2 Steps to Stopping Splog Registrations in WordPress MU

[Image: Comment Spammers Burn in Hell]

I was doing some routine maintenance on all of my blogs today, when I noticed an unusual number of new blogs had been created on one of my domains. Immediately, I was filled with a feeling of pride…one of my blogs had finally gone mainstream! Out of sheer excitement, I logged in to the site to see what my new authors were posting. As the page loaded (my internet is running a tad slow tonight), I felt like a child unwrapping the BIG present Christmas morning. I eagerly anticipated reading the newest blog posts, but was instead met with a stunning revelation: sploggers had invaded. Nothing but blogs like generic_name23456 had been created. In one second flat, my enthusiasm transformed into rage. I had to do something. My knee-jerk reaction was to disable the creation of new blogs with new user registration. Ultimately, this would defeat one of the biggest advantages of having WordPress MU (WPMU), not to mention add another task to my already-too-long task list, as it would require me to manually add all new blogs for new users. Not a solution!

As usual, I turned to my Twitter pals to find the answer. The first response I received, and the one that proved most useful, was from @andrea_r, the owner of wpmututorials.com. If ever you need help with anything related to WPMU, you need to start there. It wouldn’t hurt to follow @andrea_r and @wpmuguru as well. Anyway, back to the problem at hand: how to stop sploggers. Keep in mind, the following is what I have done on my sites. It might not be the best solution for you. It is just a suggestion.

First, we need to understand what a splog is. Essentially, it is nothing more than a “junk” blog, created by a bot, that embeds links to the splogger’s main site, usually for no other reason than to increase its page rank through trackbacks. The bots usually seek out the wp-signup.php page that is present in every default WPMU installation. One could simply change the name of the file to something like registration.php and make corresponding changes to all of the references to wp-signup.php in all of the themes used. While effective, this was not the best course of action for me, considering all of the themes used on my blogs. Instead, I dug a little deeper and found some interesting info.

.htaccess Redirect

Since this type of attack is rather prolific in the WPMU realm, several links are included in the readme.txt file installed on every default installation. One of the links provided is an article by D’Arcy Norman titled Stopping Spamblog Registration in WordPress MultiUser. By following the instructions contained in the article, I am able to automatically redirect splogger bots to my Spam Prevention page, which was borrowed from UCalgary Blogs along with the picture you see above. Here are the steps:

Here’s the technique – just drop a modified version of this into your .htaccess file for your WPMU server:

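# Redirect suspected splog-bot signups before WordPress ever sees them
RewriteEngine On
# Only form submissions (POST) to the signup page...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-signup\.php
# ...whose Referer is not this site, or whose User-Agent is empty
RewriteCond %{HTTP_REFERER} !.*ucalgaryblogs.ca.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]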

I put that block above the WPSuperCache block in my .htaccess file.

Modify the part that says “ucalgaryblogs.ca” to be whatever your WPMU server is (you may need to do more if you run multiple domains…), and modify the die-spammers.com part to point to wherever you want to send suspected evil spammers. I send them here.

What it does is detect any POST requests (submitting a form) for wp-signup.php, that haven’t been sent from a web page on the WPMU site or have an empty user agent string (identifying the software making the request), and sends them to a page that apologizes for any false positives (and provides a contact to get around it for valid users that somehow got sent there) and scolds evil spammers for being evil spammers.

The beauty of it is that it doesn’t require anything from WordPress. No plugins. No mu-plugins. No hacking core files. Nothing. Apache steps in and kicks spammers out before they get in at all.
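To see what the conditions described above would catch before enabling them, the same test can be replayed over an existing access log. The following is an added example, not code from this post or from D’Arcy Norman’s article; it assumes Apache’s combined log format, and the host blogs.example.org and the log lines are constructed for illustration.

```python
import re

# Apache "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, hypothetical host).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Dec/2009:04:12:01 +0000] "POST /wp-signup.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [13/Dec/2009:04:12:03 +0000] "POST /wp-signup.php HTTP/1.1" 200 5120 "http://other.example/" "Mozilla/4.0"',
    '198.51.100.20 - - [13/Dec/2009:09:30:44 +0000] "POST /wp-signup.php HTTP/1.1" 302 0 "http://blogs.example.org/wp-signup.php" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.15 - - [13/Dec/2009:10:02:10 +0000] "GET /wp-signup.php HTTP/1.1" 200 7421 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.99 - - [13/Dec/2009:11:45:00 +0000] "POST /wp-signup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"',
]

def would_redirect(line, site_host):
    """True/False for a parsed log line, None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if m["method"] != "POST" or "wp-signup.php" not in m["path"]:
        return False
    # Apache logs a missing header as "-"; the rewrite condition sees it as empty.
    referer = "" if m["referer"] == "-" else m["referer"]
    agent = "" if m["agent"] == "-" else m["agent"]
    # Same loose substring test as the rule's !.*host.* pattern, OR an empty User-Agent.
    return site_host not in referer or agent == ""

def audit(lines, site_host):
    """Count, per client IP, the signup POSTs the rule would have redirected."""
    hits = {}
    for line in lines:
        if would_redirect(line, site_host):
            ip = LOG_RE.match(line)["ip"]
            hits[ip] = hits.get(ip, 0) + 1
    return hits

if __name__ == "__main__":
    for ip, count in audit(SAMPLE_LOG, "blogs.example.org").items():
        print(f"{ip}: {count} signup POST(s) would be redirected")
```

The last sample line is an ordinary browser whose Referer header was stripped; it is counted as well, which is the kind of false positive the apology page is there for.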

Moderate New Blogs

Listed in the comments on the Stopping Spamblog Registration in WordPress MultiUser page was a link to a plugin I have since installed: Moderate New Blogs. This plugin holds all new blog registrations in moderation until approved by a site admin. When a user creates a new blog, the site admin will receive an email notifying them of the addition. The blog is created automatically, but will not display until activated. The new blog is listed in the ‘Blogs’ section of the ‘Site Admin’ menu. It adds an ‘Awaiting Moderation’ button on the blog synopsis. Until activated, all visitors to the new blog will see a message stating the blog has not been activated.

Installation. Download the file and drop it into the mu-plugins folder in the WPMU installation. There is no activation needed. If it shows in the ‘Plugins’ menu, and you have to activate it, you have installed the plugin in the wrong folder. It is in ‘plugins’ vice ‘mu-plugins’. You will notice there is now a ‘New Blog Moderation’ checkbox in the ‘Options’ section of the ‘Site Admin’ menu. Check the box, save your settings, and you are done. Now all new blogs will show in the ‘Blogs’ section of the ‘Site Admin’ menu with the activation link on the right. Easy!

  • NOTE: Dropping the plugin into the ‘plugins’ folder instead of the ‘mu-plugins’ will result in partial functionality. New blogs can be created by users, and they do go into moderation, but you cannot moderate them. There is no link. They show in the blogs list, but they cannot be accessed or deleted. If this happens to you, don’t worry…the solution is easy, but could be time-consuming depending on how many blogs were created.
    1. Deactivate the plugin and delete it.
    2. Manually recreate the blog(s) in the ‘Blog’ section of the ‘Site Admin’ menu. Important: You must recreate the blog EXACTLY as listed in the blog list. If you do not use the same spelling, capitalization, and admin email, it will create a different blog instead of replacing the one listed.
    3. Delete the erroneous blogs.
    4. Load the plugin into the ‘mu-plugins’ folder.
    5. Done. Try creating the new blog through the registration page again!
  • My only problem with this plugin is the absence of a dashboard notification widget. When a new blog is created, the site admin should get an email that simply says there are new blogs in moderation. Then those blogs should be accessible by clicking the notification on the dashboard. Or, as is the case in comment moderation, there should be an ‘Activate’ link in the notification email.

Well, there you have it. How to successfully avoid the majority of splog registrations. Unfortunately, as with content stealing, there is little one can do to stop a splogger who is hand-jamming everything, but they are few and far between. I hope this post has helped you out. If it has, let the other readers know by commenting. Is there a way you do business that differs from mine? Is it better or worse? I would love to hear from you! Thanks for stopping by!

The above steps got rid of about 90% of the splog registrations; however, I was still getting one or two per day. I have since installed the SI CAPTCHA Anti-Spam plugin. Super simple to use. Just install and activate. Once activated, click the ‘Settings’ link on the plugins page and make your selections. I will post more if this does not do the trick!

Special thanks goes to @sbrajesh for the help!!

Thanks for visiting! If you have any other tips for readers, please leave a comment below!

9 thoughts on “2 Steps to Stopping Splog Registrations in WordPress MU”

  1. Great article. I have implemented the .htaccess trick and turned blogs back on in the dashboard. Will let you know how it works for me.

    1. I am glad you enjoyed my article. I am hoping it works for me as well. I just made the changes last night. I will post if splog registrations make their way back in.

      Thanks for commenting!

      1. I have only had one blog registration since turning the feature back on. This user has not added any posts or other info though. I am almost positive it is a splog.
        Just waking up. I will read through your new notes and try implementing them.

        1. Awesome! Thanks for coming back! I am not sure why, but I got SEVERAL more sploggers. It is possible that they were human sploggers and not bots, but there were about 60 more. I will post how it goes! Thanks for the comment!

          1. I already had the SI CAPTCHA Anti-Spam plugin installed. I am thinking that there is just no way around determined sploggers. I had another user start a blog last night that I suspect is splog.

  2. Hippy Randall:

    I already had the SI CAPTCHA Anti-Spam plugin installed. I am thinking that there is just no way around determined sploggers. I had another user start a blog last night that I suspect is splog.

    Right on. I did not know it existed. I am just a bit concerned that you still got two and am wondering what I am in for, but I guess two is better than 102!
