Skip to:

BuddyPress Spam

  • wordpressfan


    I’m about ready to ditch BuddyPress. I installed the latest trunk and have the BPDEV anti-spam component with a captcha. Still, people continue to register, bypassing required fields.

    The least that could happen is either BuddyPress become compatible with Akismet or enable some registration approval step, where an admin could delete accounts with empty profiles before they go “live.”

Viewing 25 replies - 1 through 25 (of 87 total)

  • r-a-y


    Hey wordpressfan, understand that BuddyPress runs on top of WordPress MU so any spam issues are still, at its core, a WPMU issue.

    The WPMU readme.txt has some info on how to counter spammers: (read line 165 and on)

    For the Darcy Norman link, use WPMUTutorials’ variation for BuddyPress:

    Also, for your suggestion on moderating signups, WPMUTutorials also has an article on that:

    Read the last comment in that post for info on modifying the article’s instructions for BuddyPress.

    You might also want to check out SI Captcha:

    The beta version has support for BP as well.

    Hope that helps in some way!



    Just an update, Matt Kern just made a post on the BP forums about his manually-approve signup plugin for WPMU:



    @r-a-y: I added the .htaccess commands to avoid robot registrations. We’ll see how that works.



    I use reCaptcha with askiment in a bundle, well….i will see the result after launch the site ;-)



    Askimet does great catching spammers comments on regular WordPress installations, but WordPress MU is commonly the target of spam registrations, which is my problem. I tried reCaptcha and the same day had to delete spammers.

    I’m hoping a future version of BuddyPress or WPMU will include finer security, allowing admins to block access to only humanly-registered users, rather than either shut off all registrations. Another possibility would be to follow the example of WordPress and allow admins to relocate or rename the registration component.



    @ wordpressfan

    Did you read this post ?

    I give a solution. Not perfect but it works



    I read your example. I need something with a wider net. First off, the robot registration never leave an e-mail address. Unlike WP comment spam, WPMU registration robots appear able to bypass required fields, including e-mail address.

    I receive e-mails announcing new registrations that contain only IP addresses. Meaning I would need to include hundreds of IP addresses in your code.

    The real solution is somehow create a bullet-proof required registration field or move the registration page behind a firewall. I’ve seen single-user WordPress installations that move the wp-admin or wp-signup pages to avoid robot attacks using the default name and location of these pages.

    Ruth Maude


    I’m struggling with a lot of spam registrations.

    – a lot list country entry as random characters “Ot9XLfiFD7WNCu” Is there a way to set Country so it has to be a legit one?

    – a lot come from email addresses such as “” “” Is there a way to force email confirmation … so they have to receive an email and click on a link to confirm registration?

    – is there a way to mark someone as a spammer and delete them at the same time in the admin?

    Sigh… I don’t have time for this so I may give up.

    Would be nice if a site user can “Flag” a spam entry to disable the user.



    My spammers all sign up with .info email addresses. Is there any way to just block all .info?

    Legitimate members should use normal .com emails, like normal people. ;-)



    I changed the signup page name, stopped all new registrations across all blogs, added to the htaccess page and STILL get signups.

    I asked over at wpmu and they say it is Buddypress causing this and to ask here but I see that BP blame WPMU.


    I havent had a spammer registration since i used the “WMPU block spam by math” plug-in. i was getting 20 a day, and now absolutely zero.



    captcha and math tools do not really help fighting spam.

    spammer register manually and then feed your blog automatically remote via xmlrpc.

    i am running a wordpress mu + buddypress site and had about 40 spammer-registrations a day with lots of spam. then i deactivated xmlrpc via renaming xmlrpc.php in wp-root, result was only user registrations (without content spam). about four days later spammer registrations were reduced from 40 to about three a day (easy to delete), seems that the spam-apps noticed that the rpc doesn´t work and deleted my site from their targetlists, entering their messages manually is to complicated for them….

    Sam Steiner


    Wouldn’t it be cool for a plugin to remove wp-signup.php and xmlrpc.php from a BuddyPress installation in a way that these changes would be kept through an upgrade of WordPress (which now of course replaces the deleted files)?



    Okay! This is pathetic. Spam is a real problem for literally all community websites on the internet. Ever since I’ve updated to WP 3.0, spam has become a pain in the anus! So this is my solution, I’m building a spam prevention plugin that is built in flash. Its all using AS 3.0. I’m having issues with Internet Explorer 6. If you use IE 6 or you don’t have a flash plugin or something for your browser then I don’t care. SPAM IS A PLOBLEM. 90% of the people using my site have flash and don’t use IE6. The 10% have to just deal with it.


    a few things i’ve done

    removed the powered by in the footer (just changed up the wording to WP/BP)
    block the crappy browser MSIE ([3456]).
    block a bunch of bad bots (something like: )
    block a bunch of CDIR ranges (something like: )

    Our site is for one UK county only, so would it be possible to put a rule in .htaccess to block any connections not from the UK? (Not brothered about search engine spiders, as it’ll be local word of mouth advertising). Or, is it possible to just block anyone from outside of the UK from signing-up? That would allow others to read, but not register or post.



    @thelandman maybe build in something like this,

    I read about the plugin in one of my smashing mag books, somewhere.. But they really recommend it. It advises the user to try a different browser if they cant upgrade ie6 due to using windows 2000

    Ted Mann


    Here’s what I don’t understand: All our recent Spam registrations are completely bypassing the BP registration form. I’ve got a tricky Humanity plugin question on there, as well as several required fields. But when I look at the accounts the spammers are creating, they have none of those fields filled out.

    Is there some kind of backdoor registration option in BP or WPMU? How are they getting in?!

    Roger Coathup


    @tedmann – there was a register file kicking around in the bbPress forum files, and I think that was the back door into the BuddyPress system. I don’t know if that issue has been addressed in the latest BuddyPress / bbPress releases.

    We stopped spam registrations almost completely on Hello Eco Living by removing the register file in the bbPress installation, and changing the url of the BuddyPress registration page.

    Thought the stray registration file had been dealt with.

    As well as rename the register slug, rename the footer links as they are searched out in their default form. I also added a rule to htaccess that checked the referer page and if it wasn’t the site chucked the request to somewhere else (do need to make that somewhere interesting) also blocked any CURL requests for the register page, finally made the decision that blogs could not be created during sign up, once registered members could create blogs and this made a difference.



    I had lot of problems to stop spamblogs from signing up than I have installed Buddypress Humanity plugin and its been a month and i have not got a single spamblog signup as this plugin lets you set your own question and answer.



    I have the latest version of buddypress and I had to delete the register.php from bbpress, as is suggested above. This reduced my spam signups from around ten a day to none.

    You’re quite correct it does still exist which I find very odd as I seem to have a recollection of comments that said it would be / was removed.

    Ted Mann


    I’ve got the Humanity plugin running on our site, with a semi-difficult question. Likewise, I’ve done the htaccess trick, register slug, and so on. Haven’t blocked CURL requests (how do you do that?).

    I never configured bbpress for our site. Even if I haven’t done that, is it possible that register.php file is still lurking somewhere on the site? Are there any more drastic measures I can take? We’re getting killed every morning — not just with spam signups, but spam blog posts. Would blocking the offending IPs (quite a few) be a viable solution?

    Roger Coathup


    @tedmann – have a search on your install for the bbPress folder and remove the register.php file. I guess it doesn’t have to be activated for the file still to be there and therefore usable by the spammers.

    It worked like a treat for myself and @footybible

Viewing 25 replies - 1 through 25 (of 87 total)
  • The topic ‘BuddyPress Spam’ is closed to new replies.
Skip to toolbar