Have the Membership & BuddyPress 1.5 non-integration issues been sorted out yet?

We have been running BP 1.5 and the Premium Membership plug-in for a while now. We have had such hassles (which I have written about in this forum before), that my community has now basically been trashed by hackers. getting in and my
We uploaded the RC2 when it became available, but that still did not solve our problems. I see that other people are having the same problems:
1. When a user registers, they have total carte blanche to do what they will until they log out for the first time. (The BP user registration is turned off and the Membership is turned on.)
2. Any details that the user puts into their profile when they first register don't get transferred through to the profile.
3. I have had so many spam attacks where the spammer gets in (I am not notified by e-mail), they don't have to be activated; and yet they send spam e-mails to everyone in the community!
Even I - as the administrator - cannot e-mail the whole community - so how on earth do they get in and do so!
This has totally destroyed a community that I have taken a lot of time and effort to build and I have no idea how I am going to recover their trust!
This never happened with the previous Membership widget (I got spammers but I could see them immediately and delete them.)
I have had to now take out all messaging (so that the members don't get sent spam e-mail for online sex as if it is coming from me as the administrator), as well as automatic registering (i.e. basically I now don't have a functioning community).
So I just don't know where to turn at the moment and whether these issues have finally been resolved (I just couldn't see anywhere in the forums where they have been).
Thanks

  • Timothy Bowers

    How did hackers trash your site?

    How did they gain access, can you give explicit code examples of how they hacked in please?

    RC is a release candidate and was for testing, not for use on a production site. The same for betas.

    3. I have had so many spam attacks where the spammer gets in (I am not notified by e-mail), they don't have to be activated; and yet they send spam e-mails to everyone in the community!
    Even I - as the administrator - cannot e-mail the whole community - so how on earth do they get in and do so!

    That's a good question, but our plugin doesn't give them that ability unless you somehow assign them as an admin with the role options of the advanced settings?

    Or you have some plugin allowing them to send emails?

    Membership doesn't deal with spamming or spammers, so nothing will have changed in that respect, but it's near impossible to prevent; even Facebook gets its fair share. I receive messages almost daily about some free iPad or something from friends.

    There are a number of plugins which might help, like Akismet for example. If it's automated then maybe something like PlayThru could help.

    That's available in our AntiSplog plugin for multisite or on its own from them:

    http://wordpress.org/extend/plugins/are-you-a-human/

    Hope this helps.

  • Ann Williams

    Hi Timothy

    Please, I have a very real and serious problem that I have written about more than once and which is just getting worse. So please don't jump all over me - try and help me solve this genuine problem! (I have put an example of one of these messages at the end.)

    I was told by your staff to put in RC2 because the Membership widget had some problems and you guys weren't ready with the upgraded widget yet. I have also seen other WPMUDev members trying to get info about some of the things that I have a problem with, but which have not been sorted out yet.

    Firstly - I have no idea how they gained access - that is what I am asking you guys.... And I have no idea what code they are using.

    Secondly - I have NOT given them admin access (how they are getting in is the whole problem). Only my husband and I have admin access. What is even more frustrating is that even I as the administrator cannot send messaging e-mails to ALL the members at once so how on earth are the hackers doing it?

    As I have said - they just appear as signed up users and send out messages (with the subsequent e-mails being sent out) to all my members.

    If I am lucky I catch them in the Inactive list before they have a chance to send out e-mails to everyone. I have set it up that I have to activate new users before they can do anything - not that that stops them doing anything they please when they register for the first time. (See below for more on this open access to do everything when first registering.)

    What would usually happen is that the new 'member' would sign up late on Friday, and if I had not spotted them by Sunday afternoon, they would then send out a message to ALL the users using the BuddyPress messaging system. So if I didn't see them in the front-end Members list in BP over the weekend and delete them, I was in trouble. (And I had NOT activated any of these people - that was the first thing I checked - but they could STILL send messages anyway!)

    But now they have even gotten to the stage in the past few weeks where I have found some "active" users which don't even show in the BP membership list! I had NOT activated them, and they now did not even show up on the 'inactive' list in the back-end. They were already fully active - and messaging. (The first time I know about them is when everyone gets these ghastly e-mails and I get a bunch of members phoning me or writing me to whinge - or asking me to delete their memberships.) THEN I can finally pick up the name and delete the user from the user list.... But of course the damage is already done.

    Which is why I have now taken down both the BP messaging system completely and why I have taken the Membership registration down completely as well. So I currently am sitting without an active forum...

    I think they are getting in in between the Membership plugin sign-up and the BP sign-in. (We have disabled the BP sign-up and used the Membership sign-up.)
    When a real person signs up (using the Membership registration), they are given full access to everything! ALL the site's content, all the profile fields to fill in (which is a real problem because that information doesn't get placed into the profile fields in their BP profile, which I use a profile fields widget for), AND they can also WRITE ANYTHING, ANYWHERE.
    It is only once they have logged out after their first use that they cannot get in again until I have 'activated' them using the user admin area in the back-end.
    This is why I think the hackers are getting in 'in between' the Membership registration and the BP membership.

    Why I am also looking at the BP/Membership widget interface, is because when we first started the site I had no problems with invasions like this. Sure, I got spam registrations but they were very easy to spot and remove (I ask new registrations to fill in their name and surname using the profile widget and spam users would put in garbage for these fields making it easy to see them immediately). These spam accounts also could NOT send out messages to anyone who was not specifically signed up as their BP Friend.

    We then downloaded an upgrade to the Membership widget, and it was from then that we started having these hassles....

    Which is why I have identified that Membership / BP widgets are probably where the problem lies.

    Ps. I have Akismet - but that is for blog post comments particularly - not for membership hacking. (And it does a very good job at stopping these posts. I have also had a huge rise in the number of spam comments for my main posts lately.)

    Pps. We do not use the e-mail plug-in. The only e-mailing that we are doing is the BuddyPress messaging which is part of the BP widget.

    ppps. The Are You a Human thing wouldn't work because they don't seem to need to fill in the form anyway (and the extra profile fields that have to be filled in make the user spammers easy to spot because they put garbage in those fields).

    Thanks

    An example of what gets sent out:

    joy sent you a new message:

    Subject: Hello

    "Hello Dear Friend

    Am Miss Joy,and i view your profile today at http://www.2bbiz.co.za and i was interesting in getting to know you more for us to build a relationship from here,And i will like you to write me back through my email address for telling more about me and my picture as well,(joy4u34@yahoo.com)and know that distant or language those not matter,but true love matters most,Await your lovely respond soon.
    Best Regards
    Miss Joy
    "

    To view and read your messages please log in and visit: http://2bbiz.co.za/members/coach/messages/

    ---------------------
    To disable these notifications please log in and go to: http://2bbiz.co.za/members/coach/settings/notifications/

  • Timothy Bowers

    Please, I have a very real and serious problem that I have written about more than once and which is just getting worse. So please don't jump all over me - try and help me solve this genuine problem! (I have put an example of one of these messages at the end.)

    I'm sorry if you took my words as jumping all over you, I can assure you they were not.

    Often with forums on the internet words and texts can be misconstrued because they can lack feeling and empathy.

    So again please excuse my tone if you believed it to be abrupt or off. It wasn't my intention.

    Firstly - I have no idea how they gained access - that is what I am asking you guys.... And I have no idea what code they are using.

    Your hosting company will have access logs; these should help you to determine how they gained access. They should be able to go through them for you. It should be in their interest to do this as the security risk could potentially be at the server level.

    We wouldn't know for sure, as it isn't our server so we have no root access.

    Secondly - I have NOT given them admin access (how they are getting in is the whole problem). Only my husband and I have admin access. What is even more frustrating is that even I as the administrator cannot send messaging e-mails to ALL the members at once so how on earth are the hackers doing it?

    This would be hard to know without seeing those logs. Your host should be able to see where the mail was sent from, which php script.

    I know on my servers, I have limits on the amount of mail a client can send. If they want it removed, they contact us to discuss the purpose further.

    I couldn't comment on your host or how they run things though, but again they should be able to see in the logs where the mail came from.

    You could check though to ensure that you don't assign them the admin role whilst signing up. This can be done when creating a level and only appears in the Advanced area of the Level creator/editor.

    In any case, please ensure all your WP, Themes and Plugins are the most current version.

    From what you're describing though, I don't think this is hacking. I think it's just spammers signing up and using the internal mail options of BP. Usually hackers will do more damage than spamming.

    In fact you can actually buy spam software for systems like Joomla and WordPress where it automates the signing up, the commenting, the messaging, etc. They try to bypass any captcha or similar systems.

    I get it on a couple of my own sites. I just keep banning em - Marking as spammer. You could also block IP ranges from countries known for this, but keep in mind this could ban potential genuine users as well.

    Take care.
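As an added illustration of the log check Timothy suggests (this is not code from the thread, nor from WPMU DEV or WordPress): a small Python script that reads PHP's mail.log, counts mail() calls per originating script, and flags time windows in which many distinct members were mailed at once, which is what a member-wide spam message looks like in such a log. It assumes the host has php.ini `mail.log` pointed at a file; the line layout is PHP's, while the script path, addresses and timestamps are constructed for the demo.

```python
"""Mail-burst check over a PHP mail.log (added example; not code from the thread).
Assumes php.ini 'mail.log' is set, so every mail() call is logged with the calling
script. The sample paths, addresses and timestamps below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # all timestamps are kept naive UTC

# Constructed sample: one ordinary notification in the morning, then six
# notifications to different members within two minutes that evening.
SAMPLE_MAIL_LOG = """\
[03-Oct-2011 09:12:41 UTC] mail() on [/var/www/wp-includes/class-phpmailer.php:2008]: To: a@example.com -- Headers: From: site@example.com
[03-Oct-2011 22:15:05 UTC] mail() on [/var/www/wp-includes/class-phpmailer.php:2008]: To: m1@example.com -- Headers: From: site@example.com
[03-Oct-2011 22:15:06 UTC] mail() on [/var/www/wp-includes/class-phpmailer.php:2008]: To: m2@example.com -- Headers: From: site@example.com
[03-Oct-2011 22:15:30 UTC] mail() on [/var/www/wp-includes/class-phpmailer.php:2008]: To: m3@example.com -- Headers: From: site@example.com
[03-Oct-2011 22:16:02 UTC] mail() on [/var/www/wp-includes/class-phpmailer.php:2008]: To: m4@example.com -- Headers: From: site@example.com
[03-Oct-2011 22:16:40 UTC] mail() on [/var/www/wp-includes/class-phpmailer.php:2008]: To: m5@example.com -- Headers: From: site@example.com
[03-Oct-2011 22:16:55 UTC] mail() on [/var/www/wp-includes/class-phpmailer.php:2008]: To: m6@example.com -- Headers: From: site@example.com
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+)"
)

def parse_mail_log(text):
    """Return one record per mail() call: timestamp, calling script, recipient."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a mail() record; PHP may interleave other output
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S %Z")
        entries.append({"ts": ts, "script": m.group("script"), "to": m.group("to")})
    return entries

def sends_per_script(entries):
    """Count mail() calls per originating PHP script (the check suggested above).
    On WordPress everything funnels through wp_mail(), so expect a single script."""
    return Counter(e["script"] for e in entries)

def find_bursts(entries, window_seconds=300, threshold=5):
    """Return (window_start, distinct_recipients) for fixed windows in which at
    least `threshold` distinct addresses were mailed: a member-wide message shows
    up as one such spike, a normal one-to-one notification does not."""
    buckets = defaultdict(set)
    for e in entries:
        key = int((e["ts"] - EPOCH).total_seconds()) // window_seconds
        buckets[key].add(e["to"])
    return [(EPOCH + timedelta(seconds=k * window_seconds), len(r))
            for k, r in sorted(buckets.items()) if len(r) >= threshold]

if __name__ == "__main__":
    records = parse_mail_log(SAMPLE_MAIL_LOG)
    print(sends_per_script(records))
    for start, n in find_bursts(records):
        print(f"burst: {n} recipients mailed in the window starting {start} UTC")
```

Point the parser at the real mail.log path from php.ini and lower or raise the window and threshold to match the site's normal notification volume.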

  • aecnu

    Greetings Ann Williams,

    We have not heard back from you as to the status of this issue.

    If you are still having an issue please let us know so that we may try to get you fixed up as soon as possible by choosing to check mark this ticket as unresolved below and posting any new errors or symptoms you are noticing.

    This action will also bring your ticket up front back in plain view again within the ticket system.

    Thank you for being a WPMU Dev Community Member!

    Cheers, Joe

  • Ann Williams

    Right....

    We can't trace back logs as our host only keeps recent history.

    We've now totally upgraded the site:
    - Latest WordPress
    - Latest BuddyPress
    - Latest Membership widget
    - Latest membership and BP supporting widgets....

    I am also NOT using the automated registration modules at all. (I ask them to fill in a form that I have placed on the site separately, and then will make a new user myself and send them the details once they are in the system.) I.e. the registration functions on both the Membership widget AND BP are turned off.

    But I still had a spammer/hacker who signed up as a new member! (Go figure.)
    I have deleted them immediately before they even tried to send out automated e-mail messaging to all my community members. (I've switched the BP friending and messaging back on again.)

    What we have now done (after the new user hack), was to change the names of the following pages:
    - 'Register' in BP.
    - 'Activate' in BP.
    - 'Registration' in the Membership widget.

    If this doesn't help then I am absolutely @#$$ as I cannot then even hope to make use of the automatic sign-up and payment part of the Membership widget and may have to just close the community completely (which will be a huge blow to the site).

    So let's see what happens. I'll let you know how it goes...

  • aecnu

    Greetings Ann Williams,

    Thank you for the feedback, it is certainly appreciated and valuable to the point of trying to resolve this issue.

    In an effort to help, do you folks have "Enable incomplete signup accounts" unchecked?

    Logged into the admin dashboard go to --> Membership --> Options --> Enable incomplete signup accounts --> and be sure that it is not check marked.

    Please advise.

    Cheers, Joe

  • Ann Williams

    Hi Joe

    Not sure if you can see our site: http://www.2BBiz.co.za

    Oh yes. It's definitely unchecked.

    When I first loaded WP and BP I kept the enable incomplete sign-up checked as it meant that I didn't have to activate everyone (which is of course also a pain.) It worked fine.

    At that stage I could see if any spam users registered because I also made sure that they had to fill in the extra fields when they registered. So if a user had something like XYZK in one of those fields I immediately deleted them. Thankfully they couldn't send automated messages to anyone else though.

    Then the Membership widget was updated and two things happened:
    1. These new users (spam users) didn't always show up in the Members section of BP. (Thankfully an e-mail was sent though.)
    2. Some of these spam users started posting junk in the community page.

    So I immediately unchecked the box.... This way I at least could identify them by going to the inactive queue in Members. (However, I didn't always manage to get them in time.)

    We then downloaded the RC2 release - and then the fun REALLY started.
    From then on there were two more major issues:

    1. Some of the spam users weren't even showing up in the Inactive queue - they were already Activated! (Despite the box being Unchecked.) And they didn't show up on the BP Membership list either.

    What this also meant was that I didn't get to see anything, e.g. funny XYZKA in the required fields, because they now didn't show up in the BP Members list....

    2. These users could now send out BP messages (which were then sent via e-mail EEEKKK!!!) to ALL the members of the community. As you can imagine - this created a storm of my members calling me, writing back and wanting to be deleted from the site.

    I suspect that the reason why they could do this lies with a 'mismatch' / 'open door' between the BP and the Membership widgets. Why I say so is because when a new user first registered, they filled in their details - and then they could have access to ANYTHING (including all the posts behind URL groups / levels / hidden, as well as to their User profile fields etc) - until they logged out for the first time.

    After that, they could not log back in until I had Activated them in the Membership module.

    Also, anything that the new user wrote in their User profile fields during their registration visit was not passed through to the BP profile that appears in the BP community (which of course is what I would like to happen).

    So in desperation I took out ALL of the friending and messaging in BP - which pretty much defeats the object of getting hold of other entrepreneurs in the community....

    Currently - after upgrading everything - I am still leaving the 'Enable incomplete sign ups' box Unchecked. We have now:
    - turned off User Registrations on the main control panel settings;
    - emptied the Subscription Plans on the Membership widget;
    - changed the names of all of the registration pages (both on the Membership AND the BP modules);
    - and not put a front-end link to any kind of registration page on from the site.
    (We have Akismet active instead of SPLOGS as we don't run blogs for other users - just the community forum. And of course Akismet and AntiSPLOG don't play nice together so you get one or the other.)
    I have however, put back the BP send messages and friending systems so that our Members can talk to each other.

    Re: registration
    I have now put up a php form that I made in FormFields (i.e. standalone from the site). New members will have to fill in the form with their details. I will then copy them from the e-mail the form will generate, allow New User Registrations, make a New User, fill in their details - and actually send them an e-mail giving them details of their new Login and Password, and then switch off the Allow New User Registration in the main control panel again. I.e. NOTHING automated at all.

    So let's see what happens.... Right now I am totally petrified to even try anything else in case I get another message sent out to my members, because if that happens I can just pack up what I am trying to do.

  • Tom Eagles

    @Ann Williams

    Sorry to hear about all your troubles. It may be worth you looking at the following two plugins designed to help minimise suspicious activity on your site; both keep an active list of known IP addresses used by spammers etc., and anyone trying exploits also gets blocked.

    they are

    http://wordpress.org/extend/plugins/wordfence/
    http://wordpress.org/extend/plugins/avh-first-defense-against-spam/

    Both do an awesome job. My site's not even set to allow registration yet and they are already blocking exploit attempts and blocking the IP addresses automatically, plus they send a warning email to you when it happens.

    Hope this helps.

  • Ann Williams

    Thanks Joe. I'll be very interested to see what happens here as well....

    Tom. Hi. Thx. I'll give this a go - it will be good to get hold of IPs as I suspect it is the same people who have been sending me huge numbers of spam comments on my posts (we had Akismet off for a while and landed up with a dozen or two spam comments a day).
    So definitely worth a try - I hope it plays nicely with the other widgets I already have....
    Cheers

  • PC

    Hiya,

    Greetings and thanks for being a great community member.

    We haven't heard from you on this one for long and I am doing a regular followup to see if there is still something we can assist you on this thread.

    Just to manage the support issues more efficiently, I am marking this thread as resolved for now however this is not being done to avoid your questions in any ways.

    Please feel free to mark this is "Not resolved" in case you have further questions and we would be back on it.

    Thanks a lot for being with WPMU DEV.

    Cheers
    PC
    Sales & Support

