User Spam Remover for WordPress
User Spam Remover is a plugin for WordPress that automatically removes spam user registrations and other old, never-used user accounts. It also blocks the notification e-mail that WordPress normally sends to the administrator whenever a new user registers (annoying when that registration is spam!) and logs it instead.
The plugin adds a configuration panel so that all of these options can be turned on or off, and it logs and fully backs up all user accounts that it deletes, so that you can restore them if you need to.
Features
- Automatically deletes user registration spam and other orphaned, never-used accounts.
- Very simple, enable and go! Doesn’t interfere with the normal user registration process in any way. So, it doesn’t add captchas or activation or anything else — you’re free to use it alongside a plugin that does, if you like. (For more info on why I’ve written it this way, see the FAQ).
- Blocks notification e-mail that WordPress normally sends to the administrator every time a new user registers (instead, logs this event).
- Fully configurable, with grace period for new accounts and optional username whitelist.
- Fully logs all actions and backs up all user accounts that it deletes so that you can seamlessly restore them if you ever need to.
Installation
Note: Please report any bugs or issues you have in the comments below, so that I can make it better.
Requirements:
- WordPress 3.9+
- PHP 5.1+ (tested with PHP 5.2 through 7.0 series)
- MySQL using PHP
mysqli
extension
To install:
- Download, unzip and upload into your plugins directory. (Or, install through the plugins menu in WordPress.)
- Go to the Plugins configuration screen in WordPress and activate. Look for the settings link to go to the User Spam Remover settings page (User Spam Remover also gets added to the left menu under “Users”).
- On the settings page, you’ll need to click the “Enable” checkbox to turn the plugin on. Scroll down and change any options you like. Click “Save Changes.”One note on logging: By default, all logging is enabled (good!), but the log directory is set to the
log
subdirectory of the plugin. While this is OK, it means your log files will be viewable over the web, so I recommend you change this directory to someplace else (i.e., if the root of your site is/www/mysite/html
, do something like/www/mysite/log
). Be sure to usechmod
or your FTP program to make this directory webserver-writable (don’t worry, User Spam Remover will warn you if it’s not). - Once you’re done, that’s it! Feel free to use the blue “Remove spam/unused accounts now” button to test it out. User Spam Remover will run once a day automatically from now on.
Questions? Please see the FAQ.
Upgrading
There’s nothing special you need to know. Either upgrade through WordPress itself, or download the newest version, unzip and upload the new files.
Versions
See the changelog to see what’s new. First released in 2010. Version 1.0 was released on April 4, 2017.
Ping from User Spam Remover für WordPress
Aug. 27, 2010, 7:18 am
[…] Spam Remover für WordPress | 27. August 2010 | Autor: Karl-Heinz Das Nutzer Spam Remover Plugin entfernt Spam- Registrierungen und seit längeren nicht genutze WordPress Konten. […]
Ping from User Spam Remover für WordPress
Aug. 27, 2010, 7:19 am
[…] User Spam Remover Plugin entfernt Spam- Registrierungen und seit längeren nicht genutze WordPress Konten. […]
AkoZ
Sept. 9, 2010, 12:13 am
Plugin could not be activated because it triggered a fatal error.
Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /domainname/wp-content/plugins/user-spam-remover/user-spam-remover.php on line 36
may be a bug report there ? but not found … ;)
oops i use the latest version nighbuild … :)
sticks
Sept. 9, 2010, 12:25 am
Thanks for the report. Definitely no parse error on line 36, so it’s something with your config.
I’d guess you’re running PHP4? (Since it fails for you on a PHP5 protected variable declaration.) If that’s the case, sorry, but this plugin requires PHP5.
Stefan
Sept. 19, 2010, 12:41 pm
I also get the parse error – is it a general bug?
sticks
Sept. 20, 2010, 2:00 am
If you’re talking about Akoz’ comment, there’s definitely no parse error, so no known bugs — this plugin requires PHP 5.1+. He didn’t reply, but I’m 99% sure he was using PHP4.
If you think you’ve found a bug, please provide more info: Copy/paste any error messages, explain steps to reproduce (what you were doing at the time), and versions of WordPress and PHP and anything else relevant (like MySQL if it were a db-related bug, or what plugins you’re using if you think there’s a conflict with another plugin). You can also put bug reports in the WordPress support forum for the plugin if it’s too much to fit into a comment here.
Ping from site updates! | She is Legend.
Nov. 14, 2010, 4:05 pm
[…] my own benefit, I installed a plug-in to hopefully minimize how many spam comments I get: User Spam Remover. There were a few available to me, but this one got a five-star rating and seemed most relevant to […]
Panagiotis
Nov. 15, 2010, 11:54 pm
hi. i have your plug in over there: http://greenhost.gr/ and sure it was helpfull
Ping from decisions, decisions, decisions. | She is Legend.
Nov. 16, 2010, 8:03 pm
[…] doesn’t look like that spam-filtering plug-in is doing much for me. […]
NZ Scams
Nov. 18, 2010, 8:51 pm
Hi
This is going to make a big difference. Love how you provide the sql to “undo” any damage done. Well thought out.
Feature request: to be able to preview those who will be deleted. And to have a snapshot of remaining users…
Active | Inactive < 7 days | Inactive < 14 days
and so on until the threshold is reached. I've set mine to 30 days.
thanks
Sarah
sticks
Nov. 19, 2010, 9:03 pm
Thanks a lot for the new feature idea.
It would not be too difficult to implement. What I’m thinking is, a line or two next to the “Age threshold” settings section where it would have something like “Users pending the next deletion: [ … ] . New users inactive N days or more [ … ] .” And then N would be 1/2 of whatever the threshold setting is (i.e. 5 for the default value of 10 days).
Could you explain a bit more why you would like this feature, how you would use it, and/or how it would be helpful? That would help me design how it should work. I’m guessing that you want to be able to check “Who’s about to be deleted?” and click over to their user profile … but that’s just me guessing. :)
sticks
March 5, 2011, 9:36 pm
Update: Look for this feature in the 0.9 release, which is out for final testing and should ship within a few days!
Nosgoroth
Dec. 23, 2010, 10:47 am
Thanks for this plugin. My four-year-old blog just got itself rid of 1400+ spam users without any issues.
Ray
Jan. 2, 2011, 1:04 pm
Love the idea behind this.
Would it be possible to send an email to the potentially-deleted user before deleting them, just to make sure they’re not a spammer? The email will give the user one week (or whatever the age threshold is) to login; if the user doesn’t login within that time period, the account gets removed.
Also is this plugin WP 3.0 network-compatible?
Ray
Jan. 2, 2011, 1:10 pm
Just to follow-up on my previous comment.
What I meant by “network-compatible” is does your plugin also remove any blogs the spammed user created on a WP 3.0 network?
sticks
Jan. 22, 2011, 2:51 pm
re: e-mailing users:
I’ve thought about this for a while. Unfortunately for you, my first instinct was “no!” because it opens an additional attack vector. Now that a spammer can cause your webserver to send e-mail, it turns your WordPress install effectively into a mail relay (which then causes all kinds of collateral damage to you when your mail server is blacklisted etc.). Sorry!
Secondly, WordPress doesn’t track user logins, so the mechanism for the second part of this doesn’t exist. I do have some slightly happier news for you there, if you check this thread on the wordpress.org forum, you’ll see I’ve done a mod that works with another plugin that tracks logins.
It also goes into why I don’t want to add features along these lines to the plugin (sorry). The idea behind the plugin is to delete simple robot spam (no more), and my best suggestion if you still want to use it is just to increase the deletion threshold to a month or a year. Otherwise (and especially if you’ve set up your blog so that you encourage users to register and log in to read it, but they never have to post or comment), it’s probably just not the plugin for you.
re: “network-compatible”:
No, the plugin doesn’t delete blogs, it only deletes from the user and usermeta MySQL tables. I’ll throw that in the feature request file. (However, I don’t run any community-type sites where users can create blogs, so I don’t have a corpus of spammer activity to start from to even know how pervasive of a problem that is or how to identify it.)
Raph
Jan. 9, 2011, 10:02 am
I have thousands of these dummy accounts registered on my blog, visible from the Users list.
However, when I use the plugin, it says that “No unused user accounts older than 10 days were found to delete.” Any ideas why this might be?
sticks
Jan. 22, 2011, 2:06 pm
The short answer is, I don’t know and can only guess without looking in your MySQL database. (if I were debugging this myself, I’d connect on the
mysql
console and manually step through the SQL queries starting on line 411 of user-spam-remover.php). If it’s a bug, I’d guess that it’s something with your MySQL version or configuration that’s different from what I’ve tested on.An obvious non-bug reason would be if some of the spammers have left comments, their accounts won’t be deleted until after the comments are.
sticks
Jan. 22, 2011, 2:21 pm
FYI, here’s a SQL query to try (modified from the one near line 411) that will return the number of users that should be removed:
SELECT COUNT(u.ID) FROM wp_users AS u LEFT OUTER JOIN wp_comments AS c ON u.ID = c.user_id LEFT OUTER JOIN wp_posts AS p ON u.ID = p.post_author LEFT OUTER JOIN wp_links AS l ON u.ID = l.link_owner WHERE (c.comment_approved = 'spam' OR c.user_id IS NULL) AND p.post_author IS NULL AND l.link_owner IS NULL AND u.user_registered < DATE_ADD(NOW(), INTERVAL -10 DAY);
Raph
March 7, 2011, 12:47 pm
When i tried that query in phpMyAdmin, the first time I got an error saying that I needed to SET SQL_BIG_SELECTS_OK. I added that, then when I ran it I got “#1317 – Query execution was interrupted”… so it may just be that I have too many of these spam users there!
sticks
March 7, 2011, 1:41 pm
That’s the message you get when you hit CTRL-C in the command-line client … my guess is that it’s a long-running query and phpMyAdmin is killing it to return a page before the browser times out. So, maybe try the same query from the
mysql
console?The real answer though to any slow query like this is to optimize the query. In this case, I checked and WordPress doesn’t have indexes on three of the columns the query joins on or uses in the WHERE clause:
wp_comments.user_id
,wp_links.link_owner
,wp_users.user_registered
. I used the MySQL EXPLAIN command, saw that the query was seeking over every single comment in the database. Slow!So what I did was to add an index on that column. You can use phpMyAdmin to do that or just do “ALTER TABLE wp_comments ADD INDEX (user_id);”. If you have a lot of links, you might also do “ALTER TABLE wp_links ADD INDEX (link_owner);” (it won’t hurt). That made this query go a lot faster!
If you add the index on
wp_comments.user_id
, it should hopefully not just make you able to run this query, but also fix User Spam Remover for you as well. Let me know how it works out … I don’t know if I want my plugin adding indexes on people’s databases, but it’s worth an entry on the FAQ at least.I’m also curious how many rows there are in your comments table (so I can tell people “if you have X comments, watch out!”) if you don’t mind sharing that info.
Raph
March 7, 2011, 5:22 pm
I’ve got 30,985 comments right now. The blog has been running for a very long time. :)
After adding the index, I ran the query you provided above, and it counted 6250 spam accounts.
However, User Spam Remover on the dashboard showed zero still, and did not remove any when run.
sticks
March 7, 2011, 10:07 pm
Great, I think we’re on the right track. I sent you a couple of emails with some stuff to try — let me know if you don’t receive and I can resend.
I’ve now tested with 30K comments and 10K users — adding the index is an absolute requirement at a fraction of that scale since without it, MySQL appears to be seeking over all 30K comments for each of the 5K users it selects (i.e. it seeks over 150 million rows which takes minutes). With the index it’s a second or two.
So, the next version of User Spam Remover will add the index, either as on plugin activation or as a runtime check.
sticks
March 11, 2011, 12:02 pm
FYI, 0.9.1 released today addresses these issues. It adds these two indexes and also enables SQL_BIG_SELECTS, which will enable it to run on larger datasets in restrictive shared hosting environments. And, everybody benefits from faster query performance!
Many thanks to Raph for taking the time to help me trace his issue over email earlier this week.
Brian
Jan. 19, 2011, 5:03 pm
I installed this plugin and have exactly the same problem as Raph above but I used a much higher no of days and got “No unused user accounts older than 180 days were found to delete.” I get several dummy accounts registered each day and wanted to try it out with a 6 month period first. Am using WP 3.04
sticks
Jan. 22, 2011, 2:26 pm
Thanks for the report. I’ve replied to him, so see my reply above. With more than one report, I’m definitely curious about what’s going on. Definitely MySQL version and any debugging you can do would be appreciated.
Feel free to use the e-mail address on the about page if there’s anything you’d rather not post here.
sticks
March 11, 2011, 12:07 pm
See the resolution of Raph’s thread above. Try 0.9.1, which also now prints any MySQL read errors in the WordPress UI, so if there’s still a problem we’ll know what it is. (SQL write errors are already logged and shown onscreen.)
Ping from User Spam Remover für WordPress | Scripts United
Feb. 8, 2011, 6:19 am
[…] System »User Spam Remover für WordPressPubliziert 27. August 2010 | Von khkDas User Spam Remover Plugin entfernt Spam- Registrierungen und seit längeren nicht genutze WordPress […]
Jimmy
Feb. 14, 2011, 3:18 am
Just a quick heads up for anyone who reads this – great plugin, but I used it on my site which has an integrated bbPress installation – I didn’t realise that posting on the forum doesn’t update the user object in the same way, so it deleted all of my forum users. So, if you use bbPress with WP Integration, DON’T use this plugin! Otherwise it works like a charm.
sticks
Feb. 14, 2011, 10:18 am
Thanks for the tip. I’ll take a closer look at look at bbPress and see if there’s a good way to fix this in the plugin.
sticks
March 5, 2011, 10:02 pm
Update: I’ve added some code to the next release, 0.9, which addresses this problem. The release is out for final testing and should ship within the next few days.
More detail for others coming across the thread:
If you’re running bbPress database-integrated with WordPress (i.e. bbPress piggybacks on the WordPress user tables, normally called wp_users and wp_usermeta), all versions of User Spam Remover through version 0.3 will delete users from your database even if they have posted to your bbPress forums.
Most likely, you don’t want this to happen! User Spam Remover 0.9 and later address this by checking the usermeta table for a ‘last_posted’ value, which bbPress sets and then updates every time a user posts. So, any user who has ever posted to a database-integrated bbPress forum (even if those posts are subsequently deleted) should not be deleted by User Spam Remover 0.9 and later. The fix has been tested with bbPress 1.0 and later.
User Spam Remover is not a plugin to bbPress (and if you try to install it as one, it will fail). This is for people running User Spam Remover on a WordPress install that is database-integrated with bbPress.
Also, this is why I wrote this plugin with full SQL backup from the beginning. I don’t want it deleting your site, and I don’t want it deleting my site. (And it would have been harder to develop it without being able to roll back any operation.) Anytime you’re doing any kind of big batch operation, make sure you have a way to undo it if you don’t like the results!
Brittney
Feb. 19, 2011, 6:30 am
Hi, I am completely new to creating my own website so I’m technically challenged. =D Can you please help me out or point me in the right direction on how to make my own directory log? I’m completely lost. Thanks!!
sticks
March 5, 2011, 2:15 pm
By default, User Spam Remover just uses its own directory for the logs — you can leave it like this and it will work fine. All you need to do is check the box on the settings page.
If you want to put the logs someplace else (like I suggest in the instructions), you just need to create a directory on your webserver (you can use
mkdir
from the shell to do this, or your FTP program), and then put the full filesystem path for that directory in the box on the settings page (from the shell you can just typepwd
to get the full filesystem path). If that made no sense, here’s a basic intro to UNIX filesystem commands (if you use some FTP program instead of the shell, look in its help system).If you’re still totally lost, then forget you read that last paragraph, don’t worry about making directories and just leave the log files in their default location. Make sure the log boxes are check on the settings page and you’re good to go.
Michele
March 7, 2011, 9:44 am
Hi. I have a question: I am using wordpress as a CMS, and would like to delete users who do not login for a year or so. Is there a way to have users who login to be considered active in your User Spam Remover?
Thanks.
sticks
March 7, 2011, 10:19 am
The plugin doesn’t work that way by default. This question has come up before, and I made a custom mod that works with another plugin, Login Logger (which tracks user logins), to do this. Check out the end of this thread on the wordpress.org forum for more information.
In brief, the reason I haven’t made this a default feature of the plugin is simply that WordPress by itself doesn’t actually track users’ logins — there’s no way to tell when or if a user has ever logged in. If this information were actually something in the WordPress database, I’d add the feature. But, until that happens, check out the mod, it’s just a couple of lines you need to change, plus installing Login Logger.
Michele
March 7, 2011, 11:20 am
THanks for the feedback!
So, If I understand correctly (English is a 2nd language to me), I have to:
1) Install login logger
2) Install User Spam Remover
3) apply the patch to User Spam Remover (login loger remains unchanged, Right?)
Now, would you integrate the patch into the next release of User Spam Remover so that it stays there in the future?
Thanks!
sticks
March 7, 2011, 12:23 pm
You’ve got the steps right. Be sure not to enable User Spam Remover until after you’ve applied the patch (it starts out disabled when you first install it, so this is no problem). So, step 4 is “Enable User Spam Remover.”
I wrote the patch, but I can’t just ship it with User Spam Remover because it breaks the plugin when Login Logger isn’t installed. I’d have to develop the tie-in with Login Logger as a separate feature, add it to the options page, support it etc. And monitor Login Logger development so if they change something my little free plugin doesn’t break.
So, I feel like just having the patch available is enough for now, but if lots of people come out and feel otherwise I could change my mind. Or if someone wants to pay me to add a feature I’m always open to that, or add it to fundry. Another option would be submitting a patch to WordPress core (I’ve contributed in the past) to do this as a core feature … in some ways I like that idea the most.
Michele
March 9, 2011, 3:53 am
Hi. The patch seems to work fine. I have voted for your plugin.
Thanks again.
sticks
March 9, 2011, 12:33 pm
Thank you. FYI, I made a small attempt to add the feature to WordPress core.
Also, a new version of User Spam Remover will be released in the next week (it makes performance improvements that mostly only affect people with large databases, particularly large backlogs of spam users). I’ll be sure to review the patch to make sure it works with the new version and post any updates to the forum thread.
Michele
March 11, 2011, 11:37 pm
Hi Again. Thank you very much for taking your time for your attempt. I see it was not successful :///
I saw the update, but I’ll wait for you to OK the patch before installing it.
Now, getting back to the integration of the patch into future new release: I understand what you say, that it would take a lot of time and so on to do it properly, but I was wondering: in the meantime, maybe you could place the patch in the code of the plugin, only comment it out, so people who need it have it already there and they just need to remove the comment in the future?
Thanks again for the excellent work!
sticks
March 17, 2011, 2:12 pm
Yes, I didn’t think that had much of a chance, or I would have written the patch to start. :) It’s a big goal to keep core small. When your patch is a win/win, it it goes really fast!
FYI everybody, I’ve created a new thread (with updated patch!) if you need help, want to discuss this issue further, or say that you want this feature.
I haven’t (and don’t plan to) include the patch with User Spam Remover because I don’t actually endorse, haven’t thoroughly tested, and don’t want to support it. Right now, the plugin is tightly focused on removing spam. As soon as you get into “I want to delete Bob because he hasn’t logged in for 3 weeks” that’s a user-management problem that has nothing to do with spam, and people are going to have lots of different ideas and feature demands (email warnings, deactivation not deletion etc.). It also reduces effectiveness vs. actual spam, because spammers can just ping the login script whenever they want.
There are also a lot of tricky implementation issues (take a look at step 4 in the forum thread) even *if* WordPress were tracking login time. So anyway, go to the thread if you feel differently, but for now I guess it’s my turn to say “sorry, sounds like a good idea, but not good enough” on this.
Ping from Raph's Website » User Spam Remover for WordPress
March 13, 2011, 6:09 pm
[…] 0.9.1 of User Spam Remover for WordPress is out, and I wanted to recommend it because it is the only tool to remove fake users that has ever […]
Ping from WordPress Plugin Releases for 3/20 « Weblog Tools Collection
March 20, 2011, 6:02 am
[…] User Spam Remover automatically removes spam user registrations and other old, never-used user accounts. It also blocks the notification e-mail that WordPress normally sends to the administrator whenever a new user registers and logs it instead. […]
Ping from I need this: http://lyncd.com/… | irishmark.net
March 20, 2011, 1:41 pm
[…] need this: /user-spam-remover/ Share this:EmailTwitterPrint 20 Mar 2011 at 8:32 pm | by: Mark | Cat: Tweet | 7501No Comments […]