Best Practices for Preventing BuddyPress Spam User Registrations

The BuddyPress plugin turns any WordPress installation into a rich social networking site complete with forums, friend requests, and … countless numbers of fake bot users that will comment spam you to death unless you protect your site. Although you probably installed BuddyPress to allow more engagement and interaction among your visitors in the hopes of creating a thriving community, you will soon rue the day you installed it unless you take precautions to prevent fake users.

A disclaimer: there cannot truly be a definitive guide to stopping user-agents and spam bots, as the methods of attack are ever-evolving. As soon as a solution to block them becomes widespread, new threats arise to bypass these safeguards. Nonetheless, here are a few best practices that will safeguard most BuddyPress installations from spam bots while still allowing legitimate visitors to comment and register.


Remove the Default Footer Text

Most spammers do not specifically target BuddyPress installations through manual search and registrations. That is a lot of work, and they prefer to release their bots to search for specific criteria that indicate BuddyPress installations, find default registration pages, and sign up accounts by the dozens or even hundreds.

The first level of security is to change the footer text to remove mentions of WordPress and BuddyPress. Spammers target the words “proudly powered by WordPress and BuddyPress” in search engines to find sites they can compromise. See for yourself by performing the following search in Google: “inurl:/register/ Account Details Proudly powered by WordPress and BuddyPress” and see how many targetable sites show up. The search string gives us a clue to another fix that we’ll address in the next section, but first let’s fix the BuddyPress footer file.

The location of the code will vary based on the theme you are using, but you are looking for something like:

<?php printf( __( 'Proudly powered by <a href="%1$s">WordPress</a> and <a href="%2$s">BuddyPress</a>.', 'BuddyPress' ), 'http://WordPress.org', 'http://BuddyPress.org' ); ?>

Delete this.

You might have to dig a little to find this code. As an example, in Themekraft’s popular Custom Community theme, you would navigate to theme-generator.php found in your “wp-content -> themes -> custom-community -> core -> includes -> theme-generator” folder and delete the following:

<div class="credits"><?php printf( __( '%s is proudly powered by <a class="credits" href="http://WordPress.org">WordPress</a> and <a class="credits" href="http://BuddyPress.org">BuddyPress</a>. ', 'cc' ), bloginfo('name') ); ?></div>

Note: many themes require their own links be left alone as a condition for free use of the theme, so make sure you do not delete any of their links without checking the terms of use.

“Spammers target the words ‘proudly powered by WordPress and BuddyPress’ in search engines to find sites they can compromise.”


Rename the Default Registration Slug

In BuddyPress, the default URL for the registration page is “http://yoursitedomain.com/register”. This is why the search described in the previous section includes “inurl:/register/”. Make it harder for them to find your site by changing the default slug for BuddyPress in your wp-config.php file. Simply insert the following anywhere above the line that says /* That's all, stop editing! Happy blogging. */ towards the bottom of the file:

define( "BP_REGISTER_SLUG", "your-new-slug" );

This will keep the page from showing up in “inurl:/register/” searches and seamlessly direct your visitors to “http://yourdomain.com/your-new-slug” when they wish to register.


Add a Security Question to Your Registration Page

A Captcha or other security question adds a field which helps thwart automatic bot registrations. I personally dislike those indecipherable squiggly-letter Captchas and avoid using them whenever possible, as they might interfere with the user experience and cause some legitimate users to avoid registering on a site that takes two or three attempts to do so.

I prefer the use of easy questions written in legible letters, such as simple math problems. One plug-in that provides this is the fittingly titled Captcha.

Here is another Captcha tool that takes a different approach, allowing registration only after a visitor chooses and drags the correct icon, called Sweet Captcha.
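To show what a plain-text math question actually checks on the server, here is an added Python example; it is not code from the article or from the Captcha or Sweet Captcha plugins it names. The server issues a question together with a token carrying an HMAC over the expected answer plus an expiry, so the submitted answer can be verified without any server-side session storage, and an expired or tampered token is rejected. SECRET_KEY, CHALLENGE_TTL and the function names are assumptions made for the example.

```python
"""Stateless simple-math challenge for a registration form.

Added example: not code from the article or from any Captcha plugin.
The server hands out a question plus a signed token; on submit it recomputes
the HMAC over (nonce, expiry, submitted answer) and compares. Nothing about
the challenge has to be stored between the two requests.
"""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"replace-with-a-long-random-site-secret"  # assumption: per-site secret
CHALLENGE_TTL = 600  # assumption: seconds a question stays answerable


def _sign(nonce, expires, answer):
    """HMAC-SHA256 over the nonce, expiry and the numeric answer."""
    msg = f"{nonce}:{expires}:{answer}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_challenge(now=None, operands=None):
    """Return {'question', 'token'} for the form. operands=(a, b) is only
    for tests; normally two single-digit numbers are drawn at random."""
    now = int(time.time()) if now is None else int(now)
    a, b = operands if operands else (secrets.randbelow(10), secrets.randbelow(10))
    nonce = secrets.token_hex(8)
    expires = now + CHALLENGE_TTL
    token = f"{nonce}:{expires}:{_sign(nonce, expires, a + b)}"
    return {"question": f"What is {a} + {b}?", "token": token}


def verify_answer(token, submitted, now=None):
    """True only if the token is intact, unexpired and the answer matches."""
    now = int(time.time()) if now is None else int(now)
    try:
        nonce, expires_str, mac = str(token).split(":")
        expires = int(expires_str)
        answer = int(str(submitted).strip())
    except ValueError:
        return False
    if now > expires:
        return False
    # Constant-time comparison so timing does not leak how close a guess was.
    return hmac.compare_digest(_sign(nonce, expires, answer), mac)


if __name__ == "__main__":
    challenge = make_challenge()
    print(challenge["question"])
    # In a real form the token travels in a hidden field alongside the answer.
    print("token:", challenge["token"])
```

A token stays valid until it expires, so a bot that solves one could submit it more than once inside that window; keep a short-lived store of used nonces or rate-limit registrations per IP if that matters on your site. Because the question is plain text, this only deters bots that do not parse the page, which is the trade-off the article accepts in preference to image Captchas.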


Tweak Your .htaccess File

The .htaccess file located on your site’s root folder is used to control how your visitors interact with your site. It enables you to block IP addresses and even entire domains from accessing your site, a very useful thing to do against known bots trying to create fake BuddyPress user accounts.

Once you have identified a specific troublesome IP address, say by looking at the access logs on your server, block them from accessing your site again by adding this to your .htaccess file, replacing the 0s with the IP address you want to block:

deny from 000.000.00.000

Lists of domains known to harbor spam bots have been published by various developers and WordPress experts. One excellent basic one is the Ultimate htaccess Blocklist by Jeff Starr of Perishable Press. Jeff provides the entire code that you can copy and paste into your own .htaccess file to greatly reduce your BuddyPress bot registrations, comment spam and other unwanted activity. For an even more extensive list, check the 4G list which has over 8000 spammers on it.

Another BuddyPress-specific .htaccess tweak is provided by WordPress Must Use Tutorials. Replace the “yourbpsignupslug” and “yourhomedomain” with the appropriate data for your site. You can also choose where to send the attacking bots by modifying the “http://die-spammers.com/” with whatever URL you like.

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
# Only act on form submissions (POST) aimed at the signup page
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} yourbpsignupslug
# ...that arrive either without a referer from your own domain [OR] with an empty user agent
RewriteCond %{HTTP_REFERER} !.*yourhomedomain.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]
# END ANTISPAMBLOG REGISTRATION
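Before adding deny lines or the rewrite rule above, it helps to see which requests they would actually catch. The following Python script is an added example, not part of the original article or of the WordPress Must Use Tutorials snippet: it parses Apache combined-format access log lines, applies the same two signals as the rewrite conditions (a POST to the signup slug with no referer from your own domain, or with an empty User-Agent), counts hits per client IP, and renders deny from lines for review. The slug, domain and log lines are constructed sample values.

```python
"""Flag suspicious registration POSTs in an Apache combined access log.

Added example (not from the article): applies the same two signals the
.htaccess rewrite rule keys on to log lines so the result can be reviewed
before any IP is blocked. Slug, domain and log lines are constructed.
"""
import re
from collections import Counter

SIGNUP_SLUG = "/your-new-slug/"  # assumption: the renamed BuddyPress register slug
HOME_DOMAIN = "yourdomain.com"   # assumption: your site's own host name

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (documentation-range addresses)
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2012:10:01:02 +0000] "POST /your-new-slug/ HTTP/1.1" 302 0 "-" ""
203.0.113.7 - - [31/Mar/2012:10:01:09 +0000] "POST /your-new-slug/ HTTP/1.1" 302 0 "-" ""
198.51.100.23 - - [31/Mar/2012:10:02:15 +0000] "POST /your-new-slug/ HTTP/1.1" 302 0 "http://spam.example/links" "Mozilla/5.0"
192.0.2.44 - - [31/Mar/2012:10:03:30 +0000] "GET /your-new-slug/ HTTP/1.1" 200 5120 "http://yourdomain.com/" "Mozilla/5.0"
192.0.2.44 - - [31/Mar/2012:10:04:02 +0000] "POST /your-new-slug/ HTTP/1.1" 302 0 "http://yourdomain.com/your-new-slug/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_signup(entry):
    """Mirror the .htaccess conditions: a POST to the signup slug that either
    lacks a referer from our own domain or carries an empty User-Agent."""
    if entry["method"] != "POST" or not entry["path"].startswith(SIGNUP_SLUG):
        return False
    off_site_referer = HOME_DOMAIN not in entry["referer"]
    empty_agent = entry["agent"] == ""
    return off_site_referer or empty_agent


def suspicious_ips(log_text):
    """Return {ip: count} of suspicious signup POSTs per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious_signup(entry):
            counts[entry["ip"]] += 1
    return dict(counts)


def deny_rules(counts, threshold=1):
    """Render Apache 2.2-style 'deny from' lines for IPs at or above threshold."""
    return [f"deny from {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    hits = suspicious_ips(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} suspicious signup POST(s)")
    print("\n".join(deny_rules(hits)))
```

Run it against a real log with suspicious_ips(open("access.log").read()). Both Referer and User-Agent are set by the client, so treat the output as a review queue rather than proof. The deny from syntax is Apache 2.2's; on Apache 2.4 the native equivalent is a Require not ip line inside a RequireAll block.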

Keep Up to Date With Security Exploits and Defenses

Stay educated on the latest exploits affecting blogs and plugins. A blog owner is ultimately the only one responsible for maintaining the various layers of protection needed for site security. This can only be done by staying well-informed and keeping up-to-date on what the rest of the WordPress and BuddyPress community is experiencing and their solutions. Visit the WordPress Support forums and the BuddyPress Support forums regularly. Follow @buddypressdev on Twitter.

Spy on the Enemy

Another excellent source of information is to visit hacker/blackhat SEO forums, if you are brave. Spammers do not do what they do just for fun, spamming is serious business, and it pays to know their motivation and see the conversations they are having among themselves. This will help you understand their mindset and see some of the programs and scripts they share, allowing you to better protect your site. I won’t link to any of these sites directly, but performing a search for “blackhat SEO” will bring up quite a few. Make sure your antivirus program is up to date and that your browser is protected against malicious scripts … just in case.


Use Security Plugins

Be wary of trying every single security plugin under the sun, as this slows down your site and adds to your maintenance workload by having more things to update and go through if something breaks. At first, stick to the highest rated ones that have proven themselves over time with a lot of users. One such plugin, which is highly recommended by many BuddyPress and WordPress users, is Bad Behavior. This plugin will not only block a lot of spam, but will make your site invisible to many bots in the first place and thereby prevent fake registrations.

A good place to start exploring plugins is the WordPress Plugin Directory.


Conclusion

The liability of putting together a Best Practices article like this is that some angle is bound to be missed, as black hats are always eager to develop exploits for BuddyPress and WordPress due to the number of users and ease in locating their websites. Although the tips in this article will go far in protecting your site from the most common threats, the only real way to protect a BuddyPress installation is, unfortunately, constant vigilance against unwanted activity and education on new defenses.

  • http://www.wpfix.org Wpfix

    Thank you for the tips, Willie; we will use them on our BuddyPress-powered websites.

    • akash nimare

      How can I remove the header, search field, and other items (home, activity, member, etc.) from my registration page? It is annoying me that anybody can see all the activity even if he/she is not a member. Is there any way not to show these features to logged-out users?

  • Pingback: Best Practices for Preventing BuddyPress Spam User Registrations | Shadowtek | Hosting and Design Solutions

  • http://www.tweaktag.com tweak tag

    Really awesome collection to stop spammers. Daily my BuddyPress is affected by these spammers, and each and every time I have to remove them manually.

    But this article is really helpful to me; hereafter my site protects itself.

  • http://shabushabu.eu Boris

    There really is no need to define BP_REGISTER_SLUG anymore. That constant is only there for backwards compatibility. All you need to do is set the slug for the registration page that has been created. If you’re on BuddyPress 1.5+ that is.

    Captchas? Seriously? Talk about a sure way to annoy the hell out of your users.

    • http://williepena.com Willie Pena
      Author

      Good points, Boris. I especially hear you on the Captchas…they are annoying to end users, but not as annoying as getting a user list filled with dozens of “mike.jones.sell.viagra@internetmarketerspam.com” permutations on a daily basis, in my opinion. Captchas do slow things down for spammers, and that is good enough for me. Like I mention in the article, I do prefer the non-squiggly letter, more human readable variety, like a simple math question or easy puzzle. I would even rather use Solve Media’s “play this little video advertisement to unlock the captcha” model than an illegible ReCaptcha, but that doesn’t mean regular Captchas don’t have some value in preventing spam registrations.

  • http://www.adventurebimbling.com Andrew Murray

    Thanks for these pointers. I’ve just put a load of these measures in place due to the spam I’m getting across our network of sites. The worst is our buddypress install. Incidentally, there is a new version of the Blacklist at Perishable Press, they have recently released the 5G Firewall version!

  • David

    How would you write those .htaccess lines for a web.config file?

  • MickeyRoush

    I haven’t been keeping up with BuddyPress, but do people still have problems with spammers targeting the included bbpress register.php file? If so, it may be wise to still rename that file as well.

  • Pingback: WordPress Community Roundup for the Week Ending March 31 - Charleston WordPress User Group

  • Joe

    Hi, after looking for a solution for sploggers, I found the WangGuard plugin http://wordpress.org/extend/plugins/wangguard/. It’s amazing:

    - Block new sploggers
    - Clean the old ones
    - Advanced Users admin
    - Security questions
    - and much more

    Since I installed it, 0 sploggers.

    • http://twitter.com/vfowler Vernon Fowler

      It’s also compatible with WordPress 3.5 and BuddyPress; well supported and maintained; and doesn’t dampen the UX with CAPTCHA on new user registration. Also, crowd sourcing/reporting of sploggers helps everyone.

  • http://harounkola.com Haroun Kola

    Thanks for this post. I’m creating my second BuddyPress site, and finding more spammers joining than real people. I’m hoping this stops with these tips!

  • http://www.tech-squawkers.com Toby Brommerich

    Another good way to relieve unwanted visitors is setting up http://www.cloudflare.com. It has helped us cut down the comment/user spam for our clients.

  • http://pixeljar.net Brandon Dove

    I’ve always thought that impacting the user experience by requesting that the user fill out more fields than necessary sucks. We use the honeypot technique to thwart spambots and it has worked pretty well from our experience. I didn’t invent the idea, but I built this implementation for BuddyPress and it works like a champ. Here’s an example:

    In functions.php (or a small utility plugin):

    /**
     * Adds a hidden text field. Spambots love to fill out all fields
     * on registration forms because they assume everything is required.
     */
    add_action( 'bp_after_signup_profile_fields', 'mmmm_honey' );
    function mmmm_honey() {
        // autocomplete="off" keeps browser autofill from populating the trap for real users.
        echo '<div style="display: none;">';
        echo '<input type="text" name="oh_no_you_dint" id="sucka" value="" autocomplete="off" />';
        echo '</div>';
    }

    /**
     * Checks to see if the hidden text field was filled out.
     * Since it was hidden with CSS, only spambots would know it's there,
     * so it should be empty.
     */
    add_action( 'bp_signup_validate', 'sting_like_a_bee' );
    function sting_like_a_bee() {
        global $bp;

        // Errors are keyed by form field name so BuddyPress displays the message next to that field.
        if ( ! empty( $_POST['oh_no_you_dint'] ) ) {
            $bp->signup->errors['signup_username'] = __( "You're totally a spammer. Go somewhere else with your spammy ways." );
        }

        // Secondly, check if the domain of the email has been blacklisted by the network admin.
        // is_email_address_unsafe() only exists on multisite installs, so guard the call.
        if ( function_exists( 'is_email_address_unsafe' ) && isset( $_POST['signup_email'] ) && is_email_address_unsafe( $_POST['signup_email'] ) ) {
            $bp->signup->errors['signup_email'] = __( 'You cannot use that email address to signup. We are having problems with their mail servers blocking some of our email. Please sign up using another email provider.' );
        }
    }

    This tactic reduced our spam registrations from 100s per day to 1 or 2 per week.

    • http://www.facebook.com/Imfromio Andy Johnsen

      Great addition Brandon. I have seen just as much success using the honeypot method as captcha code and it’s far less…annoying. Thank you.

    • http://twitter.com/newleveltraders New Level Traders

      Love this idea. Should I be able to put this into bp-core-function.php?

  • http://williepena.com Willie Pena
    Author

    Brandon, that is great, thanks!

  • valentine

    Hi Brandon, I love your posts and guidelines about BuddyPress spam prevention, and the other great minds who contributed to it. I want to create a social network with BuddyPress because of its good features and plugins, and I am a starter when it comes to it. I want you to assist me in doing it with guidelines, as you have always done with others. Love to hear from you, GOD BLESS.

  • David Z

    I’ve tried redefining the BP_REGISTRATION_SLUG in the wp-config.php file but it is not changing, and if I go to the Register page with the new definition I get 404’d.

    Could this have anything to do with deprecated registration.php? The “Register” link sends you to login.php?action=register

  • Daniel M

    David Z, That change no longer works. Change the slug by editing the page named “Register.” You can go to BuddyPress >> Pages to confirm that this page is assigned to the process.

  • http://www.webonate.co.za Deon

    Thank you for this post. I have applied the Captcha plugin; however, it does not appear on the Register Page.

    From the settings, how does it know which page is the registration page?

    Regards
    Deon

  • http://hustlemonth.com Dan Hefferan

    This article was brilliant, thanks!

  • Coen

    Hi Brandon/ Willie,

    Could I just copy/paste the code from Brandon’s comment into my buddypress ‘functions.php’ file?
    If yes, is there a specific point it should be inserted, (top / bottom / after a certain other piece of code?) or could it just paste it anywhere?

    I’m a beginner coder, never written anything myself yet, but I just seem to be getting a hold of the structure of code and sometimes edit certain things in the code myself (with success :)). Help is thus still very much appreciated at this point.

    Thanks so much, I’m receiving over 20 new fake subscribers a day promoting cigarettes and other crap at this point and removing them manually … grrrr.

    Thanks again!

    Cheers, Coen.

  • http://www.whattaf.com/ Pressa

    I use wp-security; it has helped me a lot. Just after the launch of my 1-month-old website, it has helped me with 2 attacks and 1 lockout from people trying to enter the admin page!!

  • http://www.radmacdaddy.com Randy

    Excellent article Willie! Thanks. Am implementing your suggestions now.

    @Coen, Brandon’s great suggestion is a function or call-up that I believe can be placed just about anywhere in functions.php.
    If you look in that file you’ll see many such call ups for WP or BP to access.

    @Brandon, clever, thanks for sharing. It seems this should be the regular non-captcha (annoying those) way of checking on who is filling out the form… honeypot… nice.

  • http://www.gaijingojapan.com GaijinSan

    Great Article!
    I installed both Akismet and Bad Behavior on top of removing references to buddy-press and changing the register slug. I now have only 2-3 bot/day registering to my buddy-press. I’ll try making the settings of Bad Behavior more strict to see if I can get that to 0!

  • Pingback: Weblog Bass Jobsen – Spammers, bots en alle andere ongewenste gasten

  • http://www.escort5.dk escortpiger

    Thanks , I’m receiving over 15 new fake subscribers a day promoting cigarettes and other crap at this point and removing them manually … grrrreart work.

  • Izumou

    Thanks for the tutorial. Spammers are killing the Internet and must be stopped. Please, is there no plugin that asks a question, e.g. the capital of the US, instead of 2 + 2?

  • http://www.facebook.com/eric.sherwood1 Eric Sherwood

    I’ll try the Sweet Captcha. Most Captchas don’t seem to work well, I find. There are a number of ways around them, including capturing the Captcha image and applying it to a porn website that requires you to enter that Captcha image to see a nude picture. They have now gotten your Captcha answered because someone did it for them. Pretty sneaky.