
How to control spam registration?

  • jittopjose



    I have installed and set up my site with BuddyPress 1.2 RC3 and standard WordPress 2.9.1(

    Now the problem is I am getting lots of spam registrations, daily more than 20. I controlled comment spam using the Bad Behavior and Akismet plugins. But how can I block spam registrations? Any known way to avoid BP spam registration?

    Plz help.

    Jitto P.Jose

Viewing 25 replies - 26 through 50 (of 57 total)
  • It really is Crazy!!! Where and how do they get in, that they can Register like that? Every couple of minutes One signup…. HELP! Nothing seems to stop them… I Even disabled any registration and they keep on signing up – really Strange to me!

    You must identify the spam blogs and remove them. Once a spammer has admin access they can add new users to that blog. Those users can then create new blogs.



    Some of you guys must check your Private Messages …



    I use this plugin instead of captcha:

    You can set an invitation-code and everyone who wants to register has to write the code in a registration-field.

    I changed the plugin a little bit for my needs so the code to write is seen on the registration-page.

    Sam Steiner


    This is getting worse and worse. I just launched my first BuddyPress site and am getting spammer registrations although I have additional required profile fields and SI Captcha installed.

    Sadly, the article mentioned (linked) above is not available anymore (I guess the spammers took down that site) and judging by the responses here there still seems to be no known solution to the spammer problem with WPMU/BuddyPress.

    I spoke to someone on Twitter who confirmed that the spam problem started when activating BuddyPress – this would be in contradiction to remarks from Andy, I’m afraid. Anyhow: after reading comments here there seems to be a hole in the system somewhere.

    (I guess the spammers have been clever enough not to spam :-) )

    Sam Steiner


    Definitely remove the footer link if you haven’t already.

    I noticed an issue with spammers using CURL to download /registration so blocked that in .htaccess (It’s been mentioned on a thread somewhere how to)

    renaming the slug ‘registration’ is supposed to help.

    For me deactivating blog signup improved things significantly. Didn’t need users to be able to register for a blog at initial sign up they can take a blog once they are members.

    Despite all efforts and much study and approaches instigated one after the other to gauge effectiveness before adding next one I still am not sure how a few of the automated bots get through, human signups there isn’t much you can do about them apart from delete manually.

    All my efforts still result in around 10 signups daily that require dealing with manually.

    @hnla how did you deactivate blog-signup? If I use that option in the backend, registration does not occur at all. If I choose “only Useraccounts” they cannot create a blog in a second step (no new blogs at all)

    Just another little update: To me it seems that there are two different spam-signups (at least :-))

    The ones, that come in through the registration-form

    I could handle those with all the tips (for me this worked best):

    – change the slug

    – additional-fields

    – change some text on the registration-page

    – change footer-text

    – SI-Captcha didn’t really work, so I used the modified invitation-code-plugin mentioned before

    – wp-ban did help, too (often wasn’t really needed – just left it there in case…)

    – changing/deleting wp-signup.php (which led me to this connected issue/question:

    The ones, that don’t seem to use the registration-form or wp-signup.php at all

    – never had this problem before, so it hit me… Further described here with an open question for me:

    – This morning I found out, that I had deactivated the hashcash-plugin because I had comment-issues (didn’t come through anymore). I think the spam-flood came after deactivating it. Right now I have activated it again (just for signups) and no spam came in for a couple hours now (even with deactivated wp-ban, without captcha or invitation-plugin, wp-signup.php still there)

    So far my further journey with this issue :-)



    I don’t quite understand these spam posts since I’ve run ten to twelve mu sites for several (4+) years with no splog/spam exploits (knock on wood) and some of them are outdated installs with very little protection. If buddypress is in fact, the culprit, perhaps it’s related to the registration in bbpress if you have forums installed? @micheal ~ perhaps you should try removing register.php from the buddypress/forums/bbpress/ ~ and/or buddypress/forums/bbpress/templates/kakumei/register.php to see what happens…

    I just tested on a local install with no conflicts and thanks for investigating.



    für ä’biräbitzeli drischnure…

    Did you look into the comments or posts on the different blogs? There are sometimes strange links that can appeal to spammers. Some long post with many links inside or many Viagra words. You see what I mean…

    I recently did such a search and found some on my “trusted members” blogs.

    @windhamdavid – thanks for the hint about bbpress… didn’t know, that the register-file was still there… Now I deleted it (just in case) – although forums are not even activated in my install. By now, still no spammers registering… could be that activating hashcash again did the trick (although I really don’t get it why, for as far as I know it just protects the register-form, right? and it seems, that wasn’t even used…

    On the install I am having troubles with there is NOT ONE spammer for sure. I know all of them personally! In my other install (I have 0 troubles until now, I will check back on that. thanks for the hint)

    PS: Chouf1 – wow, do you speak Swiss German :-)



    All in all, here’s my approach that I use on MU/BP sites ~

    1) modify the register/register.php wp-signup.php hardcoded default text and url slugs.

    2) enable xprofile and require additional fields upon registration.

    3) use a captcha ~ I’m fond of reCAPTCHA

    4) make sure you check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page.” in wp-admin/wpmu-options.php “Admin > Site Options”

    5) I ban or limit the registration domains (also in Admin > Site Options) so that the commonly used spammer domains are blocked from registration and then I add an email contact for owners of these addresses to manually request registration. I hide the email address from bots with HiveLogic EnKoder

    6) I then firewall off entire blocks of IPs from my servers from commonly used spammer IP ranges you can find at sources like .. and considering that these are one language sites, the need for access for the IP blocks on the pan asia network or eastern europe are unlikely. If you have a multilingual site, this might cause issues to very few users. cPanel, Plesk, BSD, etc have tools to do this.. if you’re on a shared server, ask your hosting provider if they can do it for you, and they may be likely doing it already.

    7) I also recommend using Akismet.



    I found this plugin and it seems to allow you to moderate new users I think this will help everyone a lot:


    The options for account registration control are odd and do not do what they suggest (I mentioned that on another thread, but it’s a WPMU issue!)

    As there were no sensible options for allowing users to signup but not take blog until a member I simply saw little choice but to remove the section of the form that dealt with the blog signup so I wrapped the fieldset in a conditional that just checked whether I had set a variable to disable or allow thus preventing that section from being returned from the server.

    Yes – I did it once in a similar way by removing it with css…

    “As there were no sensible options for allowing users to signup but not take blog until a member “

    There’s a plugin for that:

    @Michael Removing via CSS is not the same as dealing with it server side. CSS is simply a presentational language which is applied to the DOM, in order to have been able to remove via CSS requires that the elements had been outputted by the server, i.e. sent to the browser; the form elements still exist. If grabbing the page using CURL or some similar means you would have that section of the form available.

    Wrapping the form section in a php conditional means that as normal the file is passed to the parsing engine to process and compile into the final file to send to the browser, it sees my instruction to ignore that section so simply never includes it in final output.

    I do not claim this is the best approach but it works, I do not want users to take a blog initially I would rather it a considered decision once members. Using this approach I have had no further spam blogs (other than real human twits signing up) still get user signups but at least no blogs are created.
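
The difference described above between hiding the blog section with CSS and leaving it out server-side, as an added example that is not part of the thread and not BuddyPress or WPMU code. All function, constant and field names are hypothetical; the handler also enforces the same switch on the submitted data, since omitting a fieldset from the page does not stop a client from posting those fields.

```php
<?php
// Added example: every name below is hypothetical, not BuddyPress/WPMU code.
const ALLOW_BLOG_AT_SIGNUP = false;   // the "variable" checked by the conditional
const BLOG_FIELDS = ['signup_with_blog', 'signup_blog_url', 'signup_blog_title'];

// Render the form. The blog fieldset is emitted only when allowed, so it is
// absent from the HTML itself rather than present and hidden with display:none.
function render_signup_form(bool $allowBlog): string
{
    $html  = '<form method="post" action="/join">' . "\n";
    $html .= '  <input type="text" name="signup_username">' . "\n";
    $html .= '  <input type="text" name="signup_email">' . "\n";
    if ($allowBlog) {
        $html .= '  <fieldset id="blog-details">' . "\n";
        $html .= '    <input type="checkbox" name="signup_with_blog" value="1">' . "\n";
        $html .= '    <input type="text" name="signup_blog_url">' . "\n";
        $html .= '    <input type="text" name="signup_blog_title">' . "\n";
        $html .= '  </fieldset>' . "\n";
    }
    return $html . '</form>' . "\n";
}

// Handle the POST. The same switch is enforced here, because a client can
// send fields that the rendered form never offered.
function handle_signup(array $post, bool $allowBlog): array
{
    $sent = array_values(array_intersect(BLOG_FIELDS, array_keys($post)));
    if (!$allowBlog && $sent !== []) {
        return ['ok' => false, 'reason' => 'blog signup disabled', 'fields' => $sent];
    }
    return ['ok' => true, 'create_blog' => $allowBlog && !empty($post['signup_with_blog'])];
}

// Constructed sample requests: one matching the rendered form, one carrying
// blog fields even though the form did not contain them.
$form      = render_signup_form(ALLOW_BLOG_AT_SIGNUP);
$fromForm  = ['signup_username' => 'alice', 'signup_email' => 'alice@example.org'];
$withExtra = $fromForm + ['signup_with_blog' => '1', 'signup_blog_url' => 'example-blog'];

var_dump(strpos($form, 'signup_blog_url') === false);
print_r(handle_signup($fromForm, ALLOW_BLOG_AT_SIGNUP));
print_r(handle_signup($withExtra, ALLOW_BLOG_AT_SIGNUP));
```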


    Thanks wasn’t aware of that plugin, however do think that given the options exist in the backend that they could have been better thought through or even simply better worded.

    Thanks everyone for the tips and tricks, I’ll be checking this page again!

    It’s strange but the moment I upgraded to WP2.9.2 and BP 1.2 spam started again.

    Previously, I just added SI Captcha and I went from getting 10-20+ spam registrations to none. I added WP-hashcash now and I’ve only had one registration since.

    I’ve just disabled the blog registration on the signup page, hopefully that’ll help too.

    By the way, there’s also a meta tag in the header of many templates :

    <meta name="generator" content="WordPress 2.9.2" />

    Removing that may help too….



    Use captcha, have one profile field be required and change the slug.

    define( 'BP_REGISTER_SLUG', 'name-this-something-unique' );

    oh and if you are on WPMU then you need to disable the ability for blog owners to add users via their admin section. This is an easy way for spammers to get entry.

    Can someone give solution that users that wish to sign up don’t use buddypress signup page, instead they use regular wordpress signup which is much much safer.

    Then all you need to do is install SABRE and spammers are gone. This is urgent request because I don’t wish to have spammers on my sites, same goes for everyone else, I’m getting hit by 20 spammers per hour.

    BTW nothing mentioned in this topic works!!!!



    excuse my ignorance of htaccess but is this even possible? and if so, how is it done?

    I noticed an issue with spammers using CURL to download /registration so blocked that in .htaccess (It’s been mentioned on a thread somewhere how to)



    Can someone give solution that users that wish to sign up don’t use buddypress signup page, instead they use regular wordpress signup which is much much safer.

    Hmm, interesting. The generic BuddyPress register form does seem like a bit of a sieve (though it could just be my frustration talking).

    I think you would just delete/disable /registration/activate.php and /registration/register.php. You would lose the ability for users to fill out extended profile fields at signup. However, quick signups are probably preferable, with seasoned users filling out extended profile fields as needed. I’ve read at least one article via that suggests to me that signup forms need to be as simple as possible to help users focus on getting “behind the wall” fast and easy.




    I’m using these 3 plugins together and have no bot signups at all on WPMU2.9.2/BP1.2.3.

    Cookies for Comments


    WPMU Super Captcha

    The occasional stubborn human does drop by once in a blue moon, and these few only manage to get through using RPX and an existing account, or they really take the time to fill out the registration form. Email domain banning and persistent account termination seem to be the only solutions in these cases.

    Mike Challis


    FYI, Today I updated SI CAPTCHA Anti-Spam for latest version of buddypress 1.2.3 compatibility

    SI CAPTCHA Anti-Spam

    This plugin adds CAPTCHA anti-spam methods to WordPress on the comment form, registration form, login, or all. In order to post comments or register, users will have to type in the code shown on the image. This prevents spam from automated bots. Adds security. Works great with Akismet. Also is fully WP, WPMU, and BuddyPress compatible.

  • The topic ‘How to control spam registration?’ is closed to new replies.