How to moderate signups

Since at some point spammers will find your site and create splogs, there’s many ways to stop them. Deleting them as they occur is like shovelling snow during a blizzard. You can add another field to signup, add a captcha, go invite-only, or in the case of my main niche blogging site – moderate the signups. This works well for smaller signups where you don’t get a huge number of new bloggers on a daily basis, and where spammers have proven to be a general nusiance, a potential embarrasement, as well as a time suck.

Basically, this is a light hack which re-words the signup page so users aren’t confused as to what is happening, and sends the activation email to you, the site admin, instead of the new user.

You’ll need to edit two files:
– public_html/wp-signup.php
– wp-includes/wpmu-functions.php

Open up wpmu-functions.php in your favorite text editor. Scroll down until you find the function wpmu_signup_blog_notification. Copy everything from $admin_email to just before the last } and paste it directly underneath.

Edited to add this bit:
$admin_email = get_site_option( “admin_email” );
if( $admin_email == ” )
$admin_email = ‘support@’ . $_SERVER['SERVER_NAME'];
$from_name = get_site_option( “site_name” ) == ” ? ‘WordPress’ : wp_specialchars( get_site_option( “site_name” ) );
$message_headers = “MIME-Version: 1.0\n” . “From: \”{$from_name}\” \n” . “Content-Type: text/plain; charset=\”” . get_option(‘blog_charset’) . “\”\n”;
$message = sprintf(__(“To activate your blog, please click the following link:\n\n%s\n\nAfter you activate, you will receive *another email* with your login.\n\nAfter you activate, you can visit your blog here:\n\n%s”), $activate_url, “http://{$domain}{$path}”);
// TODO: Don’t hard code activation link.
$subject = sprintf(__(‘Activate %s’), $domain.$path);
wp_mail($user_email, $subject, $message, $message_headers);

(Note: in case of future code edits this may end up looking a little different. So to clarify, it’s the section of this function that sends an email. It helps to read the code you’re tweaking. :) )

In the first section (the original bit we copied), change the message sent to the user to something like “We’ve recieved your signup request and you’ll get another email with your password.” Remove the $activate_url directly after that. This verifies that we are not sending them the activation link.

Now, in the bit you copied over, we’ll do a little more work. This is the message that will come to you, the site admin, and we have to add more details so we can determine if this is a legit signup. First, we’ll change the message that gets sent to us.

Mine looks like this:

$message = sprintf(__(“Someone at the address %s has signed up for a blog: %s. To activate this for them, please click the following link:\n\n%s\n\nAfter activation, the user will receive *another email* with their login.\n\nYou can visit their blog here:\n\n%s”), $user_email, $title, $activate_url, “http://{$domain}{$path}”);

The %s stands for string, and the value inserted is the first (or next) option listed directly after this message. By comparing this to the original, you can see I added the user’s email and the title of the requested blog. There are four %s in the message and four matching values at the end of it.

On the last line, change the line like this:
wp_mail($user_email, $subject, $message, $message_headers);
to this:
wp_mail($admin_email, $subject, $message, $message_headers);

This will send the message to the admin, not the user.

Another thing to do in this file is moderate the user signups as well. Spammers can still create splogs (and they will) if they can easily signup for just a username.

For ease of use, the function wpmu_signup_user_notification is just underneath the one we’ve been working on. Make the same changes as above.

Save your work.

Now that we have moderated the signups, we need to inform the users we did so. Otherwise, you’ll get dozens of annoyed potential users asking “Where’s my activation key???”

Open up wp-signup and find the function confirm_user_signup (line 292). All we are going to change is the text of the messages. I changed mine to read something like, “But, before you can start using your new username, we must activate it. Check your inbox for the password we will send to you. If you do not get an activation notice within two days, please email support.”

Scroll down a little further to line 362 to the confirm_blog_signup function, and make similar changes to the message there. Save your work.

Make sure you save a copy of the original files somewhere, then you can replace them with your new edited version of the files. Whenever you upgrade, you can overwrite the files with the new version and make these changes again, OR you can use the revision log to make line-by-line upgrades to each file.
wp-signup revision log
wpmu-functions revision log

About andrea

Comments

  1. TechWorker says:

    Good article. But how do you identify the spammer from a good intentional user. How to make a decision from the signup name or email address. Thanks,
    TW

  2. In my experience, it’s usually easy to determine a spammer.

    – Their email is suspect for one. It usually doesn’t make any sense (nonsense characters and letters together) and/or is from a recognizably spammy domain (a lot of .info ones)
    – They fill in the title with links or the words Default Title, which is a BIG tip-off. What person would type in Default Title as their blog title?
    – the username, blog title and email are all identical. This is a little sneakier, but most people want to express themselves and wouldn’t pick the same phrase for all of the options.

    It is hard if you’re just looking at one or two options, but I found all of them together, especially with the blog title, make it quite obvious in many cases.

    When in doubt, you’ve just been sent the user’s email address and you can email them to verify their existance.

  3. Hi!..
    Is this for Wpmu 125a? Because the line numbers you give dont line up with I get in my program and u dont say what to copy and paste execpt –> Open up wpmu-functions.php in your favorite text editor. Scroll down until you find the function wpmu_signup_blog_notification (line 1106)(1106 in my program is [$meta = serialize($meta)]. Copy everything from line 1114 to line 1122 and paste it directly underneath. –Underneath what? .. function wpmu_signup_blog_notification ? As You can see Im trying to learn..

  4. You’re looking for the function called wpmu_signup_blog_notification, which is a few lines down at 1114. Gotta read the code too. :)

    I took the line numbers right out of trac for the absolute latest copy. Copy everything from $admin_email (line 1122) to the end brace (but not including it) and paste it right before that end brace. Continue as directed.

  5. Great hack, I did it myself and got it working in no time.

  6. It sounds like a great hack, but I couldn’t get it to work. The wpmu-functions file has changed several times, and the version on trac doesn’t match the lines you suggested changing. Could you copy and paste the code here that need to be copied instead of just telling us the line numbers? Or at least copy and paste the first line and the last line (not just the line numbers)?

    Thanks :)

  7. Andrea/All,

    I’m interested in implementing an invite only system on my wpmu site. Do you have any code you can share that might help me get this going? Are there any plug-ins available?

    Thanks!

  8. For some reason i still cant get it too work either ? HELP

  9. This code caused my site to stop working. I get errors like this one.
    ————————-
    Parse error: syntax error, unexpected ‘:’ in /home2/arkblogs/public_html/wp-includes/wpmu-functions.php on line 1006
    ————————-
    Don’t copy the code from this site. Just make changes to the text the emails sends out.

  10. If you just change the email text, that’s all it does – send different emails, no moderation.

    You got the error for one of three reasons:
    – it wasn’t copied correctly (sometimes scraping it can catch odd characters)
    – you’re using a different php version
    – there’s something different in the latest code.

    The error you’re getting means there’s a stray colon somewhere, an error in syntax, which leads me to believe it may be a combo of a different php version (I haven’t tried this on php5) and possibly a change in the recent code.

    The code changes pretty often, so something form a few months ago may certainly need changing.

  11. Huh? I’m sorry. I’m not followign the instructions. EXACTLY what code am I supposed to paste and WHERE I am supposed to paste it? I’m not following your sentences here … sorry.

  12. For example:

    Open up wpmu-functions.php in your favorite text editor. Scroll down until you find the function wpmu_signup_blog_notification. Copy everything from $admin_email to just before the last } and paste it directly underneath.

    “Directly underneath” where?

  13. Pryrates says:

    In the function wpmu_signup_blog_notification you copy the lines from $admin_email to just before the last } and paste them under this copied section but before the last }.

    Nice hack, great for my site, in that I really missed admin control over registration. Lucky I found your blog and browsed here…

  14. I can’t get it to work. I am using it on http://www.iitdreams.com. It is a buddypress installation with WPMU.

  15. Thanks, Sir..
    It works like a charm :D

  16. I found this post useful in modifying Buddypress 1.0.3… the main difference was making the recommended changes in bp-core-activation.php and bp-core-signup.php instead of the wpmu files, otherwise very similar.

  17. zlamczyk says:

    How would this be accomplished with a WPMU 2.9.2 and BP 1.2.4 install? I tried modifying bp-core-signup.php but it didn’t work for me. And bp-core-activation.php is not present in my directory. Was that file deprecated?

    • zlamczyk says:

      Figured this out, finally. Turns out that the file and function to modify was:
      `wp-content\plugins\buddypress\bp-core\bp-core-filters.php`
      –>`function bp_core_activation_signup_user_notification( $user, $user_email, $key, $meta )`

      Isn’t is redundant to have two functions so similar to each other? Both the above function and
      `wp-content\plugins\buddypress\bp-core\bp-core-signup.php`
      –>`function bp_core_signup_send_validation_email( $user_id, $user_email, $key )`
      are extraordinarily similar to each other. It’s kinda frustrating.

      I’d consider developing a plugin, but perhaps I’ll wait for the first release of WP 3.0.

Trackbacks

  1. [...] How to moderate signups – WPMU Tutorials Since at some point spammers will find your site and create splogs, there’s many ways to stop them. Deleting them as they occur is like shovelling snow during a blizzard. You can add another field to signup, add a captcha, go invite-only, or in the case of my main niche blogging site – moderate the signups. This works well for smaller signups where you don’t get a huge number of new bloggers on a daily basis, and where spammers have proven to be a general nusiance, a potential embarrasement, as well as a time suck. (tags: wordpress hacks wpmu) [...]