Hi @russadams,
on any WordPress site, once a new user registers, the user is created in
the database. That’s why site admin can see him in the control panel. This is normal.
Here default WordPress registration process:
- User registers.
- User is shown message to check email.
- Login credentials are sent to new user in an email.
- User logs in to site using login credentials.
- Admin is notified of new user sign up via email.
This doesn’t change when BP is installed, as BP doesn’t handle registration.
Guess your issue is due to browser session. Make the following test.
Create a new user from frontend.
Close the browser or clear cookie and nav history.
Don’t use activation key yet.
Reopen the browser, and see if the user can login. Normaly he can’t as he hasn’t use the activation key.
Hi!
I recently upgraded my site with a new theme (BuddyBoss Boss. theme) and am running WP 4.1.1 and upgraded from BuddyPress 1.9.2 to 2.2.1.
I have a setup where I redirect the activation e-mail to the site admin to be able to manually control new members and verify their information before activating them and letting them log in. This is a cruical function for my site since it’s a private network.
After the upgrade I noticed that some spam users were automatically activated and able to log in without my manual activation. The users are automatically activated, the same issue as @RussAdams is experiencing. I’ve tried deactivating a few plugins (BuddyPress Pending Activations, BuddyPress Auto Group Join) but this issue persists. In BuddyPress 1.9.2, everything was working as expected.
Browser sessions doesn’t seem to be the issue since clearly people on other computers have been able to create accounts which were automatically activated as well.
This is a very serious issue for my site since I no longer have the control over new users and spam users can log in after activating. Did you get this sorted out?
Spam is an endless plague… and there is no radical solution, but only a set of combination for minimizing it, or at least to slow down that phenomenon..
For example, changing the default wp_ table prefix is a good practice which i would recommand to any site owner touched (or not yet) by spammers.
Even if you already use another prefix, but spammers found your site, you have to modify it again. Sounds a bit stupid, but the gain will be effective for a while.
Other tips are avaible on WP Codex.
In some case, you would prefer to use a plugin. See BuddyPress Registration Option.
But in any case, you have to found your own combination.
@danbp True indeed, but with my previous setup with BuddyPress 1.9.2 I was able to control the spam registrations since they were never activated (I used BuddyPress Pending Activations to manually activate new users) and therefore they could never log in. They were not seen in the activity stream either.
This is my setup: https://buddypress.org/support/topic/create-private-membership-site-with-buddypress/
I’ve now upgraded s2Member which had no effect, and also deactivated the BuddyPress Automatic Friends plugin which didn’t have any effect either. The new user shows up as pending in the Users screen for about 1 minute after registration, but is then automatically activated.
@RussAdams What theme are you using? I haven’t figured out a solution to this problem yet so I had to turn off new member registration and created a Gravity Forms form for new users instead. Will have to manually register each user but my community is rather small so that shouldn’t be a huge problem. Will continue to search for a solution though.
