Best Practices for Preventing BuddyPress Spam User Registrations

The BuddyPress plugin turns any WordPress installation into a rich social networking site complete with forums, friend requests, and ... countless numbers of fake bot users that will comment spam you to death unless you protect your site. Although you probably installed BuddyPress to allow more engagement and interaction among your visitors in the hopes of creating a thriving community, you will soon rue the day you installed it unless you take precautions to prevent fake users.

A disclaimer: there cannot truly be a definitive guide to stopping user-agents and spam bots, as the methods of attack are ever-evolving. As soon as a solution to block them becomes widespread, new threats arise to bypass these safeguards. Nonetheless, here are a few best practices that will safeguard most BuddyPress installations from spam bots while still allowing legitimate visitors to comment and register.


Remove the Default Footer Text

Most spammers do not specifically target BuddyPress installations through manual search and registrations. That is a lot of work, and they prefer to release their bots to search for specific criteria that indicate BuddyPress installations, find default registration pages, and sign up accounts by the dozens or even hundreds.

The first level of security is to change the footer text to remove mentions of WordPress and BuddyPress. Spammers target the words "proudly powered by WordPress and BuddyPress" in search engines to find sites they can compromise. See for yourself by performing the following search in Google: "inurl:/register/ Account Details Proudly powered by WordPress and BuddyPress" and see how many targetable sites show up. The search string gives us a clue to another fix that we'll address in the next section, but first let's fix the BuddyPress footer file.

The location of the code will vary based on the theme you are using, but you are looking for something like:

Delete this.

You might have to dig a little to find this code. As an example, in Themekraft's popular Custom Community theme, you would navigate to theme-generator.php found in your "wp-content -> themes -> custom-community -> core -> includes -> theme-generator" folder and delete the following:

Note: many themes require their own links be left alone as a condition for free use of the theme, so make sure you do not delete any of their links without checking the terms of use.



Rename the Default Registration Slug

In BuddyPress, the default URL for the registration page is "http://yoursitedomain.com/register". This is why spambots include "inurl:/register/" when performing the search described in the above section. Make it harder for them to find your site by changing the default slug for BuddyPress in your wp-config.php file. Simply insert the following anywhere above the line that says /* That's all, stop editing! Happy blogging. */ towards the bottom of the file:

This will keep the page out of "inurl:/register/" searches and seamlessly direct your visitors to "http://yourdomain.com/your-new-slug" when they wish to register.
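As an added example (not the article's own snippet), here is what such a wp-config.php entry looks like. BuddyPress reads the BP_REGISTER_SLUG and BP_ACTIVATION_SLUG constants at load time; the slug values below are placeholders, and the activation slug is included because the default /activate/ page is just as easy to fingerprint as /register/. Note that this only hides the URL from search strings: any crawler that follows the "Register" link in your theme still finds the page, so treat the rename as a nuisance filter rather than a security control.

```php
<?php
// Added example: place these lines in wp-config.php above the
// "That's all, stop editing!" comment. The slug values are placeholders;
// pick something that is not a dictionary word and not guessable from the site name.

// Replaces the default /register/ page. The article's "your-new-slug" goes here.
define( 'BP_REGISTER_SLUG', 'join-the-community' );

// The account-activation page defaults to /activate/ and is as recognisable
// as /register/, so rename it as well.
define( 'BP_ACTIVATION_SLUG', 'confirm-your-account' );
```

After saving, visit the new registration URL yourself and confirm the old /register/ path now returns the site's 404 page rather than the form; if a theme or plugin has hard-coded the old path, it will show up here.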


Add a Security Question to Your Registration Page

A Captcha or other security question adds a field which helps thwart automatic bot registrations. I personally dislike those indecipherable squiggly-letter Captchas and avoid using them whenever possible, as they might interfere with the user experience and cause some legitimate users to avoid registering on a site that takes two or three attempts to do so.

I prefer the use of easy questions written in legible letters, such as simple math problems. One plug-in that provides this is the fittingly titled Captcha.

Another Captcha tool, Sweet Captcha, takes a different approach: it allows registration only after a visitor chooses and drags the correct icon.
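To show what a "simple math question" check involves, here is an added example of a small plugin that puts an arithmetic question on the BuddyPress registration form and rejects signups that answer it wrongly. This is not the Captcha plugin's code or the article's; it is written against the BuddyPress hooks bp_before_registration_submit_buttons (renders inside the register template) and bp_signup_validate (runs after BuddyPress's own field checks), and all bpaq_ names are this example's own. The expected answer is never stored server-side: the two operands and a time window are bound together with an HMAC keyed by the site's nonce salt, so a bot cannot substitute easier numbers, and a solved form cannot be replayed indefinitely.

```php
<?php
/*
Plugin Name: BP Arithmetic Question (added example, not a published plugin)
Description: Adds a "what is a plus b?" question to the BuddyPress registration form.
*/

// Seconds for which a served question remains answerable.
define( 'BPAQ_WINDOW', 600 );

// HMAC binding the operands to a time window, keyed by WordPress's nonce salt.
// No server-side state is needed, and altering a, b or the window invalidates the token.
function bpaq_token( $a, $b, $window ) {
	return hash_hmac( 'sha256', "$a+$b+$window", wp_salt( 'nonce' ) );
}

// Render the question and the hidden fields that let us verify the answer later.
function bpaq_render_field() {
	$a      = wp_rand( 1, 9 );
	$b      = wp_rand( 1, 9 );
	$window = (int) floor( time() / BPAQ_WINDOW );
	?>
	<div class="register-section" id="bpaq-section">
		<?php do_action( 'bp_bpaq_answer_errors' ); // BuddyPress emits our error message here ?>
		<label for="bpaq_answer"><?php printf( esc_html__( 'What is %1$d plus %2$d?', 'bpaq' ), $a, $b ); ?></label>
		<input type="text" name="bpaq_answer" id="bpaq_answer" autocomplete="off" />
		<input type="hidden" name="bpaq_a" value="<?php echo (int) $a; ?>" />
		<input type="hidden" name="bpaq_b" value="<?php echo (int) $b; ?>" />
		<input type="hidden" name="bpaq_w" value="<?php echo (int) $window; ?>" />
		<input type="hidden" name="bpaq_t" value="<?php echo esc_attr( bpaq_token( $a, $b, $window ) ); ?>" />
	</div>
	<?php
}
add_action( 'bp_before_registration_submit_buttons', 'bpaq_render_field' );

// Validate on submit. Adding an entry to buddypress()->signup->errors makes
// BuddyPress abort the signup and redisplay the form with the message.
function bpaq_validate() {
	$a      = isset( $_POST['bpaq_a'] ) ? (int) $_POST['bpaq_a'] : 0;
	$b      = isset( $_POST['bpaq_b'] ) ? (int) $_POST['bpaq_b'] : 0;
	$window = isset( $_POST['bpaq_w'] ) ? (int) $_POST['bpaq_w'] : 0;
	$token  = isset( $_POST['bpaq_t'] ) ? (string) $_POST['bpaq_t'] : '';
	$answer = isset( $_POST['bpaq_answer'] ) ? trim( (string) $_POST['bpaq_answer'] ) : '';
	$now    = (int) floor( time() / BPAQ_WINDOW );

	// Accept the current window and the one before it, so a form served just
	// before a boundary still works; anything older is stale or replayed.
	$fresh   = ( $window === $now || $window === $now - 1 );
	// Constant-time comparison: the token must match the operands and window we served.
	$genuine = hash_equals( bpaq_token( $a, $b, $window ), $token );
	// Only a plain integer equal to the sum is accepted.
	$correct = ctype_digit( $answer ) && ( (int) $answer === $a + $b );

	if ( ! $fresh || ! $genuine || ! $correct ) {
		buddypress()->signup->errors['bpaq_answer'] = __( 'Please answer the arithmetic question correctly.', 'bpaq' );
	}
}
add_action( 'bp_signup_validate', 'bpaq_validate' );
```

Drop the file into wp-content/plugins/ and activate it. The question is deliberately readable by humans, which also means a script can parse it; the check raises the cost of a signup rather than making it impossible, and a token solved once remains usable until its window expires, so a site under sustained attack would add a record of used tokens (a transient keyed by the token hash) to close that gap.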


Tweak Your .htaccess File

The .htaccess file located on your site's root folder is used to control how your visitors interact with your site. It enables you to block IP addresses and even entire domains from accessing your site, a very useful thing to do against known bots trying to create fake BuddyPress user accounts.

Once you have identified a specific troublesome IP address, say by looking at the access logs on your server, block them from accessing your site again by adding this to your .htaccess file, replacing the 0s with the IP address you want to block:

Lists of domains known to harbor spam bots have been published by various developers and WordPress experts. One excellent basic one is the Ultimate htaccess Blocklist by Jeff Starr of Perishable Press. Jeff provides the entire code that you can copy and paste into your own .htaccess file to greatly reduce your BuddyPress bot registrations, comment spam and other unwanted activity. For an even more extensive list, check the 4G list which has over 8000 spammers on it.

Another BuddyPress-specific .htaccess tweak is provided by WordPress Must Use Tutorials. Replace the "yourbpsignupslug" and "yourhomedomain" with the appropriate data for your site. You can also choose where to send the attacking bots by modifying the "http://die-spammers.com/" with whatever URL you like.
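The two .htaccess changes above, as an added example rather than the article's or the tutorial's exact text: the first blocks a known-abusive address or range (the article's "replace the 0s" rule, shown in both the Apache 2.2 Order/Deny form and the 2.4 Require form so the right one is picked up automatically); the second refuses POSTs to the signup slug whose Referer is not your own site, which is what the referenced tweak does. The addresses, yourbpsignupslug and yourhomedomain are placeholders. Where the tutorial redirects the bot to a third-party URL, this version answers 403 Forbidden, so you do not send traffic to someone else's server.

```apache
# Added example: place in the .htaccess file in the site's web root.
# 203.0.113.x is documentation address space standing in for the offender you found in your logs.

# 1. Deny a specific address or range.
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Allow,Deny
    Allow from all
    Deny from 203.0.113.45
    Deny from 203.0.113.0/24
</IfModule>
<IfModule mod_authz_core.c>
    # Apache 2.4
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.45
        Require not ip 203.0.113.0/24
    </RequireAll>
</IfModule>

# 2. Refuse registration submissions that did not originate from your own site.
#    Bots that POST straight to the signup URL typically send no Referer at all,
#    or one from another domain; a browser submitting your form sends your domain.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^/yourbpsignupslug/? [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourhomedomain\.com/ [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

Two caveats before relying on rule 2: the Referer header is trivially forged, so a targeted bot will simply send the right one, and some browsers and privacy extensions strip it entirely, which would lock out legitimate visitors. Register on your own site from a couple of browsers after adding the rule, and watch the access log for 403s on the signup slug to see whether it is catching bots or people.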


Keep Up to Date With Security Exploits and Defenses

Stay educated on the latest exploits affecting blogs and plugins. A blog owner is ultimately the only one responsible for maintaining the various layers of protection needed for site security. This can only be done by staying well-informed and keeping up to date on what the rest of the WordPress and BuddyPress community is experiencing and their solutions. Visit the WordPress Support forums and the BuddyPress Support forums regularly. Follow @buddypressdev on Twitter.

Spy on the Enemy

Another excellent source of information is to visit hacker/blackhat SEO forums, if you are brave. Spammers do not do what they do just for fun, spamming is serious business, and it pays to know their motivation and see the conversations they are having among themselves. This will help you understand their mindset and see some of the programs and scripts they share, allowing you to better protect your site. I won't link to any of these sites directly, but performing a search for "blackhat SEO" will bring up quite a few. Make sure your antivirus program is up to date and that your browser is protected against malicious scripts ... just in case.


Use Security Plugins

Be wary of trying every single security plugin under the sun, as this slows down your site and adds to your maintenance workload by having more things to update and go through if something breaks. At first, stick to the highest rated ones that have proven themselves over time with a lot of users. One such plugin, which is highly recommended by many BuddyPress and WordPress users, is Bad Behavior. This plugin will not only block a lot of spam, but will make your site invisible to many bots in the first place and thereby prevent fake registrations.

A good place to start exploring plugins is the WordPress Plugin Directory.


Conclusion

The liability of putting together a Best Practices article like this is that some angle is bound to be missed, as black hats are always eager to develop exploits for BuddyPress and WordPress due to the number of users and the ease of locating their websites. Although the tips in this article will go far in protecting your site from the most common threats, the only real way to protect a BuddyPress installation is, unfortunately, constant vigilance against unwanted activity and education on new defenses.
