Hardening BuddyPress Against Spammers
One of the first major problems for anyone who sets up a public social networking site with BuddyPress is the amount of spam that has to be dealt with. Unless you have taken steps to keep spammers off your site, your life can become hell. This article explains how to configure your WordPress/BuddyPress site so that as little spam as possible gets through.
What is Spam?
Spam is content posted on your site with the intention of advertising or promoting another site. Usually it has little to do with your site, and once spammers have gained access they can flood it with spam, making the site undesirable to members and creating a lot of work for you deleting the unwanted content.
There are different types of spammer: spam bots, humans, and hybrids of the two. The method of spamming also varies. Some spammers target comments, on sites that have enabled public comments; on social networks there is also new-user spam (registration spam), where bots and humans register on your site in order to create posts, groups, forum topics and so on that advertise one site or another. These spammers often post in a different language from the site in question and can go to great lengths to make their content look legitimate; they may even hide their links in content that is not visible on the page.
Spammers are not the only unwanted visitors to your site; there are also hackers, which is why several of the measures below protect logins as well as registrations.
How can we prevent Spam?
There are a number of ways to keep spam content off your site. Plugins use a variety of techniques to filter out spammers: they check visitors against databases of IP addresses, login names and email addresses used by known spammers, and they check that the email address given at registration is a genuine, deliverable one (for example that its domain exists). There are also "honeypot" traps for bots: invisible fields are placed on the registration page which a human never sees, so only a bot fills them in, and any submission with those fields completed is rejected.
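The honeypot idea is simple enough to build yourself. The following is an added example, not code from this article or from any of the plugins it names: a must-use plugin that adds an off-screen "Website" field and a signed timestamp to the BuddyPress registration form, then rejects any signup that fills the trap field or comes back faster than a human could type. It uses two real BuddyPress hooks, bp_before_registration_submit_buttons and bp_signup_validate; the field names, the BPHP_ prefix and the five-second minimum are this example's own choices.

```php
<?php
/**
 * Plugin Name: BP registration honeypot (example)
 *
 * Added example, not code from the article or from any plugin it names.
 * Save as wp-content/mu-plugins/bp-honeypot.php so it loads without activation.
 * Real hooks used: bp_before_registration_submit_buttons, bp_signup_validate.
 * Field names and the 5-second minimum are assumptions made for this example.
 */

// A "real-looking" name attracts bots; humans never see the field.
const BPHP_TRAP_FIELD  = 'signup_website';
const BPHP_TIME_FIELD  = 'signup_started';
const BPHP_MIN_SECONDS = 5;

/**
 * Build the signed timestamp that goes in the hidden time field.
 * Signing with wp_hash() stops a bot from submitting an old, "slow" value.
 */
function bphp_make_token( $now ) {
    return $now . ':' . wp_hash( 'bphp|' . $now );
}

/**
 * Pure check: the token must be correctly signed, at least BPHP_MIN_SECONDS old
 * (nobody fills in a registration form faster than that) and not stale.
 */
function bphp_token_is_fresh( $token, $now ) {
    $parts = explode( ':', (string) $token, 2 );
    if ( count( $parts ) !== 2 || ! ctype_digit( $parts[0] ) ) {
        return false;
    }
    $started = (int) $parts[0];
    if ( ! hash_equals( wp_hash( 'bphp|' . $started ), $parts[1] ) ) {
        return false;
    }
    $age = $now - $started;
    return $age >= BPHP_MIN_SECONDS && $age <= 6 * HOUR_IN_SECONDS;
}

/**
 * Print the trap fields just before the submit button. The trap input is moved
 * off-screen with CSS rather than being type="hidden", because many bots skip
 * hidden inputs but happily fill in anything that looks like a text field.
 */
function bphp_render_fields() {
    $trap  = esc_attr( BPHP_TRAP_FIELD );
    $token = esc_attr( bphp_make_token( time() ) );
    echo '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">';
    echo '<label for="' . $trap . '">Website</label>';
    echo '<input type="text" name="' . $trap . '" id="' . $trap . '" value="" tabindex="-1" autocomplete="off">';
    echo '</div>';
    echo '<input type="hidden" name="' . esc_attr( BPHP_TIME_FIELD ) . '" value="' . $token . '">';
}
add_action( 'bp_before_registration_submit_buttons', 'bphp_render_fields' );

/**
 * Reject the signup if the trap was filled in or the form came back too fast.
 * BuddyPress displays errors keyed 'signup_username' next to the username
 * field, so a (rare) human who trips the check still sees a message.
 */
function bphp_validate_signup() {
    $bp = buddypress();

    if ( ! empty( $_POST[ BPHP_TRAP_FIELD ] ) ) {
        $bp->signup->errors['signup_username'] = 'Registration could not be processed.';
        return;
    }

    $token = isset( $_POST[ BPHP_TIME_FIELD ] ) ? wp_unslash( $_POST[ BPHP_TIME_FIELD ] ) : '';
    if ( ! bphp_token_is_fresh( $token, time() ) ) {
        $bp->signup->errors['signup_username'] = 'Please take a moment over the form, then try again.';
    }
}
add_action( 'bp_signup_validate', 'bphp_validate_signup' );
```

Two caveats when you deploy something like this: test the form in your own browsers first, because browser autofill can populate an off-screen field whose name it recognises (a name like "signup_website" may be worth changing for that reason), and remember that a honeypot only catches bots. Human and hybrid spammers fill the form in like anyone else, which is why the moderation and registration questions later in this article still matter.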
On top of these measures there are the measures that you, as site admin, can put in place to minimise the chances of a spammer getting onto your site. Moderation is key: untrusted registrations are not allowed onto your site until approved, and the registration form collects enough information for you to make a moderation decision.
WordPress is the underlying platform that BuddyPress sits on; if WordPress is weak then your BuddyPress install will be weak. Here are some measures to harden your WordPress:
Do not use admin as an administrator login name
This is a well known default for many WordPress sites: the administrator login name is admin. Attackers know this and will run password-guessing attacks against that name on every site they find. Using a different login name means they have to guess both the username and the password, rather than just the password. Note that this only helps if the name cannot simply be looked up, which is why user enumeration is covered below.
Use a different display name to your admin user name
Make sure that all admin users set a display name that is different from their login name. This avoids advertising the login names of administrators around your site and is good general practice. On a BuddyPress network this does not completely mask the username, because member profile URLs use the user's nicename, which defaults to the login name, but it does minimise where it is displayed.
In Dashboard>>Settings>>Discussion make sure that, under "Before a comment appears", either "Comment must be manually approved" or at least "Comment author must have a previously approved comment" is ticked, so that new commenters are moderated and have to be approved before their comments show.
Install Limit Login Attempts Reloaded
This plugin defends against someone running software to guess the passwords for your site's login names. It progressively locks out an IP address that keeps making incorrect login attempts, even when the username it tries does not exist. With the default settings, four failed attempts lock the address out for 20 minutes, and after four such lockouts the lockout is extended to 24 hours.
To install it go to Dashboard>>Plugins>>Add New and search for Limit Login Attempts Reloaded, then install and activate the plugin. Once installed you can go to Dashboard>>Settings>>Limit Login Attempts to set your preferences for the number of failed attempts that will result in a lockout and how long the lockout lasts.
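To make clear what a lockout plugin is actually doing, here is an added example of the mechanism as a small must-use plugin. It is not code from this article or from Limit Login Attempts Reloaded; the thresholds copy that plugin's defaults as an assumption (4 failures, 20 minutes, 24 hours after the fourth lockout, failures forgotten after 12 hours), and the PLL_ names are this example's own. It counts failures per IP address with WordPress transients and refuses further logins from a locked-out address even when the password is right.

```php
<?php
/**
 * Plugin Name: Progressive login lockout (example)
 *
 * Added example of how a lockout plugin works; this is not the article's code
 * and not Limit Login Attempts Reloaded's own code. The thresholds below copy
 * that plugin's defaults (an assumption). Save as wp-content/mu-plugins/lockout.php.
 */

const PLL_MAX_RETRIES          = 4;
const PLL_LOCKOUTS_BEFORE_LONG = 4;
const PLL_SHORT_LOCKOUT        = 20 * MINUTE_IN_SECONDS;
const PLL_LONG_LOCKOUT         = 24 * HOUR_IN_SECONDS;
const PLL_RETRY_WINDOW         = 12 * HOUR_IN_SECONDS;

/**
 * The address being counted. REMOTE_ADDR is the one value the client cannot
 * forge; behind a reverse proxy or CDN, take the address from that proxy's
 * header instead, and only when REMOTE_ADDR is the proxy itself.
 */
function pll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function pll_key( $ip, $what ) {
    return 'pll_' . $what . '_' . md5( $ip ); // transient names must stay short
}

/** Seconds left on the address's lockout, or 0 if it is not locked out. */
function pll_lockout_remaining( $ip, $now ) {
    $until = (int) get_transient( pll_key( $ip, 'until' ) );
    return $until > $now ? $until - $now : 0;
}

/**
 * Record one failed login. Returns the lockout duration just imposed, in
 * seconds, or 0 if the address is still under the retry threshold.
 */
function pll_record_failure( $ip, $now ) {
    if ( pll_lockout_remaining( $ip, $now ) > 0 ) {
        return 0; // already locked out; retries during a lockout do not extend it
    }
    $fails = (int) get_transient( pll_key( $ip, 'fails' ) ) + 1;
    if ( $fails < PLL_MAX_RETRIES ) {
        set_transient( pll_key( $ip, 'fails' ), $fails, PLL_RETRY_WINDOW );
        return 0;
    }
    // Threshold reached: each further lockout escalates the duration.
    $lockouts = (int) get_transient( pll_key( $ip, 'lockouts' ) ) + 1;
    $duration = $lockouts >= PLL_LOCKOUTS_BEFORE_LONG ? PLL_LONG_LOCKOUT : PLL_SHORT_LOCKOUT;
    set_transient( pll_key( $ip, 'lockouts' ), $lockouts, PLL_LONG_LOCKOUT );
    set_transient( pll_key( $ip, 'until' ), $now + $duration, $duration );
    delete_transient( pll_key( $ip, 'fails' ) );
    return $duration;
}

// wp_login_failed fires for every failed attempt, including attempts against
// usernames that do not exist, so those are counted too.
add_action( 'wp_login_failed', function ( $username ) {
    pll_record_failure( pll_client_ip(), time() );
} );

// A successful login clears the address's failure count.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( pll_key( pll_client_ip(), 'fails' ) );
}, 10, 2 );

// Run after WordPress's own authenticate handlers (priorities 20 and 30) so a
// locked-out address is refused even when it has finally guessed the password.
// The message deliberately says nothing about whether the username exists.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $remaining = pll_lockout_remaining( pll_client_ip(), time() );
    if ( $remaining > 0 ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.', ceil( $remaining / 60 ) )
        );
    }
    return $user;
}, 40, 3 );
```

Because the check sits on the authenticate filter it also covers XML-RPC and REST logins, not just wp-login.php. The real plugin adds what this example leaves out: a whitelist so you cannot lock yourself out, per-username as well as per-address counting, and logging of who was locked out and why.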
Anti Spam/Hacking Plugins
On larger or more exposed sites you should consider installing all of these for maximum protection; on smaller sites not all of them will be needed.
Akismet checks for comment spam. When you activate the plugin you will need to sign up on the Akismet website to get an API key. Whether you need comment spam detection depends on whether you allow comments from everyone or only from your logged-in members, and on how strictly you vet those members.
To install Akismet go to Dashboard>>Plugins>>Add New. Akismet is usually already displayed, but if not you can search for it; once located, install and activate it. The rest of the plugins mentioned here are installed and activated in the same way.
Akismet will not work until you have registered on the Akismet website and entered the key it gives you; this is a simple case of registering and following the instructions.
Whilst not strictly anti-spam, this plugin removes the ability for members to comment on your site's pages. Most social networks do not allow comments on pages (but do on posts), to keep them clean and uncluttered, so this is a good option to have; the alternative is to turn off comments page by page, which is tedious. Once activated the plugin displays a message asking you to go to its configuration page to set it up. The configuration for most sites is to disable comments on pages only.
Stop Spammers protects against various forms of spam, including comment and registration spam. If you go to Dashboard>>Stop Spammers>>Protection Options, all of the anti-spam measures put in place by Stop Spammers are clearly explained and can be switched on or off.
This plugin prevents user enumeration, that is, attempts to discover valid login names (for example by requesting /?author=1, /?author=2 and so on, by querying the REST API users endpoint, or by reading the login form's error messages), which an attacker then feeds into a password-guessing attack. There is no configuration: you simply install and activate it.
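If you would rather see what such a plugin does than take it on trust, the following is an added example (not this article's code, and not the code of the plugin it refers to) that closes the usual enumeration routes with four WordPress hooks: the /?author=N redirect, the REST users endpoint, the login error message, and the authors sitemap that WordPress 5.5 and later publish. The sue_ function names are this example's own.

```php
<?php
/**
 * Plugin Name: Stop user enumeration (example)
 *
 * Added example, not the article's code and not the code of the plugin it
 * refers to. Save as wp-content/mu-plugins/stop-enumeration.php.
 */

/** True when the query asks for an author by numeric ID, e.g. /?author=1. */
function sue_is_author_id_probe( array $query ) {
    return isset( $query['author'] ) && ctype_digit( (string) $query['author'] );
}

/** Error codes whose messages reveal which half of the credentials was wrong. */
function sue_is_revealing_login_error( $error ) {
    return is_wp_error( $error )
        && in_array( $error->get_error_code(), array( 'invalid_username', 'invalid_email', 'incorrect_password' ), true );
}

// 1. On the front end, /?author=N is normally redirected to /author/<login>/,
//    which hands out the login name for every user ID. Send it home instead.
//    The admin area is excluded because the Posts screen legitimately filters
//    by ?author=N there.
add_action( 'init', function () {
    if ( ! is_admin() && sue_is_author_id_probe( $_GET ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
} );

// 2. /wp-json/wp/v2/users lists the slugs of everyone who has published a post.
//    Hide the endpoint from anyone who could not see the Users screen anyway.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! current_user_can( 'list_users' ) ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. WordPress's own handlers run on 'authenticate' at priority 20 and return
//    different errors for an unknown user and a wrong password. Collapse both
//    into one message before wp-login.php displays it.
add_filter( 'authenticate', function ( $user ) {
    if ( sue_is_revealing_login_error( $user ) ) {
        return new WP_Error( 'invalid_login', 'The username or password you entered is incorrect.' );
    }
    return $user;
}, 21 );

// 4. Since WordPress 5.5 the core sitemap lists author archives
//    (wp-sitemap-users-1.xml); returning false drops that provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

Bear in mind what this cannot do on a BuddyPress site: the members directory and profile URLs (/members/<nicename>/) publish every member's nicename, which defaults to the login name, so ordinary members' usernames are public by design. What these measures protect is mainly the accounts that are not ordinary members, in particular administrators, and even for them the lockout and a strong password remain the real defence.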
WangGuard protects against higher-level spammers who may already have gained access to your site, by adding a report button to content, and also prevents many spammers from registering in the first place. You will need to register with WangGuard to get an activation key for the plugin to work. Once activated there are a range of configuration options you can set, but in general the defaults are suitable for most social sites. One of the checks WangGuard puts in place at registration is that the new member's email address comes from a valid domain name. Another feature is a "Report User" button on BuddyPress status updates and comments, so that members can report other members for spam activity. WangGuard was a hosted service and has since been discontinued, so check that whatever plugin you rely on for this job is still maintained.
Wordfence is a very fully featured anti-hacking and site monitoring system; the Live Traffic feature is a must, as is the firewall. When first activated, Wordfence offers to sign you up to its mailing list and to take a product tour; both are worth doing.
On activation you will also be asked to set up the firewall. It asks you to download a backup of your .htaccess file (and .user.ini, where present) in case there are problems, because it modifies these files so that the firewall loads before WordPress does. This is simply a case of saving the backup to your local storage, after which it makes the modifications and you can continue looking over the configuration options.
When configuring it, do not forget to enable the warning emails to admin; this is useful because it tells you when your site is under heavy attack. You can then go to the Live Traffic feature and block the attackers' IP addresses manually.
Blocking IP Addresses with Wordfence
Once Wordfence is installed, one of the tasks you can perform is to permanently block IP addresses that are attacking your site. Typically there are two types of rogue traffic: bots trying to brute-force a login, and bots trying to register. You can see this traffic by going to Dashboard>>Wordfence>>Live Traffic. On this screen you can watch traffic as it happens, with options to block any offending address. Note that such a block is only temporary; to make your blocks permanent go to Dashboard>>Wordfence>>Blocked IPs and click the button to make all temporary blocks permanent.
Blocking entire Countries from accessing your site
Sometimes it is easiest simply to block entire countries from accessing your site. For example, you may be getting a large number of login attempts from Russia while your site is aimed at English-speaking countries such as the UK and USA. In that case blocking IP addresses by hand becomes cumbersome and an easier method is called for. This can be achieved with the IP Geo Block plugin, which allows you to whitelist or blacklist particular countries for the front end and/or the back end of your site. Bear in mind that country blocking is coarse: it relies on a GeoIP database that is not always accurate, it will shut out legitimate members who travel or use a VPN, and a determined attacker can route through a proxy in an allowed country.
Many of the plugins already mentioned also support BuddyPress, so much of the job of protecting BuddyPress is already done. However, there are a few aspects of your BuddyPress network that you might like to consider for extra protection.
Install BuddyPress Registration Options.
After installing this plugin there is a new Dashboard menu item, Dashboard>>BP Registration>>BP Registration, where you can turn on moderation for all new member registrations. You can also use it to make your site a private network, which is handy if you feel you need additional privacy.
Moderation of new members is your last line of defence against spammers getting onto your network: you decide whether or not they join, and in order to make that decision you need them to provide some information.
Add extra fields to the registration page questions
You can make your life a lot easier by getting would-be members to tell you a bit about themselves, to help you decide whether to let them join. Spammers often have little to say, or try to spam you from the start, so ask new members where they live, how old they are, a bit about themselves and why they wish to join your network. That kind of thing makes your life easier in the long run. Make sure a good few of these informational fields are marked "Required": required fields must be completed at registration, so a bot that only knows how to fill in a username, email address and password cannot get past the form.
You add these extra fields to the registration page by going to Dashboard>>Users>>Profile Fields. Add them to the primary profile field group (named "Base" by default, unless it has been renamed), since only the fields in that group are shown on the registration page; you can also drag the fields into the order you want them to appear, top to bottom.
Give members the ability to block other users where you can
One optional extra is to give members the ability to block other members. This is not universally doable; one plugin, BP Block Users, lets users prevent other users from messaging them. It does not cover any chat plugin you may have installed, so it is not a universal fix, but giving members this ability is worth thinking about while you are reviewing the wide range of spam threats you may face.
Some spammers will get past your defences, and for the members who encounter them those Block and Report buttons may be important.