Skip to:

Is there a backdoor in WPMU/Buddypress?

  • To make it clear: This is not a “methods-for-stopping-spammers” question. I stopped with the methods mentioned here most of the spammers coming through the “normal” way. Additional fields, changed slug, captcha, etc etc… All the spammers I once had, filled in the required field some dummy information.

    BUT here is my question: Is there another way to get through and create users and efterwards blogs. I know once there was, through a bbpress-loophole. But I think this is not an issue anymore (without a seperate bbpress installation)

    Here is what let’s me ask this question, because I think it is strange:

    – I get ALOT of spam-registrations with just the name/username – no required fields are even touched or filled in any way

    – I deleted wp-signup.php (because I guessed they could use that)

    – I even deactivated any form of registration/creation from the backend

    – there is not one spam-user already in the system (I know them all personally)

    – occasionally I got a real human registration, not assigend to any blog, no required fields filled out (which is really strange)

    –>My conclusion after this: It is possible to register without even touching the registration-form or the wp-signup.php, right?

    So, my question is: Is there ANY way of registration that goes around everything mentioned? Then I guess: THERE IS A BACKDOOR?!

    Please don’t answer with use this captcha, this method, etc…

    This is a question, so that I understand how it works and if I miss something (which really would be possible :-))

    Thanks to all the WPMU/Buddypress-Gurus, that could answer this question!!!

    Greez, Michael

Viewing 9 replies - 1 through 9 (of 9 total)

  • helmi


    just a thought: How about the intruder coming from another end than wordpress? There are so many theoretical ways to enter some data in the database.

    Of course that doesn’t mean it’s not a wordpress problem – just to keep an eye on other things too.

    I’ve already answered this question.

    If you have a spammer with admin access on a blog, they can add new users to that blog. They are then new users in the system since WPMU shares a global users table. So essentially once a spammer has a blog they can get others in.

    This is simply the way WPMU works, and if I try and change that, people shout and scream at me. The reality is, if you want to use WordPress MU and BuddyPress along with it, you are going to have to manage this somehow. Otherwise, just use standard WordPress since it doesn’t have these issues.



    ~ also might want to make sure and check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page. ” in wp-admin/wpmu-options.php “Admin > Site Options”

    Good call Windhamdavid.

    Yes i disabled that Option already… Don’t think they come in that Way… :)

    my question is just: is there another possible Way to signup (besides the Register-page and adding through admins)



    let’s continue this thread over here ~

    and did you try that recommendation regarding bbpress?



    für ä’biräbitzeli drischnure…

    Did you show into the comments or posts on the different blogs ? There are sometimes strange links that can appeal to spammers. Some long post with many links inside or many Viagra words. You see what i mean…

    I recently did such a search and find some on my “trusted members” blogs.

    Have to admit I had no idea there was another registration.php page and it would have never have occurred to me to look in the bbpress folder.

    This kinda worries me really why is this required and also a password reset file, it feels as though it’s a bad hangover from earlier days and ought to be removed.

    Is it not time that this bbpress thing be integrated fully or at least forum capabilities simply part of BP core .

    I have deleted this registration file and will be interested to see if it clears up the remaining few spam signups still being received



    Michael, could you have a look at the invisible-defender plugin?

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Is there a backdoor in WPMU/Buddypress?’ is closed to new replies.
Skip to toolbar