recaptcha for Buddypress login

Hello, @marxmann

The Wordfence captcha is for the default WordPress login and registration pages as well as for use with WooCommerce login/registration. If you’re not seeing the captcha load in the bottom right corner of the page on your custom login form, it is best to consider disabling the captcha functionality to avoid any conflicts.

Let us know if you have any questions.

Thanks,
Scott

So this thing is useless. Your ‘host blocking’ doesn’t work either. Adding known spammer host names like *.clergent.online, ?*.rigdong.online, does absolutely nothing to stop these from registering. Nor does *.club, *.store, *.site, *.fun. NOTHING STOPS THEM.

So does Wordfence have anything that actually can prevent these spammers from registering that works?

It sounds like you set up a block for those hostnames in the Custom Pattern section of Wordfence > Firewall > Blocking. Can you confirm if you’re seeing traffic with the blocked hostnames still hitting the site via Live Traffic (Wordfence > Tools > Live Traffic)? If so, please expand and screenshot those, as well as the block you set up.

Overall, for spam registrations, the best option will be finding a captcha that is compatible with BuddyPress.

Thanks,
Scott

Same problems – blocking a custom domain like this *.domain.com appears to be working, but these scammers use domains like below and blocking the root domain doesn’t do anything:

107-175-109-253-host.colocrossing.com

I am getting bombarded with these bot signups by the hundreds every day and your recaptcha does not work although the recapthca badge is appearing on the bottom right corner of screen. What is the solution to prevent spambot signups?

Thanks for getting back, @marxmann

The best option is to look for a captcha solution specific to BuddyPress to confirm that it is compatible.

Per our captcha documentation: https://www.wordfence.com/help/login-security/#captcha-options

“Please note that our Google reCAPTCHA feature currently only works for the default WordPress login and registration pages and may not work on custom login and registration pages generated by other plugins.”

Unfortunately, we cannot guarantee our captcha will work with other plugins. The best option will be to check with BuddyPress to see which solution they recommend.

Thanks,
Scott

I tried 5 BuddyPress recaptcha plugins and none of them work or have even been updated in years. Big mistake using these plugins. I would think a good security plugin would work for all login types. Another mistake on my part.

Custom block not working:

This spambot still registered [email protected] although the host name is blocked:

Advanced BlockHostname – *.buymail.site

Custom block not working:

This spambot still registered?778mpvqi @buymail .site?although the host name is blocked:

Advanced BlockHostname – *.buymail .site

Hello, @marxmann

I will need to see Live Traffic screenshots showing the blocked hostnames successfully accessing your site in order to help going forward. The email from the spam registration alone will not confirm the hostname they accessed the site with.

Please note that the Wordfence Custom Pattern blocking for the hostname prevents visits from certain hostnames from accessing your site. Hostname blocking is not for blocking certain email address domains from registering on your site via a membership plugin.

You mentioned “This spambot still registered 778mpvqi @ buymail . site although the host name is blocked: Advanced BlockHostname – * . buymail . site” The visitor would have had to have accessed the site from the hostname *. buymail . site in order to be blocked. You can check via Live Traffic and see the following information for some traffic that includes the hostname — for example:

IP: 1.2.3.4.5 Hostname: spamsitehosttraffic . site
Human/Bot: Bot

In this case, if you had a hostname block on spamsitehosttraffic . site, that hit would be blocked.

Overall this will not be an effective way to block spam registrations unless you can confirm there are a large number of hits all using the same hostname/referrer/IP range for the actual visit to the site and also confirm they are spam hits/not valid traffic.

Thanks,
Scott

They are spambots I am now getting dozens from .ru domains, among .site, .fun, etc,. What is an effective way to block these host names from registering and clogging up my pending users list and destroying my mail server, since most, if not all, are fake addresses?

Hello, @marxmann

The best option will be to check with BuddyPress for their recommendations, as this is a spam registration issue and outside of the scope of what we can typically help with being that you’re not using the default WordPress registration functionality.

The reCAPTCHA is the most effective option that Wordfence would offer to prevent spam signups, and it is not guaranteed to be compatible with any registration outside of the default WordPress registration functionality, and more recently, WooCommerce.

Thanks,
Scott