email in the evening and inform those allowed. Otherwise, I spent my entire week checking my blackberry only to notice a mountain of unwanted blogs. If you are looking for a simple free email form with the ability to include attachments (like avatar), I’ve tested this one and it is just a one minute install and works just fine. http://www.maianscriptworld.co.uk/free-php-scripts/maian-mail/free-contact-form/index.html – At least I may (not sure yet) get spammers in my inbox as opposed to allow them in.

@chouf: hmmmmm, ok. By now it’s getting worse… not because of your htaccess-thing, but it doesn’t really seem to do anything. Did I get that right: I just take the code above as it is and that should do the trick?

They keep on coming. Thsi should really get some attention from Andy & JJJ. Just check out the http://testbp.org website. The entire homepage is 9and has been for at least several days) filled with spam (from sidewide activity), so they apparently cannot stop it either.

It is not a good sign to have the public testsite full of splogs and spams methinks, but at least it is truthful as it shows what it is like: BP & MU attract spammers who cannot be stopped easily…

@michael -> de nada

Attempt will continue a few days after you did changes. The time spam robots refresh their attack strategy, heu, their cache…

I couldn’t say to you “be patient”, i know you are, but…wait a little ? This is not Nescafé, but computing…

count me in…

brentschroeder1963

Some month ago, I change my registration process, and become spam free.

Just sometimes, I had a spam registration, but thy never had a user role.

Also I never get a registration mail.

And they not able to create a blog, or even post.

But this morning I have a new user: brentschroeder1963

Also with registration mail, a new blog …..

brentschroeder1963

“if he does get to a new version, that we have the option of suppressing the flurry of emails sent to the user when the Welcome Pack kicks in (or maybe there’s an easier way”

Hehe, when we first enabled the plugin on one of our sites, it created a mail queue so long, that due to our host’s spam-prevention mail limitations, it took three days to send out all the mails. Not a complaint though, Achievements is a fun plugin, and we have it on three of our installations.

Back on topic though. There was a forum post somewhere about how to write defaults into a plugin, but I can’t find it. Any ideas? I might just use Welcome Pack for self-educational purposes, but need it to do some more specific things.

Thanks Chouf

I just implemented the code above (just like it is, is that correct???) a couple minutes ago… Since then I already have to spam-registrations and blog-creations…

So, I will try the wp-ban also…

I have had the same issues as you all these summer.

Since approx. 2 mounth i have nomore fake user or fake blog. And no spam too !

I erased daily and manually all spammer reference in my DB. Mail adrress, blog content, names and so on… An endless job with no success at least. And i don’t use Askimet. I can’t explain why (or only in french), but i don’t.

I’ve installed wp-spamfree (who blocked 45 spam comments since i installed it in july), invisble-defender (who blocked 76 spammer in the same period) This is really less

I use also wp-ban, here i have given some ip ban’s instructions, banned some referrers like these:

http://*.onlq.com

http://*.myspacee.info

http://*.host-a-site.info

and some wildcarded user agents like zhanglingjuan*

in my htaccess i have this, wich is very powerfull(i think it is this who reduced mostly my spammers)

Test it and see in your log file how many “libwww-perl” call you receive in a day and see what is in the url. You will stunning !

# Blocking access from libwww-perl, and blocking urls that include “=http:” to eliminate bot attacks



RewriteCond %{HTTP_USER_AGENT} libwww [NC]

RewriteRule ^(.*)$ - [F,L]



RewriteCond %{HTTP_USER_AGENT} www-mechanize [NC]

RewriteRule ^(.*)$ - [F,L]



RewriteCond %{REQUEST_URI} !(wp\-login\.php|\/wp\-admin\/) [NC]

RewriteCond %{QUERY_STRING} ^(.*)=http [NC]

RewriteRule ^(.*)$ - [F,L]



# END ANTISPAMBLOG REGISTRATION

I don’t have that sentence in my footer, but same problem. They come past the captcha. I deleted the wp-signup.php. Changes nothing. Htacces-Trick doesn’t help.

I would be also very interested in a solution!

Same problem,started about a few days ago. Bots are signing up a few times a day, firstnamelastname19xx.

Interesting is that I notice in my stats some ip found my site by searching for “proudly powered by WordPress MU and BuddyPress”.That could be a reason that this particular bot is finding and attacking bussypress installs.

If this bot is getting past Captcha, I would recommend applying a reverse Captcha technique. Just do a bit of Googling on this, it uses a hidden field as a honey pot which bots will fill in, but normal users will not. When filled in you can redirect them to a page of your choosing.

Please report your findings and how you deal with this as it would be very helpful.

Me too. Same issue. They even tick a checkbox and get past a Captcha . BP User ID and required text field entry contain a short random string like A6vLtHqlgT.

The .htaccess modification described by D’Arcy Norman doesn’t work in these cases.

Make that 6.. oh, and they are all from different IP’s as well, so wp-ban also does not much good.

Yep, I had 5 like these today and several before past weeks:

firstnamelastname19xx as usernames, all from different email domains.

They did not post, but also did not have much time to do so.

I mark them as spam immediately, but am tired of doing so, so hope a splog solution is nearing…

how about checking all blog posts and all pm to akismet/typepad antispam?

only certain trusted group are excluded.

or perhaps after the user post a dozen good, non-spam content…

oh yes, there is an entire industry in especially central Asian countries (Bangladesh is huge) where halls of people solve captcha’s for $1 per 1000-5000 captchas.

See http://ha.ckers.org/blog/20080311/human-captcha-breaking/

Don’t forget to read the last 5 comments or so

Though I am in favour of having spammers employ and pay poor people in Asia, I hate spam even more and have abolished all captchas from my site as still too many people cannot read them, so it is chasing people away. And, as the link above proves, they do not help anyway.

possibly, there exist new semi automatic method?

a spambot that present to human a captcha so that the spammer only need to enter the captcha and everything else is automatic…?

@ Peter – sure certainly not, but each incoming door need to be monitored

since i use the trick i have no more splogs or spammer registering !

wp-ban works nice, invisible defender also and wp-spamfree did correctly his work too….

a little additionnal htaccess hack and the wp-login file hack make things going right for me.

I put some emails in the wp ban admin but i don’t know if this works correctly.

I didn’t use captcha or similar techniques.

Unless you have 1 million splogs sign up a day, you can always manually check and delete each splog. Trust me, you can discourage spammers to splog you, but you won’t be able to get rid of new spammers and new splogs. Unless you have a smart programmer that programs a good algorithm in recognizing splogs and spammers, but it probably gonna cost ya big time.

r-a-y, I’d like to try the .htaccess solution, but the instructions are very ambiguous:

# BEGIN ANTISPAMBLOG REGISTRATION

RewriteCond %{REQUEST_METHOD} POST

RewriteCond %{REQUEST_URI} .yourbpsignupslug*

RewriteCond %{HTTP_REFERER} !.*yourhomedomain.* [OR]

RewriteCond %{HTTP_USER_AGENT} ^$

RewriteRule (.*) http://die-spammers.com/ [R=301,L]

# END ANTISPAMBLOG REGISTRATION

Should I leave the dots (.) and stars (*) around ‘register’ and ‘mywebsite.com’?! What would be mybpsignupslug if I have the registration form on my homepage as well as /register?