Anti-spam techniques…
-
Hey all,
Just thought I’d share a few anti-spam techniques with y’all – including one or two that I haven’t (despite a whole bunch o’ searchin’) found elsewhere…
http://mattts.net/development-stuff/web-development-stuff/wordpress/buddypress/anti-spam-techniques/
Have an appropriate amount of fun :)
Cheers,
Mattt.
-
Those seem like some great tips, especially the last two. Thanks for sharing!
@mattt55
Good info, thank you for sharing!
@mattt55
Hi, I used your 3rd method registration honeypot to create a small plugin. I don’t really know how to test its effectiveness but here is a link for anyone that is adventurous and would like to give feedback to that effect:
https://github.com/bphelp/bp-spam-killer
Credit goes to @mattt55 for the code and idea.
I could not get the 4th method using jQuery to work. It always sends every user to the spam-prevention page. If you can give more detail as to how to get this working I would like to use both methods in one plugin for better spam registration prevention. Thanks!
Please don’t give me any credit for the honeypot idea – I got that one from someone else (I don’t remember who or where) and I probably almost completely copied the code as well…
The 4th method (jQuery, cookies and the “10 second rule”) is, as I indicated, torn from an existing project and strung back together in a way that (despite not being tested) is intended to work. It probably doesn’t at this juncture :)
Let me know how you went about it and what’s happening, and I’ll try to help you get it working. It seems (today) to be the killer method for curbing the spam :)
Cheers,
Mattt.
@mattt55
Well, I gave you credit because you were my source. If you ever come across the original author then I will credit them. As for the jQuery method see:
http://pastebin.com/kzxCqSb8
I added a _inc file to the plugin that contained the my.js file. See line 33 as to how I implemented it. Really not sure what I did wrong so have a look and see if you notice any errors.
@mattt55
Per your request I removed your credit for the plugin.
I’d buy that for a dollar!
:)
@bp-help – I tested your plugin and for whatever reason on my site it prevented good registrations. I will isolate exactly why that is on my particular site.
@matt55 – I did some more research and built on your .htaccess code. A PHP error was occurring due to using Server Protocol so per jdMorgan “the htaccess Master” :) the better condition check is The Request.
Special thanks to jdMorgan, a true htaccess Master.
# BuddyPress Anti-Spam Registration
RewriteCond %{REQUEST_METHOD} ^POST
# only match the register page URI
RewriteCond %{REQUEST_URI} ^/register/$
# domain referer is better than IP - allows for subdomains
RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
# Blank or single hyphen user-agent spoofers or curl
RewriteCond %{HTTP_USER_AGENT} ^(|-?|curl)$ [OR]
# HTTP request header
RewriteCond %{THE_REQUEST} HTTP/1\.0$
RewriteRule ^(.*)$ /spam-prevention [R=301,L]
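How Apache combines the five conditions in the rule set above (consecutive [OR] conditions form one group, and the groups are ANDed together), modeled in Python as an added example that is not part of the original post. The sample requests and the helper names `redirected`, `request` and `evaluate` are constructed for illustration.

```python
import re

# (server variable, pattern, negated, has [OR] flag) copied from the RewriteCond lines above
CONDS = [
    ("REQUEST_METHOD", r"^POST", False, False),
    ("REQUEST_URI", r"^/register/$", False, False),
    ("HTTP_REFERER", r"^.*ait-pro.com.*", True, True),
    ("HTTP_USER_AGENT", r"^(|-?|curl)$", False, True),
    ("THE_REQUEST", r"HTTP/1\.0$", False, False),
]

def redirected(req):
    """True if the RewriteRule would fire and send the client to /spam-prevention."""
    chain = False  # running result of the current [OR] chain
    for var, pattern, negated, or_next in CONDS:
        hit = re.search(pattern, req.get(var, "")) is not None
        chain = chain or (hit != negated)
        if not or_next:      # chain ends here; chains are ANDed together
            if not chain:
                return False
            chain = False
    return True

def request(method="POST", uri="/register/", referer="https://www.ait-pro.com/register/",
            ua="Mozilla/5.0 (constructed)", proto="HTTP/1.1"):
    """Build a constructed request as the variables mod_rewrite would see."""
    return {"REQUEST_METHOD": method, "REQUEST_URI": uri, "HTTP_REFERER": referer,
            "HTTP_USER_AGENT": ua, "THE_REQUEST": f"{method} {uri} {proto}"}

# Constructed sample requests, not taken from the thread's logs
SAMPLES = {
    "browser form submit": request(),
    "browser, Referer stripped": request(referer=""),
    "empty User-Agent": request(ua=""),
    "HTTP/1.0 client": request(proto="HTTP/1.0"),
    "GET of the form": request(method="GET", referer=""),
}

def evaluate():
    """Map each sample name to True (redirected) or False (allowed through)."""
    return {name: redirected(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, blocked in evaluate().items():
        print(f"{'REDIRECT' if blocked else 'allow':8}  {name}")
```

A real browser whose Referer header is removed by a privacy setting or proxy is redirected as well, which is worth checking first when valid registrations fail behind this rule.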
@aitpro
Are you using the plugin on github?
https://github.com/bphelp/bp-spam-killer
Or are you using the code on pastebin, with which I could not get valid users registered either?
http://pastebin.com/kzxCqSb8
On my test server the github plugin allows registration for valid users but I am not really sure how effective this method would be at preventing spam registrations. Any feedback is appreciated!
Yep, I downloaded it from github. I have a bunch of customized security things going on so most likely one of the other security measures I have in place is causing the issue/problem. I will figure this out tomorrow when I have some more spare time.
Lately the Spam Registrations were getting way out of control – 1 per minute – so I had to get something in place quick. Yuck.
@matt55 – The PHP errors still continued so it was not due to using Server Protocol. I am not exactly sure what action the spammers are doing in combination with the .htaccess code that is generating the PHP errors, but for now I just suppressed them by adding an @ symbol in front of strstr below until I can analyze this some more. /buddypress/bp-core/bp-core-template.php code line 864.
if ( !empty( $page_template ) && @strstr( strtolower( $page_template ), strtolower( $component ) ) ) {
@aitpro
Yeah spam is no good and can get out of control real quick. JFYI on my test server when I pull up the source I can see where the plugin creates the hidden field but like I said I honestly don’t know how effective this method would really be at preventing spam registrations. I just threw it together as a plugin merely out of boredom. :)
What is awesome is this. The spammer registration counts as a new registered member, but the “new member registered” notification in the Activity feed does not display the spammer. Thanks spammers. LOL
This jack@$$ is the worst of them, but now I get credit for a new registered member and do not have to deal with anything else. I now love this spammer. Keep on spamming you make me look good. Ha ha ha.
Not Locked 3678 Affekagf vrvivyey i.nst.inctmocu@gmail.com subscriber May 17, 2013 12:51 pm NA 59.60.112.49 49.112.60.59.broad.pt.fj.dynamic.163data.com.cn /wp-login.php
Not Locked 3677 skdiejdbokg ypxridnj bar.r.elbxme@gmail.com subscriber May 17, 2013 12:51 pm NA 59.60.112.59 59.112.60.59.broad.pt.fj.dynamic.163data.com.cn /wp-login.php
Not Locked 3395 Alioizadk qxftzRepgb floo.dbnwk@gmail.com subscriber May 17, 2013 12:53 pm NA 59.60.112.92 92.112.60.59.broad.pt.fj.dynamic.163data.com.cn /wp-login.php
Status update:
This htaccess code reduced the number of Spam Registrations from 1,500 per day to 50. So now to figure out how the other 50 Spam Registrations are being performed. :)