spam user being created even after renaming wp-signup , how?

how are spam users still being created? I renamed wp-signup.php

Also can I enter IPs in the banned domains.

I want to use this list http://mu.wordpress.org/forums/topic.php?id=817

  • drmike
    • DEV MAN’s Mascot

    That list is probably very out of date. Usually most hosts will (finally) shut down boxes after enough complaints. I know we have a similar thread over my way where we trade IP addresses and will usually send off a complaint after noticing a pattern. (And if they don't there's always a block at the routers.)

    As noted in that thread, I'd just ban via denys (however you spell it) in your htaccess file.

    As to your spam user. it's either someone doing it manually or someone who's found your page either via Google or did it manually.

    I did note that the wp-signup.php page now displays a 'noindex,nofollow' meta line. Hopefully that'll help a bit.

    I usually suggest to our clients that they go in and change the wording of their wp-signup.php page every so often. It's been noted that the signup page can be found quite easily via a simple google for the text on that page.

  • drmike
    • DEV MAN’s Mascot

    Just to mention in passing, you;re never going to get rid of splogs. To be honest, I tell my clients to brag every so often how many splogs that they shut down. In fact we have code that counts and outputs the number of blogs marked splogs. Some in fact even have it on their front page of their sites.

  • anointed
    • Flash Drive

    I may have a 'possible' solution to the splog problem.
    For the past number of months I have been running vbulletin with wordpress via a bridge setup. Basically vbulletin handles the registration and sessions etc for wordpress.

    Within vbulletin I am able to setup additional 'security' questions, recaptcha etc. I also changed all the wording on the page so it does not show up for the 'bots' to attack.

    By using this route I have only had a total of 2 spam users throughout the past number of months. And even those 2 were caught by other vbulletin measures when it looked at their posts and determined that they were spam links.

    Now I don't expect anyone else to run out and install vbulletin with a bridge to solve this issue. BUT, it may open people's eyes for writing custom login scripts for wordpress. At the very least the bots won't recognize your login script and will pass you by. Of course this would have to be custom per site, otherwise the bots will simply adapt to a new login plugin etc.

  • drmike
    • DEV MAN’s Mascot

    Rewording the signup page seems to be a very big help. I have a couple of installs where that's done nearly every week and splogs are pretty much non existent on them. Of course we also keep track of IP addresses and block on sight when possible.

    Have to admit that I'm half tempted to submit a ticket to make that text editable from the Site Admin pages although I know it'll be sent over to the regular wp trac and we all know how well that'll go over.

    edit: Do remember though that if you rename the signup page, the link is present elsewhere and has to be changed. Some themes have it. The simple forums plugin has it. (Actually it has an incorrect link for wpmu if I recall.)

  • ron_r (aka Mr. Andrea)
    • Design Lord, Child of Thor

    @johnnytee - have you turned off registrations in the site admin options?

    We were able to eliminate splogs by creating a custom moderated signup process and have not had a splog in about 2 years. Not everyone agrees with that method, but it's effective and it takes less time than cleaning up splogs.

  • johnnytee
    • Design Lord, Child of Thor

    @drmike thanks for all the help and suggestions, I'm just trying to figure how to accomplish what they are doing. I think if I could figure out how they are being registered I could come up with a solution. Any ideas o how to recreate? They create a user and I'm not notified? Is this a possible security hole? No blogs are being created just users.

    @ron_r I do have registrations open. I want to try and keep it that way if possible, I have a TOS where they have to click agree , so I'm not sure it's automatted or a person doing it. Like I said I don't get an email. I'm about to start digging through code to see if I can find out how it's being done.

  • Luke
    • The Crimson Coder

    ... "I have a TOS where they have to click agree" ...

    Which ends up as a posted value. In general, a bot can scan a page and circumvent those, and most other values which appear in a page.

    One way to accomplish something, which helps a LOT, is to create a form element... but with javascript.

    In a nutshell, you would have a function in the header (or through an included js file). This function contains say, 6 or 8 variables. Each variable making up a piece of the resulting HTML for the form field. As the last step of that function, you piece together the variables in a document write.

    Finally, where you want that field to appear in your document, you call your script function instead.

    End result is that the bot won't pick it up, as it's not in the outputted source of the document.

    You can put a little creative juice into it, and call a php file with the script tag in the header and do some other things with it, or whatever.

    Now, you're also going to have to make sure you are validating the new js field value on the backend as well, and setting an error condition if it fails.

    Another option is if you have a site that isn't targeted to a global audience. If not, and only desire registrations from a certain country or countries, then you can also block IP's which are not from the desired country/countries.

    Everything posts through the wp-signup.php page, so you could call a function within that page to validate the country, and if it's not what you want, unset $_POST variables, and display an error message. Not too descriptive, as you don't want them to then start using an open proxy in a place you're not blocking, but it could be something as simple as, "We're sorry, but we are not currently accepting new registrations."

    I've used a combination of the above (and a few other things) on several sites. Splogs: 0;

  • johnnytee
    • Design Lord, Child of Thor

    @luke thanks I plan on validating countries, I just found the issue. I have bbpress integrated, and the spam users were coming through bbpress registration.php. I only will have users that can user bbpress if the are a wpmu subscriber, therefore i can delete registration.php on the bbpress side.

    I have not had any splog created yet, so I think I'm good to go for the time being.

  • rfair404
    • Flash Drive

    I'm getting screwed on splogs! I just created a site, and have ntoo even got my first real user yet. We are not even close to promoting it yet. For some reason though, I get doxens of splogs per day. I usually wind up deleting them 10, 20 or 30 at a time every day.

    They are all coming from a user that creates somerandomname1957 or 1972 etc @myspacee.info - or at some other crap domain.

    I have tried to do a lot to obfuscate the process. Included an image captcha on the signup form, and used wp-hashcach no luck.

    Help please.

  • mirozake
    • New Recruit

    I've gotten two over a month fitting that desc. After the first, I installed si captcha and maybe 24 hours later got the second. that was maybe 2 weeks ago. They were both the same name setup. one was @host-my-site.info , the other was @websouthafrica.info.

    So lets hear it guys, which captcha plugin/mod is your pick?

  • af3
    • Design Lord, Child of Thor

    Splogs reduced significantly after I did the ,.htaccess tricks for both wp-signup and /register (using bp social theme) AND i added limit signup by country using geoip as well as moderated blog approval (duh!). Whatever captcha didnt help much before.

  • drmike
    • DEV MAN’s Mascot

    One new thing we've done is added a list of ip address matches to the emailed notice the site admins get when a new blog is created. That's a quick and easy way to tell if you've got a bot creating accounts.

    If there's no matches listed, chances are it's a real person creating that account. If there's five blogs listed, (we max the list out at five) chances are it;s a bot.

    We also include the rDNS for that IP address and the timestamps when those blogs were created.

  • Kristina
    • Site Builder, Child of Zeus

    @ron_r (aka Mr. Andrea)

    We were able to eliminate splogs by creating a custom moderated signup process and have not had a splog in about 2 years.

    I would KISS you :slight_smile: if you could shed some light on this. I would LOVE to do a custom sign up process frankly.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.