
Fighting Splogs

Viewing 20 replies - 26 through 45 (of 45 total)

  • arezki
    Participant

    @arezki

    Also: you may want to install WP-Ban and watch for the IP address of those who are driving you crazy. I suspect we are getting troubled by the same punks. If so, feel free to take the list of my banned IP addresses and drop them in the wp-ban section after you install it. I managed to get about 500 attempts blocked in 3 days. Here’s my list so far. http://northafricaadvisors.com/banned-ips/


    stripedsquirrel
    Participant

    @stripedsquirrel

    Thanks arezki, but my last 15 splogs all had different IPs and email domains, so I am not sure if this will help anything.

    I also have nothing of the original message in the footer, but they keep on coming.

    I notice that (with the welcome pack installed/enabled) I receive friendship requests from, well, myself :) whenever a splog signs up. I am not sure if this means that the email to the sploguser has bounced or so?

    Seems that the banned email domains list in WPMU Admin options is not being used/checked as well, I just had a sign up from @live.cn, while I have *.cn on my blocklist…

    I sent a message to Andy yesterday, as this problem is too big to ignore, see testbp.org.


    stwc
    Participant

    @stwc

    Well, I don’t know — I seem to have lucked out, or it’s just that my site is too new and so-far untrafficked, but the few very simple, small changes I made last week seem to have stopped the firstnamelastname19xx signups.

    1) I changed some of the text on the /register page.

    2) I removed the “powered by” text in footer.php of my child theme (someone mentioned that it was being searched for)

    3) I changed the register slug in wp-config.php

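    4) Added a functions.php file in my custom child theme with the following code to redirect signups for all blogs to the BuddyPress register page

    // Send any request for the default wp-signup.php to the BuddyPress register page.
    function rk_signup_redirect() {
        if ( strpos( $_SERVER['REQUEST_URI'], 'wp-signup.php' ) !== false ) {
            $url = 'http://mydomain.com/customregisterslug'; // your domain + custom register slug
            wp_redirect( $url );
            exit;
        }
    }
    // Run early, before WordPress renders the signup page.
    add_action( 'init', 'rk_signup_redirect' );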

    where mydomain.com is, you know, my domain, and customregisterslug is the slug I changed in step 3.

    I don’t think I changed anything else — no captchas or anything — and I’ve received zero splog signups in the 5 days since, after getting a few a day before that. Fingers crossed.


    bpisimone
    Participant

    @bpisimone

    Sounds nice, stwc. Can you describe 3) in a little more detail?


    stwc
    Participant

    @stwc

    Yep, here.

    define ( 'BP_REGISTER_SLUG', 'signup' );

    except rather than ‘signup’ I used ‘jointhecommunity’ as I recall.


    bpisimone
    Participant

    @bpisimone

    perfect!


    stwc
    Participant

    @stwc

    Don’t forget to put the define statements BEFORE the STOP EDITING HERE LINE in the config.php. That had me scratching my head for a while.


    stripedsquirrel
    Participant

    @stripedsquirrel

    So far no luck with all of the above.

    Just noticed that when changing register slug as mentioned that the link on the login page (for example after logging out: http://biketravellers.com/wp-login.php?loggedout=true) does not change, it links to http://biketravellers.com/wp-login.php?action=register which gives a 404.

    (as it links to /register)

    Any idea why the new slug does not work (it works on the homepage, and I also added a function to the functions page).

    How to change that link on wp-login.php without hardcoding and losing it after every upgrade?

    Cheers, Harry


    Andrea Rennick
    Participant

    @andrea_r

    Yep, one of the tricks on even a plain mu install is to rename signup. Stops ’em dead.

    There’s a few automated programs out there that scammy people are selling to other scammy people to send out these automated signups. So, the things you can change from the defaults usually stop them.


    John Stringfellow
    Participant

    @frenchtowner

    Why can’t we just add a quiz question that has to be read by human eyes to be answered. I use that with Contact Form 7 and it works perfectly. How do I add that to register php?


    Bowe
    Participant

    @bowromir

    stwc wrote a very good guest post for BP-Tricks where he explains the tips he gave here in a very clear and understandable way. Check out the post here:

    http://www.bp-tricks.com/tips_and_tricks/stopping-the-sploggers/


    bcbccouk
    Participant

    @bcbccouk

    stwc’s summary of methods does seem to stop a lot of spam, but I’ve still been having some. I tried SI Captcha (https://wordpress.org/extend/plugins/si-captcha-for-wordpress) but that seemed completely ineffective.

    My latest weapon in the war has been to modify Invisible Defender (https://wordpress.org/extend/plugins/invisible-defender) firstly to make it work with the buddypress registration page and secondly obfuscate its hidden fields by giving them random names and values:

    http://bcbc.co.uk/mu/blog/2009/12/11/wordpress-registration-spam/
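The hidden-fields approach described in the post above, sketched as an added example (not bcbccouk's plugin code and not part of the original thread). The `example_hp_*` function names and the one-hour rotation window are assumptions; the hooks `bp_before_registration_submit_buttons` and `bp_signup_validate` are BuddyPress's own.

```php
<?php
// Added example: honeypot fields whose names and values rotate hourly.
// All example_hp_* names are hypothetical.

// Derive a field name or value from the site salt, so nothing is stored server-side.
function example_hp_token( $purpose, $window ) {
    return 'f' . substr( hash_hmac( 'sha256', $purpose . '|' . $window, wp_salt() ), 0, 12 );
}

// Print both fields inside the BuddyPress registration form.
function example_hp_render() {
    $w = (int) floor( time() / 3600 );
    // Trap: moved off-screen, so a person never fills it in. It must come back empty.
    printf(
        '<p style="position:absolute;left:-9999px" aria-hidden="true"><input type="text" name="%s" value="" tabindex="-1" autocomplete="off" /></p>',
        esc_attr( example_hp_token( 'trap', $w ) )
    );
    // Proof: must come back carrying the exact value issued for this window.
    printf(
        '<input type="hidden" name="%s" value="%s" />',
        esc_attr( example_hp_token( 'proof-name', $w ) ),
        esc_attr( example_hp_token( 'proof-value', $w ) )
    );
}
add_action( 'bp_before_registration_submit_buttons', 'example_hp_render' );

// Reject the signup unless the proof matches and the trap is empty.
function example_hp_validate() {
    global $bp;
    $now = (int) floor( time() / 3600 );
    foreach ( array( $now, $now - 1 ) as $w ) { // also accept a form rendered last hour
        $proof = example_hp_token( 'proof-name', $w );
        $trap  = example_hp_token( 'trap', $w );
        $sent  = ( isset( $_POST[ $proof ] ) && is_string( $_POST[ $proof ] ) ) ? $_POST[ $proof ] : '';
        $bait  = isset( $_POST[ $trap ] ) ? $_POST[ $trap ] : '';
        if ( hash_equals( example_hp_token( 'proof-value', $w ), $sent ) && '' === $bait ) {
            return; // consistent with a form filled in through a browser
        }
    }
    // Any entry in the errors array makes BuddyPress refuse the registration.
    $bp->signup->errors['signup_username'] = 'Registration could not be verified. Please reload the page and try again.';
}
add_action( 'bp_signup_validate', 'example_hp_validate' );
```

If the register page is served from a full-page cache for longer than the two accepted windows, legitimate signups will fail this check, so exclude that page from caching or widen the window.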


    r-a-y
    Keymaster

    @r-a-y

    @bcbccouk

    That’s the exact approach I took (although I removed the admin screen because I don’t really care for it). It works wonders.

    +1 for randomising the names and values. I’m going to take that bit of code! ;)


    bcbccouk
    Participant

    @bcbccouk

    It works…for the moment. (There’s an obvious way around the hidden fields method). I’ve got some other ideas to make it harder to regex the html, I’ll post back when I’m done.


    Bowe
    Participant

    @bowromir

    Thanks bcbccouk I’ve updated the post and added your information and plugin link!


    jnkfrancis
    Participant

    @jnkfrancis

    Anyone have any luck using sign-up question or wpmudev’s sign-up code? They both work great on a regular MU install since the person signing up has to answer a logical question or enter a code that they have received previously. The problem is when you activate those plugins, they work on the WordPress registration page and not the BuddyPress Registration page. Those would likely solve all the problems if we could get them to work together.

    I’m developing a site that we want only approved, or in some cases paid members to be able to sign up, but I can’t get either of those plugins to work with BuddyPress. Anyone been able to do that, or know how it would be done?


    bcbccouk
    Participant

    @bcbccouk

    Signup questions and codes are a good supplement to the other methods but are also ultimately fallible. In the same way that Captcha is rendered ineffective by human relay attack, so too are questions; it will just take time for spammers to catch on.

    It seems to me that the way forward is to incrementally roll out new defences, only presenting new defences when the old ones have been broken. As soon as lots of sites use a defence, that defence will probably soon be doomed to failure: spammers will only take the time to develop new exploits when a particular method of defence becomes popular. I believe this is the only reason why the hidden fields method currently works: it’s not sufficiently popular to bother coding an exploit for it (even though such a task would take about five minutes).


    dadaas
    Member

    @dadaas

    I have asked my question in another topic but they deleted it.

    Anyway, is there a way I could use the original WordPress signup page instead of the security leaked BuddyPress signup page?

    Please, does anyone know how to force people to sign up through the original signup form?

    I might be missing the point completely here, but I changed my theme’s sidebar.php code to call up the root sign-up using this;

    <?php printf( __( ' You can also <a href="%s">create an account</a>.', 'buddypress' ), site_url( '/wp-signup.php' ) ) ?>

    Mind you, it shows the sign-up form complete with the extra fields I added via Buddypress. Does this mean it’s still being hooked into by BP and is actually bypassing the standard WP 3.0 sign-up code? I noticed that even pulling out the php and replacing it with a normal href link, it still does the same thing.


    MrsAngelD
    Participant

    @mrsangeld

    stwc, found this post and using your method I haven’t had a spam registration yet. thanks so much.

  • The topic ‘Fighting Splogs’ is closed to new replies.