Can’t keep new blogs from being created?

I had been using the signup question that I believed was created by Andrew, but I started getting more SPAM blogs so I decided to temporarily disable registrations. They were still able to create new blogs so I deleted the wp-signup.php file and I’m still getting new blog registrations, particularly from a 21cn.com domain. I’ve now added this one domain name to the prohibited list to see if that works, but I don’t understand how new blogs are being created in my installation. I know this forum is just about supporting the premium plugins, but can anyone point me to what might be happening or the latest plugins/ways people are handling keeping blogs from being created?

Thanks,

Todd

  • Luke
    • The Crimson Coder

    Signups being created even though wp-signup.php wasn’t there?

    Interesting.

    Were they maybe blogs that had already been registered, but not activated?

    Depending on your target audience, you could do all kinds of things. For example, if your site was only for residents of Canada, you could use an IP to Country db class (freely available on the net) to stop registrations from anywhere but Canada.

    Or lots of other things, all depending on your site and target of course.

  • andrea_r
    • The Incredible Code Injector

    That prohibited list works really well, except there will always be new domains you need to block. I know Luke doesn’t like my answer :stuck_out_tongue: but I did a hack to moderate the signups. It’s at wpmututorials.com.

  • TomFisher
    • Flash Drive

    I know that there are plugins that use validation. Like the login one, which stops them from posting. Aren’t there ones that use validation for the signup?

    I just assumed there were. I’d like to get one. If there aren’t, I’d like to suggest it be added to the list of projects.

    Would that solve the problem???

    Tom

  • drmike
    • DEV MAN’s Mascot

    Well, the signup does have email validation already.

    There are a couple of captchas though already for signup:

    http://wpmudev.org/project/WPMU-Random-Captcha

    http://wpmudev.org/project/Signup-Security-Question

    From reading the descriptions, I’d go for #2 there as it’s a question and not an image. You won’t have to worry about folks not being able to see the image plus it’s written by Andrew which means it will probably work. :slight_smile:

  • Todd
    • WPMU DEV Initiate

    Thanks for the help. I did find the thread in the MU forums. Everyone seemed to think it was impossible without the wp-signup.php, but it did happen to me as well. I’ll admit I’m not the most sophisticated WordPress user, but my main point was that someone had found a way around the signup question to begin with. I know they could be doing it by hand, but I think it was automatically generated based on the usernames.

    Luke wrote: Were they maybe blogs that had already been registered, but not activated?

    Maybe that explains it. I hope it’s not some type of real security issue. Anyway, I’ll use the banned/prohibited domains list that was suggested and/or limit registrations and maybe check into the hack from Andrea. Thanks for all the help.

    Todd

  • TomFisher
    • Flash Drive

    I’ll check out those plugins.

    Speaking of security. This is a little off point. Sorry.

    What are the first steps to fix weaknesses in wpmu, as far as security? One that I recently read somewhere, probably here, was to NOT use admin as username. Create a ‘new’ user with full admin rights, then delete the original ‘admin’ user. Is this correct? Anything else?

    Thanks,

    Tom

  • drmike
    • DEV MAN’s Mascot

    I’d start off with themes actually. Take a look for wp-security via google (Locked down term. can’t do it myself) and take a look at your themes.

    Gotta admit that I leave in admin. Probably should demote it to a contributor though and raise the other signins. Deleting is bad I would think as then someone else could create the account. It wouldn’t be a true admin account then but they may try to play it off as such.

    I really need to get with James and make some suggestions on those themes if he doesn’t mind. That and page templates for them.

  • Luke
    • The Crimson Coder

    Renaming “admin” can be done without deleting the actual account, or changing the password.

    It’s an edit that’s pretty simple, really.

    FIRST: add in the “new” username to your Site Admins list under Site Admin -> Options. So, if you’re changing your username (login) to “tom”, your site admin list would look like (no quotes) “admin tom”.

    Next, go into phpMyAdmin and edit the user table (user #1). Change the user_name (which is your login) from “admin” to “tom”.

    Don’t worry about the other fields, you can safely change them in your profile when you’re done.
