3635122Inactive
Hi
I posted this 3 days ago and received several responses (thanks!) but never received a follow-up on my question regarding how/where I go to check the wp-signups or wp-users thingie.
Also, I was hammered again by a spammer/bot yesterday and this time, it wasn’t through FaceBook. Any ideas on how/why this is happening and what I can do to prevent it from happening again in the future?. For more info/details, please scroll up to see my origin post(s).
Thanks again, Steve
All of the *Press forums use Akismet. When you have as much activity as these collective forums get, you’ll have the occasional false positive from time to time. The algorithm that Akismet uses is always being adjusted to accommodate for this, but thankfully as we unmark posts that were incorrectly marked as spam, it learns as it goes and usually doesn’t happen again for that user.
Hey John,
Regarding the spam comment, do you know if these forums are using the bbPress Akismet plugin?
You bet. Some of your posts were getting marked as spam, along with some other users. Happens from time to time. I’m marking as resolved.
Perhaps, but personally I dislike spam inviter tools (see what I did there?).
3635122Inactive
Hey, thanks for the replies.
Looks like you folks may be onto something. How/where do I go to check the wp-signups or wp-users thingie though?. Is this something I can check from the admin center?.
Thanks again!, Steve
Some people have suggested installing WP Hashcash to block signups, though I haven’t tried it myself.
But you’re saying that someone signed up on your BP install with the Facebook Connect plugin?
So it sounds like a problem with the FB plugin… not sure though.
Sounds like DJPaul suspects the same thing!
FB-Connect isn’t my favourite bit of software in the world as I spent some time checking out the code once, so there may be a hole there. </randomguess> Certainly my money is on a plugin.
Have a look at the record in wp-signups or wp-users; any clues or differences vs a user who registered properly? Any clues?
Totally clear. Thank you so much!
When you are installing Buddypress, the only plugin you want in your /plugins folder is buddypress itself. Nothing in /mu-plugins either. Your plugins which run on buddypress are causing this error.
I have a few plug-ins running, but without the admin back end working, I can’t deactivate them. Can I place them in a separate folder temporarily without causing even more havoc? i.e. welcome pack, monty spam, wp ban, limited log in attempts, askimet, etc.
Hey Jfcarter,
Sorry for not being clear there.
If you’re using the default BP member theme, I replaced instances of bp_send_message_button with the newly, created bp_send_message_to_friend_button in these files:
* /bp-themes/bpmember/activity/just-me.php
* /bp-themes/bpmember/wire/latest.php
* /bp-themes/bpmember/profile/index.php
Keep in mind that if you’re using a different BP member theme, that those template links might be different.
Hope that was clear enough!
@r-a-y,
Thanks for this information. It was a manual signup.
I like what you’ve suggested and plan to use the code in my bp-custom file.
But what did you mean by this: “Then I edited the template files mentioned above with the new function call – bp_send_message_to_friend_button().”?
What exactly did you add to the templates, and which templates were you referring to?
Much, much appreciated.
Thx
I liked this idea, so I implemented it on my BP install.
I decided to do step #2.
Here’s what I added to my /wp-content/plugins/bp-custom.php:
function bp_send_message_to_friend_button() {
global $bp;
if ( bp_is_home() || !is_user_logged_in() || !friends_check_friendship($bp->loggedin_user->id,$bp->displayed_user->id) )
return false;
$ud = get_userdata( $bp->displayed_user->id );
?>
<div class="generic-button">
<a class="send-message" title="<?php _e( 'Send Message', 'buddypress' ) ?>" href="<?php echo $bp->loggedin_user->domain . $bp->messages->slug ?>/compose/?r=<?php echo $ud->user_login ?>"><?php _e( 'Send Message', 'buddypress' ) ?></a>
</div>
<?php
}
Then I edited the template files mentioned above with the new function call – bp_send_message_to_friend_button().
Now, the “Send Message” button only shows up if you are a friend of said user.
I’ve added a trac ticket about this issue as an enhancement, so maybe the above change will be built into the bp_send_message_button() function in the next BP release instead of having to add your own function.
—
There’s still the autocomplete feature in the “My Messages > Compose” area, as well as the wire and group wire to worry about though… one step at a time!
Is this a bot or a manual signup who manually sends messages to the users?
Anyway, the way I see it, there are two ways to combat this problem in the interim:
1) do a check to see if the logged-in user is a friend of that user, if so run the bp_send_message_button() function
2) code own function based on bp_send_message_button() and do the check within this function
Either option will require modifying the Buddypress member theme template in three places:
* /bp-themes/bpmember/activity/just-me.php
* /bp-themes/bpmember/wire/latest.php
* /bp-themes/bpmember/profile/index.php
(I’m using the default BP member theme as an example)
This is only for the “Send message” button though… how did the person spam your users?
John – thanks for the reply!! 
I’ll check with my host about the memory… that’s something new to me… hmm.
All the files are in the correct locations, triple and quadruple checked. Buddypress 1.0.2 was working fine, it’s the upgrade to 1.0.3 that caused this. It was never activated, got a fatal error on activation so I clicked deactivate and then POOF. It said that it could not activate the plug-in when i clicked activate. But, white screen of death before I could try to delete it or do anything. It really didn’t like that update.
I have a few plug-ins running, but without the admin back end working, I can’t deactivate them. Can I place them in a separate folder temporarily without causing even more havoc? i.e. welcome pack, monty spam, wp ban, limited log in attempts, askimet, etc.
Just really want to get my blogs back in action. Don’t want people hating on me for losing all their data… although data is all still there, it’s just invisible. bizarre indeed!
Thanks so much for responding. really appreciate it.
3635122Inactive
The FB-Connect issue was successfully addressed by removing the $DIM variable from fbconnect.php. However, this no longer seems to be effective and the error message I’m receiving seems to be complaining that out of 5 variables in fbc_get_avatar(), one is missing ie;
Missing argument 5 for fbc_get_avatar()
There are 5 variables here and I’ve removed one. However, even if I replace it so that there are now “5”, I still get the same error.
– Steve
Nope, Im afraid there´s not a newer version.
1.1 was coded by Andy himself, and there are no signs that it is going to be updated. He has made clear many times that its up to Buddypress community to continue with the update of Facebook connect plugin.
If I had coding skills, I would have updated it a long time ago, but I am still busy understanding how BP works ! ;-(
3635122Inactive
Hey, thanks for all the great help!.
I’ve installed reCaptcha and it works good. Won’t reCaptcha interfere with Askimet though since they are both anti-spam plugins (just wondering)?.
I couldn’t find any place in the latest version of BBPress to disable new registrations. Where would I go to find this option?.
I’m still stumped on the FB-Connect error. I’m currently using version 1.1. Is there a newer version (or an easy-to-install patch available?.
Again, thanks so much, Steve
If you have disabled registration on your WordPress MU installation, and users are still signing up, you may have forgotten that if you are running group forums you have a bbPress installation that synchronizes users with the WordPress MU installation. Disable registration in bbPress and you should be good to go.
the fbc_get_avatar() error is from the facebook connect… it’s been addressed somewhere else in the forums. ..it’s been fixed. The spam.. the user “LnddMiles” is not just on buddypress sites, so it’s a spambot that looks for open registrations.
You should add a captcha or math problem to your registration page to divert these.
It’s important to note that BuddyPress is an opensource project, just like all of the other WordPress related ones. That being said, if you find something isn’t working up to your expectations you are free to develop or contribute to the project to make it work how you wish. As it stands today, BuddyPress does a good job of keeping tidy and cleaning up after itself; better than most plugins in my opinion. The signups table is specific to MU and is a new addition, so you can expect it’s functionality to be misunderstood. When a user is deleted, the idea is that their signup remain in the signups table as proof of their previous registration. One could even argue that removing all user data is a bad idea in the event someone ever needs it later, say for law enforcement purposes.
Regarding blocking spam registrations, read some articles about Twitter. Some analysts have said that nearly 50% of all registrations on Twitter are spammers. Crazy eh? There just isn’t a fool proof way to prevent it from happening unfortunately.
Also, while none of the moderators are directly employed by Automattic, it’s about the best internship I think anyone in our respective businesses can hope for. We all do our best to represent Automattic and are here to help to the best of our abilities.
If you can find a specific bug or flaw in how users are currently managed between BuddyPress and WordPress, you’re welcome to respond here or file ticket in the trac. If you feel your opinion warrants more attention you can message me privately if you’d like also, and I’d be happy to help further.
I really do appreciate all the work you do. I’m just really frustrated with the lack of synchronization and consistency between Buddypress xprofile and WordPress users/usermeta etc. Automattic needs to take a serious look at member management.
FYI, here’s the response from the WPMU forum:
Because if a spammer signs up, for instance, and you delete their username and blogs, if their registration member is also deleted, then they can sign up again.
I’m not satisfied with that answer. There must be cleaner ways to block/blacklist spammers.
Isn’t there a plugin that deletes users more thoroughly?
Spam signups != comment spam.
Isn’t Akismet keeping the SPAM away?
No I turned of caching. For instance, I just deleted a bunch of spam registrants. The last spam registrant with a blog, their theme is taking over my home page. I don’t have any posts in my root blog.
