spam registrations - does anyone hav advice? :)

1. This has nothing to do with buddydev plugins or anything, but i just wanted to ask in case any of you all have advice or tips.

   I keep getting spam users joining the site. maybe 20 per day. I assume they are not human spammers because they ALL populate the profile fields with random letters.

   The thing is, that i have recaptcha on.. so I thought that recaptcha would prevent robots from registering.

   well anyway, just wondering whats steps you all do to prevent spam registrations. thanks for any help or advice. :)

   Posted 1 year ago #

   

   Shane_NY_777
   

2. hi Shane,
   I am too feeling the same, tried to handle the spam multiple times(even on buddydev.com) but it is really an issue. In the current update of bpdev, I am putting a plugin for marking spam as one click from the members directory and profile using ajax, that will at least allow me to combat it, not in the actual ways, but at least to some extent I guess.

   I too, will love to hear what other people around, are doing to combat spam.

   Posted 1 year ago #

   

   Brajesh Singh
   

3. So far, I've tried the usual stuff:
   1- Delete or change the "Powered by..." text in footer.php
   2 - Change the "register" slug
   3 - Add a captcha to login/registration (I use WP-Super-Captcha)
   4 - Ban email domains (in "Dashboard" > "Options")
   5 - Ban specific IP addresses (I use Wp-Ban)

   Despite all the above, I still get an average of 5 or 6 spam registrations per day.

   This morning, I found an interesting post over at buddypress.org:
   http://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/buddypress-spam/?topic_page=2&num=15#post-60177

   The interesting part about that post is this link:
   http://www.askapache.com/htaccess/blocking-bad-bots-and-scrapers-with-htaccess.html#badbotlist

   It's a .htaccess-formatted list for "Blocking Bad Robots and Web Scrapers with RewriteRules"

   I've updated my .htaccess file with that list, and I'll post the results (if any).

   Posted 1 year ago #

   

   Patrick
   

4. hi Shane,
   i had same problem with spammers, i used WP Super-Captcha, but was some which still registred.
   The final method was that to allow for register only emails from domains like:
   gmail.com
   yahoo.com
   umablu.net
   windowslive.com
   hotmail.com,
   Of course you may add other domains you can trust
   Go to superadmin, options, Limited Email Registrations and place there allowed domains.
   Well. for those who want registration whith email adress from other mail providers, mail support... :))
   At this moment i have no spam registration.

   I hope that will help.
   http://www.umablu.net

   Posted 1 year ago #

   

   Bodhisattva
   

5. I tried just about every idea ever mentioned and none really seemed to work. I even went as far as to purchase a copy of xrummer to see how this was being done. (believe me.. it's one seriously powerful program that wp can't even hope to keep up with unfortunately).

   In the end the one thing that ended up working for me was registration through obscurity.

   Let me explain what I mean by that.

   I have a site that uses multiple different pieces of software, wordpress, vbulletin, photopost, and a few others. Every single one of those software pieces all have the same problem with spam registrations.

   It wasn't until I actually bridged all the scripts together with my own custom home-made registration/login system that my spam problem went away. I even made sure to leave in the meta values saying the engine is wp,vb,photopost,etc.. that way all the bots believe I am using that software, which I am.

   The only problem for the bots is that my registration page links are completely custom. This means that the 'bot' comes to my site, sees wordpress in the header and then uses its 'wordpress' logic to attack the site. The problem is my registration is different so the bot's engine does not work.

   Now xrummer could always program in a new set of algorithms that would break right into my site should they want to. The only saving grace is my sites all use different custom registration systems, and they are not large like facebook. Mean's I am a target so small that they don't even bother with me.

   The only system I have ever come across that works nearly 100% of the time is one using voiceprint authorization. I won't mention the site, but basically the first time I went there I had to enter my phone number. A few minutes later I received a call from a bot that had me repeat a sentence. That got me into the system.

   When I was 'promoted' as an owner of the software I received a call again and had to repeat the sentence again. It took 2 attempts because the software was making sure the voice matched.

   Another option is to require sms verification. There are a number of companies providing this service for a fee.

   hope these ideas help to provide some inspiration

   Posted 1 year ago #

   

   shawn
   

6. Hello again.. Im thinking I may have found somewhat of a break with the spam. although Im probably just overly happy because its my first day without spam. lol.

   I did two things..
   (1) I found an article by D’Arcy Norman where it showed some htaccess rules where it would redirect any person that is trying to register, WITHOUT first visiting your site. Im wording it wrong, but If its a real possible member, they woudl have visited your site first before going to register... if not, then the htaccess redirects them to a url of your choice. :) I like it..

   # BEGIN ANTISPAMBLOG REGISTRATION
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} POST
   RewriteCond %{REQUEST_URI} .wp-signup.php*
   RewriteCond %{HTTP_REFERER} !.your-site.com. [OR]
   RewriteCond %{HTTP_USER_AGENT} ^$
   RewriteRule (.*) http://your-redirected-page-for-spammers.html/ [R=301,L]

   And
   (2) I removed the option to create a blog at signup. Went to my Child theme / registration.php file & I commented out the whole blog section so that it doesn’t even allow you to create a blog at signup. a Real member would have to create a blog later, once account was activated.

   so far no splogs and NOT EVEN ONE phony registered spammer. I feel good. :) lol
   (knock on wood).

   Posted 1 year ago #

   

   Shane_NY_777
   

7. has anyone tried using this

   http://buddypress.org/community/groups/bp-registration-options/

   Posted 1 year ago #

   

   gwu
   

8. that sounds like it would work, but I think when someone signs up, they expect immediately to be able to participate. i would worry about losing members like that.

   at least, when i join forum sites, if im not able to 'continue' asap, i just move to the next forum site.
   but maybe im impatient. lol. :)

   but fyi, i still hav not gotten anymore spam registrations or sblogs since i did the things i mentioned above. (1) htaccess (2) commented out blog creation at sign up.

   Posted 1 year ago #

   

   Shane_NY_777
   

9. I'm trying like shawn and basically making my registration process unique so bots just don't care enough to figure it out.

   In my case, you either have to have a very specific referral URL to get in (which the bots won't likely know). If you don't have that, then I have to ask them to choose some of the details that the specific URL would have (for example, the group they want to join when they signup).

   So far so good. We'll see over time.

   Posted 1 year ago #

   

   techguy
   

10. @shane

    I'm liking the htaccess redirect idea a lot but have one question:

    I'm using Boone Gorges's Invite Anyone plugin. When invitees click the email invitation link, they're immediately directed to a page like this:
    http://site.com/register-slug/accept-invitation/invitees-email-address

    Hopefully, these nice folks would NOT be shipped off to the page-for-spammers. What do you think?

    EDIT: lemme try it...

    Posted 1 year ago #

    

    Patrick
    

11. Drat! My test (as below)is spitting out an Internal Server Error:

    # BEGIN ANTISPAMBLOG REGISTRATION
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-signup.php*
    RewriteCond %{HTTP_REFERER} !.nowrecovery.com. [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$http://nowrecovery.com/access-denied-page/ [R=301,L]

    I'm obviously doing something wrong. Anyone care to clue me in?

    Posted 1 year ago #

    

    Patrick
    

12. @patrick, I'm new at the whole htaccess thing, but yeah it looks like they might get shipped to the spam page since they are heading directly to your site without first visiting the site.

    also, unless it was intentional, it looks like you mixed up the last two lines...

    you wrote:

    RewriteCond %{HTTP_USER_AGENT} ^$http://nowrecovery.com/access-denied-page/ [R=301,L]

    When it should be:

    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://nowrecovery.com/access-denied-page/ [R=301,L]

    Posted 1 year ago #

    

    Shane_NY_777
    

13. Just found this post.

    http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/

    Posted 1 year ago #

    

    gwu
    

14. Does confirming that the email address used during registration truly exists help in reducing spam?

    When the activation email is sent, can we check if it was successfully sent? if not, we can kick the user.

    Posted 1 year ago #

    

    gwu
    

15. @gwu
    No having confirmation of the email makes zero difference to the bots. People use products like xrummer for auto registration and email validation is easy to overcome.

    Say I wanted to spam your site, I would simply have zombie email servers setup that automatically click the email registration links for me. It's completely automated.

    Posted 1 year ago #

    

    shawn
    

16. @shane

    you wrote:

    RewriteCond %{HTTP_USER_AGENT} ^$http://nowrecovery.com/access-denied-page/ [R=301,L]

    When it should be:

    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://nowrecovery.com/access-denied-page/ [R=301,L]

    Oops... ;-)

    Posted 1 year ago #

    

    Patrick
    

17. if anyone has experience using reCAPTCHA to block spam? I heard a lot of big sites using reCAPTCHA.
    a few days ago I tried using reCAPTCHA, but I still not understand how to make it work. I have inserted the code for the client side from here http://code.google.com/apis/recaptcha/docs/php.html on my registration.php, but I am confused where I should paste the code for the server side,reCAPTCHA image has appeared, but people can register without writing captcha on reCAPTCHA, please help me
    thank's

    Posted 1 year ago #

    

    jeremy
    

18. @jack

    There's a Wordpress reCaptcha plugin... should make things easier :-)

    http://wordpress.org/extend/plugins/wp-recaptcha/

    Posted 1 year ago #

    

    Patrick
    

19. @Patrick
    I've tried it but the captcha doesn't appear in registration page(i'm using cosmicbuddy theme), so i've tried manually but the captcha doesn't work, i don't understand where i must paste this code to make it work:
    <?php
    require_once('recaptchalib.php');
    $privatekey = "your_private_key";
    $resp = recaptcha_check_answer ($privatekey,
    $_SERVER["REMOTE_ADDR"],
    $_POST["recaptcha_challenge_field"],
    $_POST["recaptcha_response_field"]);

    if (!$resp->is_valid) {
    // What happens when the CAPTCHA was entered incorrectly
    die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
    "(reCAPTCHA said: " . $resp->error . ")");
    } else {
    // Your code here to handle a successful verification
    }
    ?>

    I don't know where the server side file in cosmicbuddy theme

    thank's

    Posted 1 year ago #

    

    jeremy
    

RSS feed for this topic

Reply

You must log in to post.