Occasionally we have 2¢ to add

Eliminate BuddyPress Spam Registrations

If you’ve ever managed a BuddyPress site, you know that SPAM registrations quickly became the bane of your existence. When we built NetDivvy, we were cleaning out thousands of spammy user records every single day. It didn’t take long for me to start brainstorming ways to get rid of the problem.

To solve this problem, I’ve seen people add image verification (captcha) or other user entry field to the registration process to verify that the user was human. Personally, I’ve always hated captchas, so I wasn’t about to subject our users to that torture. They’re so frustrating sometimes that I’ve made the decision to not sign up for a web site because they employed them.

So if we’re not going to burden our users with extra fields to fill out, how are we going to stop these spam bots?

We treat them like thieves. They’re stealing our most valuable asset, time. Just like in the movies, we have to outsmart them – we have to set a trap. In the computer world, we call this a honeypot. But in order for it to work, we have to get into their virtual heads and think like they do. Much like you do with a mouse trap, you have to tempt the spam bot with something they want. So, what are spam bots are looking for? Inputs to fill out.

Here’s the plan.

  1. Create an extra text field hidden via CSS
    1. Since it’s hidden from view, users won’t see it or fill it out
    2. Spambots will usually fill out all form elements so they don’t miss any required fields
  2. Upon submission, check the hidden text input to see if it has a value. If it does, it’s a spammer.

Sounds straight forward, right? After implementing this on NetDivvy, we have gone from thousands of SPAM registrations per day to one or two per week. Since it’s been so helpful to us, we’ve decided to release the functionality to the public. We’ve created a plugin that you can install and it will just work.

You can download the plugin here.

If you’re interested in seeing the code, continue reading.

First, we utilize the ‘bp_after_signup_profile_fields’ BuddyPress action to add our hidden text field.

We then check to see if the input is empty via the ‘bp_core_validate_user_signup’ filter and return an error if it is filled in. BuddyPress and WordPress take care of the rest.

If you find any errors, or have any additions, please submit an issue on the github repo.

This entry was posted in Plugins and tagged , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.


  1. Posted October 8, 2012 at 6:09 am | Permalink

    I really appreciate this plugin and you sharing it. I’m having trouble with the format of the readme file. Can you make a text file available?

  2. Posted October 8, 2012 at 10:32 am | Permalink

    @Mike, by “readme file” are you referring to the code that is shown in the post? If so, you can find that code with these two Gist links:

    https://gist.github.com/3748153 and https://gist.github.com/3748153

  3. h.a.p.p.y
    Posted November 11, 2012 at 2:48 am | Permalink


    Thank Buddha… we’ve been getting slammed off & on for months – manual approval, by sending activate link to admin instead, has been lotsa fun – your clever trick works like a charm right out of the box!

    Count me ‘relieved’ to not have 20-spam registrations per hour, all / every day, needing review.. 8-)

    Many (many-many-So-many) Thanks for sharing..

  4. Posted November 21, 2012 at 5:39 am | Permalink

    Hi there,
    Thanks for your plug in. I have a question though. How do we know who has filled in (spam bot) that field who hasnt? Where do we check that? I see nothing at the back end and under the list of users ?

  5. Brandon
    Posted November 21, 2012 at 8:52 am | Permalink

    Gregory, you won’t see them in the user table. If it’s working correctly, you will see a reduction in spam users being registered in your network.

  6. Posted November 21, 2012 at 12:06 pm | Permalink

    So we wont see anything who and how they get trapped!! Can we at least tes this? What do I look for with firebug?

  7. Brandon
    Posted November 21, 2012 at 2:29 pm | Permalink

    You won’t see any spam users in the system (that’s kind of the idea). One idea, if you really want to see them, would be to modify the validate script to set the spam flag in the users table for that user instead of denying them membership. If you end up going this route, I’d love to see what you come up with.

  8. Posted November 24, 2012 at 10:58 am | Permalink

    I did not go that way Brandon. I see some days after that spam users did not stop registering. It almosts seems to be impossible to stop this from happening and Im even more impressed how the buddypress community hasnt done something about it.

    Im using your plugin, SI captcha, AVH First Defense Against Spam and even directing traffic throug Cloudflare. No results …. spammers registering everyday.

    Do you maybe have any suggestions what else could have been tried?

  9. Brandon
    Posted November 27, 2012 at 10:30 am | Permalink

    Gregory, are you seeing all of your signups coming from a specific domain, or a common domain extension? If so, you could add some code to our plugin that would catch those domain names too.

  10. Posted December 28, 2012 at 2:51 am | Permalink

    Nice tutorial!. Nice tips to use. Spamming is bad for business and buddypress is not doing anything to stop it. I own a buddypress site and followed this tips here


    This work like a charm. No spam registration

  11. Per
    Posted January 28, 2013 at 8:11 am | Permalink

    I had tons of spam registrations coming in to my ByddyPress. At worst it made me consider shutting it down and/or swap to other platform.

    Using captchas, questions, hidden fields etc I made it to all time low to some 10-15 that made it through for manual cleaning. But even so. This caused me to once a week manually having to clean out activity, groups and accounts — besides having to understand that during this week my site had all kind of weirdo url-black-hat-seo:s going on risking google to consider the site to be a url-farm.

    The one and only turn key solution that fixed it permanently and down to a zero-spam-registration was installing the plug in Wanguard and then enabling a security question.

    Now I can see in the configuration that it kills 100 % of the spam registrations, it is a blessing and it is awesome to see that Wanguard is such a success.

  12. Posted April 15, 2013 at 7:09 pm | Permalink

    Like Per, I am resorting to WangGuard. Without security questions it keeps spam registrations at a minimum but I am now considering adding a security question. I prefer not to do this as it negatively impacts the UX at the outset but I see no other way that the spammers can’t eventually find a way through. Thanks for reminding me of the security question options. I’ll be adding some soon.

  13. Posted April 26, 2013 at 5:28 pm | Permalink

    Thanks Brandon! Like you and so many others I’ve seen crazy spam registrations on our various wordpress sites. Weirdly, it seems like over 50% of them come from .PL email addresses.

    Do you know why spambots register on sites? If you let them register as a “subscriber” they aren’t able to do anything on your site anyway (are they? :) Or perhaps they’re crawling for other treasure and just register when they come to your site.

    In any case, your hidden field trap is very clever – congrats & thanks!

  14. Josh
    Posted May 5, 2013 at 3:08 pm | Permalink

    Whats the chance of having the ID change? Just so the spammers don’t try and just block your form class/id?

  15. Funkatron
    Posted May 6, 2013 at 11:21 pm | Permalink

    I’ve made some modifications to the code that seem to work:

    -Use the ‘wpmu_validate_user_signup’ to validate if you are using a multisite:
    add_filter( 'wpmu_validate_user_signup', array( &$this, 'check_honeypot' ) );
    -BuddyPress doesn’t seem to take into account custom errors so just name the error ‘user_name’ should do the trick:
    if( isset( $_POST[$bppj_honeypot_name] ) && !empty( $_POST[$bppj_honeypot_name] ) )
    $result['errors']->add( 'user_name', apply_filters( 'bppj_honeypot_fail_message', __( "You're totally a spammer. Go somewhere else with your spammy ways." ) ) );

  16. Hamzah
    Posted July 4, 2013 at 3:39 am | Permalink

    I think this is not working, @funktron,
    where should i paste your code.

  17. Posted August 13, 2013 at 4:16 am | Permalink

    Just wanted to post and say thanks for sharing, great plugin that works without frustrating users.

  18. Posted January 10, 2014 at 4:27 am | Permalink

    An outstanding share! I’ve just forwarded this
    onto a coworker who was doing a little homework on this.

    And he actually ordered me dinner simply because I discovered it for him…
    lol. So allow me to reword this…. Thanks for the meal!!
    But yeah, thanx for spending time to discuss this subject here on your site.

    silver oak casino no deposit bonus codes, Jayne,

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>