
BuddyPress Spam

  • @wordpressfan

    Participant

    I’m about ready to ditch BuddyPress. I installed the latest trunk and have the BPDEV anti-spam component with a captcha. Still, people continue to register, bypassing required fields.

    The least that could happen is either that BuddyPress becomes compatible with Akismet or that it enables some registration approval step, where an admin could delete accounts with empty profiles before they go “live.”

Viewing 25 replies - 26 through 50 (of 87 total)
  • @hnla

    Participant

    Not sure of the process, but even if you haven’t got bbPress running, locate and remove the file. If spambots are managing to get around hidden fields that should remain empty, it suggests they are not using whatever form that protection is on.

    For CURL, try adding this (but check carefully that things still work!):

    # trap curl registration downloaders - block in allow,deny rules
    SetEnvIfNoCase User-Agent "^curl" blog_spammer
    Order Allow,Deny
    Allow from All
    Deny from env=blog_spammer

    Be careful about blocking IP ranges. It’s a difficult practice, and one that technically you are supposed to notify about in case innocent yet important sites get blocked. You can add further rules to the deny lines above, but unless there is a very persistent IP it’s probably not worth it, and likely spoofed anyway.

    @filmplayer

    Participant

    Is there a plugin that I can use to simply ban certain key phrases in email addresses from registering? Most of my spam signups have the phrases below in their URLs, as well as others; I’d like to simply block all of them from signing up at all.

    buyfioricetnow
    junklessmail
    trophaeum
    picture-movies
    stampfreemail
    supermailpro
    designersmail
    freeeeemail
    hothdvids
    travel1234
    freemailme
    hotbabesonly
    informaniac
    belzy
    watchathf

    @hnla

    Participant

    Oh, there are many more than that. As soon as you start to try and block them, a new address will be used.

    @rogercoathup

    Participant

    everyone wants a plugin to solve this. Remove that register.php in the bbPress folder… go on, trust me, it really helps! :-)

    @intimez

    Participant

    So the other two register.php files should not be deleted? Want to make sure.

    @mark211

    Participant

    FYI, I deleted the register.php file in bbPress last night and I had another 7 spam accounts in the morning, so that didn’t work for me. I then installed Humanity this morning and I’m using it with the SI CAPTCHA plugin, and the two combined seem to be OK so far. I’ll keep you guys posted.

    @rogercoathup

    Participant

    @mark211 – did you change the register slug in BuddyPress as well? Also, did you change the default text that appears on the register page?

    @intimez – I think there should only be one register.php, in your theme’s (or the defaults if inheriting) register folder

    @mark211

    Participant

    @rogercoathup no, I didn’t change the slug or the default text. I’m not a developer and wasn’t 100% sure how to change the slug. I looked at the wp-config.php but it looks a lot different than Andy’s example on BP.org that I read. Would I still change it under wp-config? Andy’s posting is from ’09. I will go ahead and change the default text. I’ll do anything to keep those bot ******* away. lol. So far I’ve been good with the two plugins, even though it looks like overkill to my visitors.
    Side note: I’m having a problem with viewing status on my activity feed. When someone joins the site or posts a notification and I go to click on “view” next to the notification, the page it takes me to has issues with the theme. I assume it has to do with my theme’s template file? Here’s the snippet of code: View. Any thoughts on how to fix it? Thanks.

    @rogercoathup

    Participant

    @mark211 – You can change the slug just by adding the one line to wp-config.php

    define( 'BP_REGISTER_SLUG', 'join-up' );

    This thread tells a little more about potential problems: https://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/defining-new-register-slug-not-working/

    On the View problem – I think you have posted the wrong URL – it gives a 404 error.

    Ask this question as a separate thread in support though. Search the forum first of all though, because I think there are some existing threads on this type of problem (view permalink)

    @mark211

    Participant

    @rogercoathup Thanks for the info. I’ll try some other forums for the other issue.

    @tedmann

    Participant

    I deleted the registration.php file (and have the alternate slug). Still getting slammed with spam signups and posts. Switching to the si-captcha plugin (though I suspect that won’t do anything since the spammers are bypassing the reg form). Any other ideas?

    @hnla

    Participant

    @tedmann Have you added all the tricks mentioned? Changed footer links? Added the referer rule to your .htaccess?

    @rogercoathup

    Participant

    @tedmann – and changed the default text on the register page?

    @antonrsa

    Participant

    si-captcha doesn’t work on my sites. I’m using https://wordpress.org/extend/plugins/wp-recaptcha/ and it seems to stop some of them. Still not a spam free solution.

    @pisanojm

    Participant

    Have you tried the plugin “Humanity”? Also you can try to add an extra xprofile field that needs to be filled in. We validate e-mails on our site…

    @footybible

    Participant

    @tedmann When I had the rogue bbPress register file and I was getting spammers signing up, I could identify them because under ‘Users’ they were listed only as users of their subsites rather than my main site (which I don’t believe is possible through legitimate registration?).

    However, last night I had another such registration. Granted, it’s only one, but I don’t understand how they can sign up for a sub-blog without being added to the main site. Which makes me also worry there is another ‘backdoor’ somewhere….

    @tedmann

    Participant

    I’m using a custom child theme, so the footer copy has been changed. At the risk of inviting more spam, here’s my signup page: http://injersey.com/join-injersey
    I’ve got si-captcha, Humanity, alternate slug, htaccess tweak, and 2 required profile fields. At this point it’s just getting kind of absurd. There must be some kind of backdoor that’s letting them in. Like Matt ( @footybible ), every single one of these spam signups is registering for a sub-blog. Unlike Matt, I offer the ability to register for a town via the Group Registration Options plugin ( https://buddypress.org/community/groups/bp-registration-options/ ) developed by @Messenlehner. Worked pretty well until 2 weeks ago, when we started getting slammed every day at about 2am with spam signups and posts.

    @pcwriter

    Participant

    I was having 5 or 6 sploggers sign up daily no matter what I did until about 2 weeks ago when I revamped my tactics. Since then, I have had 0 spam signups… not one. Fingers crossed ;-) Here’s what I’ve done:

    – Removed references to WP/BP in footer text
    – Changed the register slug to something unrecognizable that has no bearing whatsoever to the concept of signing up (so even those grossly underpaid 3rd-world human spammers can’t figure it out)
    – Installed WPMU Super Captcha to let the nice humans through: https://wordpress.org/extend/plugins/super-capcha/
    – Installed WP-Ban to block the not-so-nice ones: https://wordpress.org/extend/plugins/wp-ban/
    – Installed Buddypress Humanity as a double-check: https://buddypress.org/community/groups/buddypress-humanity/
    – Blocked lists of bad bots in .htaccess as suggested in this post: https://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/buddypress-spam/?topic_page=2&num=15#post-60177
    – Added “deny from all” in .htaccess for wp-config.php
    – If someone does manage to access the register page through a direct URL (without visiting any other page first), they are bumped to a GOAWAY page with the following in .htaccess:

    # BEGIN ANTISPAMBLOG REGISTRATION
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-signup.php*
    RewriteCond %{HTTP_REFERER} !.examplesite.com. [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://examplesite.com/goaway.html [R=301,L]

    So far, so good. As I mentioned, not a single splogger has managed to get through in about 2 weeks. If they do, there are 2 ingredients in the above recipe that can be adjusted:
    – the captcha image is fully customizable to render bot algorithms redundant (hopefully)
    – the register slug can be changed as often as you change socks

    On a final note, there are also some interesting tweaks to be found here: http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/

    @thelandman

    Participant

    @pcwriter. That is quality. Thanks for the tips!

    @tedmann

    Participant

    @pcwriter, you rock. Going to try all of these. Few quick q’s:
    1. With the list of bad blocks, you added all these to your .htaccess file? Is there any downside to having such a lengthy .htaccess? Could you anonymize yours and post it?

    2. What does “Added “deny from all” in .htaccess for wp-config.php” mean?

    3. When you say you changed the “register slug to something unrecognizable,” what sort of thing did you use? Gobbledygook, or just something like “/whats-up”?

    @pcwriter

    Participant

    @TedMann

    This is what I’ve added to .htaccess to block bots:

    # IF THE UA STARTS WITH THESE
    RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]
    # STARTS WITH WEB
    RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]
    # ANYWHERE IN UA — GREEDY REGEX
    RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
    # ISSUE 403 / SERVE ERRORDOCUMENT
    RewriteRule . - [F,L]

    To help block spam registrations, add the following to .htaccess, then create a simple GOAWAY type html page and upload to your root directory:

    # BEGIN ANTISPAMBLOG REGISTRATION
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-signup.php*
    RewriteCond %{HTTP_REFERER} !.yoursitehere.com. [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://yoursitehere.com/yourgoawaypage.html [R=301,L]

    Add the following to .htaccess to deny access to wp-config.php to anyone who doesn’t have your ftp details:

    order allow,deny
    deny from all

    Instead of example.com/register or example.com/sign-up, use something like example.com/unb2x-2010 for your register page. If you were a spammer, would that look like an inviting url to hack?

    Hope this helps :-)

    @pcwriter

    Participant

    Oops! That last bit didn’t post correctly. Enclose the first and last lines in < brackets.

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    @tedmann

    Participant

    Thank you so much, @pcwriter
    I’ve been using IP banning now for two days, and that has virtually eliminated most spam signups. Much as I hate to go that route, it’s great to have something that finally works. Will make the htaccess and wp-config changes today, too. Thanks again.

    @tedmann

    Participant

    So, I have a question re: the htaccess tweak to block spam registrations. If I type http://mybuddypressite.com/wp-signup into my browser, I should get automatically redirected to my GOAWAY page, right? If that’s not happening, am I doing something wrong?

    @pcwriter

    Participant

    @TedMann

    If you’re using the same machine that you normally use to access that page, it’s highly unlikely that you get redirected, ‘cuz as site admin, your IP has already been “goldlisted” and you’re known as one of the good guys.

    To really test if it’s working properly, and there’s no reason it shouldn’t be, try accessing the url directly from an airport or internet café with wifi. Or, better yet, through a proxy server.

    You could also have some fun and try this:
    Set up 2 email accounts at any test site you’ve got going (the weirder the names, the better). From a different IP (another computer), email your wp-signup link from one account to the other, and click on it. If you’ve never sent emails to your buddypresssite from the test site (thus, sender unknown), that access attempt would probably be flagged and you’d probably get bumped. Just my thoughts…
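    Added example (not code from this thread, BuddyPress or Apache): a small Python simulator for the RewriteCond chains @pcwriter posted above (the ANTISPAMBLOG REGISTRATION recipe and the bad-bot User-Agent list), so the question of “what should happen when I try the URL myself” can be answered at a desk rather than from an airport café. It re-implements only the mod_rewrite semantics those rules rely on: an unanchored regex match per condition, “!” for negation, [NC] for case-insensitive matching, and the rule that a condition flagged [OR] is OR’d with the one after it while the groups are ANDed together. All requests and User-Agent strings are constructed for the demonstration; examplesite.com is the placeholder host from the recipe, and the Firefox and Dalvik User-Agent strings are illustrative.

```python
"""Simulate the .htaccess anti-spam RewriteCond chains posted in this thread.

Added example, not from the original thread or from BuddyPress/Apache. It
models only what the rules themselves test (method, URI, Referer, User-Agent);
the sample requests below are constructed, and examplesite.com is the
placeholder host used in the recipe.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    uri: str
    referer: str = ""      # Referer header value, "" when the client sent none
    user_agent: str = ""   # User-Agent header value, "" when absent


# The ANTISPAMBLOG REGISTRATION chain as posted: (variable, pattern, flags).
SIGNUP_CONDITIONS = [
    ("REQUEST_METHOD", r"POST", frozenset()),
    ("REQUEST_URI", r".wp-signup.php*", frozenset()),
    ("HTTP_REFERER", r"!.examplesite.com.", frozenset({"OR"})),
    ("HTTP_USER_AGENT", r"^$", frozenset()),
]

# Three lines from the bad-bot list, one of each regex style it uses.
BOT_CONDITIONS = [
    ("HTTP_USER_AGENT",
     r"^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly)",
     frozenset({"NC", "OR"})),
    ("HTTP_USER_AGENT",
     r"^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack)",
     frozenset({"NC", "OR"})),
    ("HTTP_USER_AGENT",
     r"^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$",
     frozenset({"NC"})),
]


def variable(req, name):
    """Resolve a %{VAR} reference against the request."""
    return {"REQUEST_METHOD": req.method, "REQUEST_URI": req.uri,
            "HTTP_REFERER": req.referer, "HTTP_USER_AGENT": req.user_agent}[name]


def cond_matches(value, pattern, flags):
    """One RewriteCond: a leading '!' negates the match, [NC] ignores case.
    As in mod_rewrite, the regex is unanchored unless the pattern anchors it."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, value, re.IGNORECASE if "NC" in flags else 0) is not None
    return hit != negate


def chain_matches(req, conditions):
    """Combine conditions the way mod_rewrite does: a condition flagged [OR]
    is OR'd with the condition after it; one without [OR] closes that group,
    and every group must hold for the RewriteRule to fire."""
    groups, current = [], []
    for name, pattern, flags in conditions:
        current.append(cond_matches(variable(req, name), pattern, flags))
        if "OR" not in flags:
            groups.append(any(current))
            current = []
    if current:  # a dangling [OR] on the last condition
        groups.append(any(current))
    return all(groups)


def signup_redirected(req):
    """True when the recipe would 301 this request to the GOAWAY page."""
    return chain_matches(req, SIGNUP_CONDITIONS)


def bot_blocked(user_agent):
    """True when the bad-bot chain would answer 403 for this User-Agent."""
    return chain_matches(Request("GET", "/", user_agent=user_agent), BOT_CONDITIONS)


if __name__ == "__main__":
    browser = "Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0"
    samples = {
        "bot posting straight to wp-signup.php, no Referer":
            Request("POST", "/wp-signup.php", user_agent=browser),
        "bot with an empty User-Agent":
            Request("POST", "/wp-signup.php", referer="http://examplesite.com/x", user_agent=""),
        "human who reached the form from the site":
            Request("POST", "/wp-signup.php", referer="http://examplesite.com/join", user_agent=browser),
        "human whose browser suppresses Referer (false positive)":
            Request("POST", "/wp-signup.php", user_agent=browser),
        "someone typing the URL into a browser (GET, never matched)":
            Request("GET", "/wp-signup.php", user_agent=browser),
    }
    for label, req in samples.items():
        print(f"{'REDIRECT' if signup_redirected(req) else 'pass    '}  {label}")
    for ua in ("curl/7.68.0", "WebCopier v4.0", "Dalvik/2.1.0 (Linux; Android 10)", browser):
        print(f"{'403' if bot_blocked(ua) else 'ok '}  {ua}")
```

    Two things the simulation makes visible that the recipe alone does not: a plain GET of the signup URL from a browser is never matched, because the first condition requires POST, so the only way to exercise the rule is to submit the form; and any legitimate visitor whose browser is configured not to send a Referer will be sent to the GOAWAY page, which is worth knowing before putting it in front of real users. On the bad-bot list, the `da` entry in the first condition combined with [NC] blocks every User-Agent beginning with those two letters, which includes Android’s Dalvik HTTP client; short prefixes like that deserve a second look before the list goes live. The patterns are simple enough that Python’s `re` module behaves the same as Apache’s PCRE for them.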

  • The topic ‘BuddyPress Spam’ is closed to new replies.