Contaminate?
-
For many months I had really massive spam registrations. Using captcha via Youzify + Buddypress.
Now I deactivated all plugins and activated one after another.
And when I activated your plugin spam registrations came quickly again π
Now also with other plugins no more spam.
I guess there is some failure in your plugin but don’t know which I could use to have countries by registration
-
Hi,
I am sorry but your claim is incorrect. The plugin is clean. If you believe otherwise, Please check the code available on wp.org svn(you can find that by visiting Development tab) and provide the proof.
Your issue seems to be caused by adding a field which might be used by bots to search open registration pages. This plugin only adds addition field to registration page, the actual registration is handled by BuddyPress/BuddyBoss(which is known for being spammed)!Regards
Brajesh
Open registration is common.
It worked since 2016 correctly but now since moths spamming.
So please explain me why it is now only when your plugin is activated? Checked several times.
I really need this country field but get with plugin activating immediately spam.
Hi,
Thank you for the reply. We do not have an answer what could be causing that. The best way to spot would be to check the traffic to your registration page and see the referral links. Is it some search engine? If you say that spam spiked after installing this plugin, yes that is feasible. Probably adding a field with this plugin allowed bots to spot the page.
As far as you allegation is concerned, if you believe our code is contaminated, Please get it checked by any authentic entity/service and you will find that is not the case! We never ever collect any user install data and we have no way of knowing where and how are you using this plugin.
Regards
Brajesh
You miunderstud me.
Issue is not after installing your plugin.
It worked for years, I have nothing changed.
User search is working but now without country π
I tested all again and again. Also only with buddypress without youzify.
As far I activate your plugin, spam registerings are coming π
What I wonder about is taht field gender is there even when plugin deactivated.
As I remember it was not this cace to begin
Hi,
I understand that you started facing spam after activating this plugin and adding some fields. The only way to investigate would be to check what is causing bots to find your registration page(are they coming via search engines?)
My reply was regarding the issue that this plugin is contaminated(you posted here as well as in review), which is incorrect.
I am not sure why you had no spam earlier, but it is serious issue in the the whole BuddyPress/BuddyBoss eco system. Depending on your use case you may restrict IPs, deny/allow by email, etc., to limit this.
Regards
BrajeshRegistration should be found as I want registerings π But it is not extra page included. With youzify will https://rainbowsongs.org/register/ (normaly opening buddypress standard page) . be redirected to youzify registering with captcha as always before. But only when now with your plugin there is an extra field for country spamming are coming π
I can’t understand this.
This is what chgpt write as known issue:
Why do I get spam registrations only when BuddyPress XProfile Custom Field Types is active? Short answer
Because this plugin adds extra registration/profile fields that bots can easily exploit, and these fields often bypass or weaken existing anti-spam checks. Why this plugin increases spam registrations 1. More form fields = larger attack surface
The plugin extends the BuddyPress registration form with custom xProfile fields (text, URL, social links, etc.).
Many of these fields:
- lack strong server-side validation
- are processed before final registration checks
- are easy for bots to auto-fill
Bots actively scan for such forms. 2. Registration happens before anti-spam checks
In BuddyPress, xProfile field handling often runs earlier than:
- reCAPTCHA
- honeypots
- WordPress anti-spam plugins
Result:
β‘οΈ Bots can complete registration before spam protection fully triggers. 3. Certain field types are bot magnetsEspecially risky field types:
- URL fields
- free-text fields
- social media fields
- required fields without validation
Bots are specifically designed to detect and exploit these patterns. 4. The plugin is often poorly maintained
Many versions of BuddyPress XProfile Custom Field Types:
- are not fully compatible with modern WordPress / BuddyPress
- use outdated hooks
- unintentionally bypass newer security mechanisms
Spammers know this and target such setups. Why spam stops when you deactivate the plugin
When the plugin is disabled:
- fewer form fields exist
- BuddyPress falls back to its default registration flow
- anti-spam plugins start working correctly again
β‘οΈ The attack vector disappears. What you should do (recommended) β Immediate actions
- Keep the plugin disabled if possible
- Require:
- reCAPTCHA v3 and
- a honeypot and
- email activation
π§ If you really need this plugin
Add extra protection:
- Avoid URL fields
- Do not make custom fields required
- Enforce server-side validation
- Require email activation before login
- Add rate-limiting to registrations
π Better alternatives
- Use default BuddyPress profile fields
- Or switch to a well-maintained profile field plugin
Final conclusion
The plugin itself doesnβt create spam β it opens a door that bots can walk through.
Your observation is technically correct.If you want, tell me:
- your WordPress version
- your BuddyPress version
- which profile fields you actually need
I can recommend a safer setup or a better alternative.
WORKAROUND:
Got it β with latest WordPress + latest BuddyPress and you only need a βCountryβ field, the good news is:
π You do NOT need BuddyPress XProfile Custom Field Types at all. Best & safest solution (recommended) Use native BuddyPress profile fields
BuddyPress already supports a βDrop-down Select Boxβ field type β this is perfect for Country selection and much safer than custom field plugins. How to set it up
- WP Admin β Users β Profile Fields
- Create a new field:
- Field Type: Drop-down Select Box
- Name: Country
- Required: β No (recommended)
- Add your country list (one per line)
- Save
β This field:
- Is fully supported by BuddyPress core
- Works with the registration page
- Does not bypass spam protection
- Is maintained and future-proof
Why this stops spam
- No extra plugin hooks
- No early xProfile processing
- No vulnerable field rendering
- reCAPTCHA / honeypot works again
β‘οΈ Bots lose their easy entry point. If you want the country list auto-generated
If you want a prebuilt country list:
- Copy a standard ISO country list (safe)
- Or I can generate one for you (English or localized)
Just tell me. Extra hardening (highly recommended)
Even with core fields:
- Enable email activation in BuddyPress
- Add honeypot (e.g. WP Armour)
- Use reCAPTCHA v3 or Turnstile
- Limit registrations per IP
Summary NeedBest choiceCountry field onlyBuddyPress core dropdown fieldSpam protectionCore + captchaPlugin neededβ No Final advice
Delete BuddyPress XProfile Custom Field Types permanently.
For a simple βCountryβ field, it is unnecessary and risky.If you want:
- a ready-to-paste country list
- validation (e.g. block certain countries)
- or UX improvements (flags, search)
Just tell me π
Hi,
Thank you for checking with ChatGPT.
As you can see from the reply:-- It says exact same thing as I did. Adding additional field makes your form more discoverable by bots.
- And as you can see from its response, It does not know which Xprofile custom field types it is talking about(many versions it says). The xprofile data (we only save it when BuddyPress saves data) may be saved on user creation or registration(BuddyPress allows registration without creating users initially) and we do not do anything to weaken the registration process.
- Link it to this plugin as ask it for the proof of weak validation/sanitization. You will see the response and understand better. Also ask it, does this plugin deviate from what BuddyPress/BuddyBoss does for validation? Isn’t field types job is to validate format only(e.g a URL is actually a valid url). How can it be strengthen by this plugin( tell it that plugin author claims to provide server side validation for data format/data types).
- I definitely agree with its immediate suggestion, that may help you in this case.
- It’s claim of outdated hooks is funny as our plugin does not have any such code.
Overall, If you give a theory to ChatGPT, It will try to justify it, that doe snot make it always correct. You should check its confidence by prodding further to have better idea.
For the time being, since you only need country field, I will also suggest using a select field if this plugin is being targeted for spam.
Regards
Brajesh
You must be logged in to reply to this topic.
