Follow up comments:
I am using the theme Prose (child of Genesis) from Studio Press if that matters.
I would be willing, as a stop-gap measure to manually register people, but the spam registrations are bypassing the “registration is disabled” setting.
Rick.
That shouldn’t be possible; something definitely seems up with your installation, at least to me.
>Forums are enabled (it’s a primary purpose for the site)
Understood, but try deactivating bbPress.
If the spam regs stop, you know it’s a bbPress issue and you can post a bug report on their site.
If they don’t stop, at least you know it’s not bbPress.
Thanks, aces, for your question. Actually I had seen this post before I started this thread, but when I tried the link given in that post, access to index.php was forbidden. I’m assuming if I can’t get to it (with an active admin account logged in) then it’s unlikely that someone else could successfully execute that URL. Please let me know if I am wrong about that.
Here’s a followup on my progress in stopping the automated registrations. It turns out that my side issue (see my first post) was very important. I found a plugin called “unconfirmed” that gives you limited access to the user records with unconfirmed emails, including the ability to delete them. I had 7100 unconfirmed registrations. The plugin is not fully implemented, so I had to delete them about 20 at a time. (I figured I was not likely to find anything better, so I bit the bullet and deleted 300 groups of records.) Once deleted, the registrations stopped.
So here’s the analysis: there were thousands of pending registrations. For whatever reason, the automaton that started the registration process either could not respond to the email, or was designed to respond to the emails slowly.
So, now I have some time to diagnose the solution to the problem without the fear of my database being flooded with crap.
Next I’ll try to disable bbPress to see if it’s the problem, but I really don’t want to delete it as I already have several forums configured. I’ll see if I can disable it without deleting it and then turn registrations back on at the network admin level to see if they start up again.
OK, here’s a followup on my trying to find the source of the automated registrations.
— I disabled bbPress on the network plugins page.
— I renamed the following directories:
wp-content/plugins/bbpress
wp-content/plugins/buddypress/bp-forums
wp-content/plugins/gd-bbpress-attachments
— enable registrations from the network admin settings
And… the automatic registrations CONTINUE.
— disable registrations (network admin) and the automatic reg stops
SO, it’s beginning to look like it is not bbPress. PLEASE ADVISE:
- Do you agree? Or is there some other possibility that will implicate bbPress?
- What other possibilities are there for by-passing registration protocols?
First you said:
>I disabled registrations using “Registration is disabled” from the network admin settings/network settings and the spam registrations continue.
Now you say:
>– disable registrations (network admin) and the automatic reg stops
Not sure why things have changed, but it’s a clue.
btw – did you change the salts in your wp-config?
https://codex.wordpress.org/Editing_wp-config.php#Security_Keys
Thanks shanebp for sticking with me.
You missed the post where I explained the problem when registrations continued even when I disabled them (about 3 posts up from this one). Basically, there were thousands of pending registrations (i.e. with unconfirmed emails) that were slowly being completed by the malicious registration process. I did not want to simply delete them directly from the database since that always carries some risk if you don’t use the APIs. I found the plugin “unconfirmed”, which enabled me to view and delete them. Once deleted, the registrations stopped.
Also, thanks for your idea about the keys and salts. I don’t think that’s a problem since I have deleted all of the automated users AND all of the pending registrations. All of the automated registrations will have to be done again. Unless there is a reason I haven’t thought of, I’d rather not inconvenience my valid users.
Thanks again, Rick.
I believe I have successfully worked around the problem. The solution is as simple as adding a required profile field (xProfile). Evidently, the malicious registration process is fooled by the presence of a required field that it does not expect.
Of course, this may only be a short-lived solution, and it may not prevent all automated registration engines out there, but it has solved my problem for the time being.
Thanks to all who gave me hints on how to handle this.
Rick.
OOPS… My last post was INCORRECT (there doesn’t seem to be a way to delete posts). I thought it was working to use a required xProfile field, but it just took longer to get going. The spam registrations started up again and I had to disable registrations.
SO, I’m still looking for help on how to diagnose the problem, or a work around for fixing it.
Can I re-install BuddyPress and/or bbPress without losing my settings?
Thanks, Rick.
I’m hoping that this is my final post on this thread. I found a plugin called BuddyPress Security Check that, so far, has stopped the spam registrations. Thanks to Shea Bunge for the plugin. This may be one of those short-lived fixes where the spammers figure it out eventually, but it’s working right now.
A great plugin that I use (it is free) that has greatly reduced registration spamming is WangGuard (check it out here: https://wordpress.org/plugins/wangguard/). It works great with BuddyPress and bbPress.
It seems that those spamming my site are using WordPress’ default way of creating an account and not registering through BuddyPress. When I go to the users admin, all of the users that used BuddyPress were given the default forum role of “participant”. The spammers don’t have this role.
Because of my current setup, I installed the Members plugin and created a new role. Then I made the buddypress form show up only for those that I have confirmed. I would recommend that this be added to future buddypress installs as an option.
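The observation in the last post, that accounts created outside the BuddyPress form carry no forum role, can be turned into a review list. This is an added example, not code from the thread or from any plugin mentioned in it; it assumes WP-CLI is installed and bbPress is active, and the file name is hypothetical.

```php
<?php
// Added example, not from the thread.
// Run on the site with: wp eval-file list-no-forum-role.php  (hypothetical file name)
// Lists accounts on the current site that have no bbPress forum role, the
// trait the post above noticed on spam accounts. A missing role is a lead to
// review, not proof of spam: it only means bbPress has not assigned one yet.

if ( ! function_exists( 'bbp_get_user_role' ) ) {
    fwrite( STDERR, "bbPress is not active, so forum roles cannot be read.\n" );
    return;
}

$users = get_users( array(
    'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

$per_day = array();
foreach ( $users as $user ) {
    if ( bbp_get_user_role( $user->ID ) ) {
        continue; // already has a forum role (participant, moderator, ...)
    }
    $day             = substr( $user->user_registered, 0, 10 ); // YYYY-MM-DD
    $per_day[ $day ] = isset( $per_day[ $day ] ) ? $per_day[ $day ] + 1 : 1;
    printf(
        "%d\t%s\t%s\t%s\n",
        $user->ID,
        $user->user_login,
        $user->user_email,
        $user->user_registered
    );
}

// Bursts of role-less sign-ups on a single day are the pattern worth a closer look.
arsort( $per_day );
foreach ( array_slice( $per_day, 0, 10, true ) as $day => $count ) {
    printf( "# %s: %d accounts without a forum role\n", $day, $count );
}
```

The script only reads and prints; comparing the busiest days against the dates the spam registrations were noticed helps separate automated sign-ups from real members who have simply not been given a role.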