Stopping Spam Sign-Ups and Splogs on Your WordPress Network
If you choose to have open sign-ups on your WordPress network, any member of the public can register and create a new site on your network. At some point, automated bots run by malicious users and spammers will visit your network sign-up page and attempt to create one, or multiple, sites in your network. They do so by automated means, hoping to create links to their sites or fill their site on your network with spam posts. This kind of spam blog or site is a splog.
Spam bloggers don’t hack your system to take advantage of this; their bots simply send requests directly to the sign-up page. You can do a few simple things to slow them down considerably or stop them altogether.
Unchecking the Add New Users check box stops many spammers. When spammers access the system to set up a spam site, they often use the Add New Users feature to create many other blogs via programs built into the bots.
To access the Add New Users check box, click Settings on the Network Admin Dashboard.
Spammers often find your site by searching Google for the link to the sign-up page. You can stop Google and other search engines from crawling your sign-up page by adding rel="nofollow noindex" to the sign-up page link (the rel attribute takes a space-separated list of values). Wherever you add a link to your sign-up page, inviting new users to sign up, the HTML code you use to add nofollow and noindex looks like this:
<a href="http://yoursite.com/wp-signup.php" rel="nofollow noindex">Get your own site here</a>
You can add this to any page or widget area as a normal link to instruct legitimate visitors to sign up for a site in your network.
Plugins can help stop spam blogs, too. The Moderate New Blogs plugin interrupts the user sign-up process and sends you (the network admin) an e-mail notification that a user has signed up for a blog. You can then determine whether the blog is legitimate.
The Hashcash plugin was written mainly to stop spam comments, but it also prevents spam sign-ups on a WordPress site, with or without the network feature activated. This plugin checks that the sign-up page was opened in a browser window and not accessed directly.
The Cookies for Comments plugin leaves a cookie in a visitor’s browser. If the sign-up page is visited, the plugin checks for the cookie. If there isn’t a cookie, the sign-up fails. Be sure to check the plugin’s installation directions, because it requires an edit to the .htaccess file.
If persistent spammers still manage to sign up despite these plugins, you can block them by their IP address. A post on the BuddyPress forums explains how to add rules to your .htaccess file to block spam attempts.
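One way to decide which addresses are worth blocking, as an added example that is not from the original article: this Python script scans a web server access log for clients that POST to wp-signup.php without ever loading the form first, which is the direct access the plugins above try to catch. It assumes the Apache "combined" log format; the function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Apache/Nginx "combined" log format; we only need IP, method, path.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
SIGNUP_PATH = "/wp-signup.php"

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-signup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:40 +0000] "POST /wp-signup.php HTTP/1.1" 200 6011 "http://yoursite.com/wp-signup.php" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:01:02 +0000] "POST /wp-signup.php HTTP/1.1" 200 6011 "-" "-"
203.0.113.9 - - [10/Mar/2024:10:01:03 +0000] "POST /wp-signup.php HTTP/1.1" 200 6011 "-" "-"
203.0.113.9 - - [10/Mar/2024:10:01:04 +0000] "POST /wp-signup.php?new=1 HTTP/1.1" 200 6011 "-" "-"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-signup.php HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
this line is malformed and must be skipped
198.51.100.7 - - [10/Mar/2024:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def direct_signup_posters(log_text, min_posts=3):
    """Return {ip: post_count} for clients that submitted the sign-up form
    at least min_posts times without a GET of the form earlier in the log."""
    loaded_form = set()          # IPs that fetched the sign-up page
    direct_posts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # ignore lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        if not path.endswith(SIGNUP_PATH):   # also matches subdirectory installs
            continue
        ip, method = m["ip"], m["method"]
        if method == "GET":
            loaded_form.add(ip)
        elif method == "POST" and ip not in loaded_form:
            direct_posts[ip] += 1
    return {ip: n for ip, n in direct_posts.items() if n >= min_posts}

if __name__ == "__main__":
    for ip, count in sorted(direct_signup_posters(SAMPLE_LOG).items()):
        print(f"{ip}\t{count} direct sign-up POSTs")
```

Review the flagged addresses before adding them to .htaccess: a visitor who loaded the form before the log window started, or several people behind one shared address, can look the same as a bot.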