User Spam Remover for WordPress: FAQ

(back to User Spam Remover)

The timestamps in my log files don’t work!

WordPress only recently added real time zone locales, so if your blog has been around a while, you may still be using the old manual timezone offsets. Go to Settings / General and change your timezone to use a locale (i.e. “America/Los Angeles”, not UTC+/-X). Your blog will now also get daylight savings time adjustments for free!

I’m running bbPress integrated with WordPress. Will User Spam Remover delete my users even if they’ve posted to my bbPress forums?

There are different ways you can integrate your bbPress installation with WordPress. What we’re concerned about here are database-integrated installations where bbPress piggybacks on the WordPress database user tables (normally called wp_users and wp_usermeta). Two other ways to link your bbPress and WordPress installations are to use separate MySQL databases or to use a single database with separate user tables (by default, bbPress uses bb_users and bb_usermeta). So, what follows applies only if you’re running database-integrated with a single set of user and usermeta tables.

The short answer is, upgrade User Spam Remover to version 0.9 or later and your users won’t be deleted, as long as they post something (a blog post, comment, or a bbPress post) before the age threshold you’ve set expires. The fix has been tested with bbPress 1.0.2.

If you’re using an older version of User Spam Remover, you should upgrade. Older versions will delete users who haven’t made a blog post or comment after the age threshold expires, no matter how active they’ve been on your bbPress forums.

This may go without saying, but remember, User Spam Remover is a plugin for WordPress. This doesn’t mean you can install it as a plugin to bbPress, only that it tries to be bbPress-aware when bbPress shares database tables with WordPress.

How do I restore a user account from the backup file?

The file is plain text and consists of SQL statements that re-insert the deleted database records, very similar to the backup files that mysqldump creates. (Feel free to open up the backup file in your favorite text editor and take a look!)

So, to simply re-insert all the deleted users from the backup file, you just need to run the file through the mysql command:

mysql your_wp_database < userspamremover.restore.sql

To restore an individual user account, the easiest thing to do is to restore all of the users like this, and then use the whitelist feature to protect the particular user or users you want to keep. The plugin will re-delete the other, unwanted users.

The longer, manual way to do it is to extract and run just the SQL statements needed to restore your particular user. Remember to get both the statement that inserts the user into the wp_users table and the statements (there will be more than one) that insert the user’s metadata into the wp_usermeta table. The plugin breaks these up into individual statements for easier identification, but you’ll still need to find the right wp_users statement and then use its ID field to find the corresponding wp_usermeta statements with that ID value in the user_id column.

The records to re-insert a single user will look something like these:

-- Begin backup of deleted records from wp_users on 2010-08-11T14:26:56-0700 --
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user
_status`, `display_name`) VALUES (43, 'Arielliana', '$P$BeeNrOcHy9ITh27bXPnn68urU5.bde/', 'arielliana', '', '', '2010-03-09 12:
10:07', '', 0, 'Arielliana');

-- Begin backup of deleted records from wp_usermeta on 2010-08-11T14:26:56-0700 --
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (220, 43, 'nickname', 'Arielliana');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (221, 43, 'rich_editing', 'true');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (222, 43, 'comment_shortcuts', 'false');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (223, 43, 'admin_color', 'fresh');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (224, 43, 'wp_capabilities', 'a:1:{s:10:\"subscriber\";b:1;}');

Then, since you’re re-inserting an otherwise unused user account, you’ll need to add the user’s login to the User Spam Remover username whitelist to keep it from being re-deleted before the user has a chance to comment or post.

I’m using [some other plugin] that also blocks the new user notification e-mail. What should I do?

If the other plugin allows you to deactivate this feature, you could do that and use User Spam Remover to block the e-mail (this way, new registrations can be logged to the User Spam Remover activity log file). Or, you could choose to deactivate this feature of User Spam Remover and let the other plugin handle it.

If you leave this feature enabled in both plugins (not recommended), it’s hard to predict what will happen. Most plugins implement this feature by overriding the pluggable function wp_new_user_notification(), so if you use multiple plugins that attempt redefine this function, WordPress will use whichever one it loads first. User Spam Remover is written to not trigger any PHP errors, so if another plugin defines this function first, User Spam Remover will not enable its version.

So, if you are getting PHP error messages about wp_new_user_notification(), it’s likely another plugin is trying to redefine this function after User Spam Remover. If this is the case, you can either click the checkbox to deactivate this feature in User Spam Remover or (if you have PHP skills) hand-edit the other plugin.

Why aren’t you using CAPTCHAs / blacklists / activation / double opt-in / statistical analysis / black magic to block spam registrations in the first place like [some other plugin]?

Short answer: Because that’s not what I wanted. If some other plugin does what you want, then that’s great, keep on using it! I’ve written User Spam Remover to not interfere at all with user registration, so you can use another plugin that adds captchas, opt-ins or hoop jumps to your site’s registration process, and then use User Spam Remover to delete any user spam that makes it though.

Long answer: Because they don’t really work, at least not for user spam. There isn’t enough information in a new user account to reliably classify it as spam — which is why Akismet, for instance, doesn’t try to filter registrations. Captchas, blacklists and opt-ins may reduce user spam but they can’t eliminate it, and they add complexity (which means possible bugs and vulnerabilities) and have bad side effects like blocking or inconveniencing real users from registering.

These approaches are also all easily broken by well-known attacks — captchas by captcha farms; opt-ins and RBLs, by botnets — so they add nothing from a security vulnerability perspective. Remember, if your blog allows public registrations, you’re letting (potentially bad) people in with whatever default privilege set you grant them. Instead of weak sign-up filters, you need to do things that add real security: Strictly limit the privileges untrusted users get, moderate (not just rubber-stamp) new registrations, be vigilant about monitoring your system, and keep your software patched.

User Spam Remover isn’t a security plugin, and it doesn’t pretend to be. It only identifies accounts as “spam” after they’ve been registered on your blog for days or weeks. But, it’s also not security theatre or adding unnecessary complexity to your blog and nuisances for your real users. It’s meant only to manage the problem of user registration spam without adding any bad side effects.

The vast majority of spam user accounts do nothing except register — they’re just spamming a URL for evil SEO purposes, in hopes your blog exposes the URL somewhere. They don’t try to post or comment on your blog. User Spam Remover is a tool to remove these nuisance accounts automatically.

If your blog allows public users to register and leave comments, User Spam Remover is meant to be used alongside Akismet or another comment spam filter: When a user registers and leaves spam comments, those comments are caught and deleted by Akismet, and then User Spam Remover deletes the account.

User Spam Remover assumes you have secured your basic permissions so that “spam” users cannot add posts, links or comments without these being moderated and/or caught by a spam filter. These users then show up as never having posted, added a link or commented, and are removed.


  • Thanks for this plugin.

    It would be helpful to know exactly how you define “unused accounts”. Is it an account that has never been logged in to? Or an account that may have been logged in to, but has never been used to post a comment? etc…

    • Sorry, I thought I had explained this well enough, but I guess not! I’ll update to try to make this more clear, but in the meantime, “unused” means “never created a comment, link or post” i.e. there is no record of the user ever doing anything in the WordPress database.

      WordPress doesn’t record if or when a user has ever logged in, so there’s no login information in the database for this plugin to make use of one way or another. We’ve discussed at length adding this feature to this plugin, but for a multitude of reasons (relating to security, performance and activation complexities) I’ve decided not to add it.

      • The same question what I have in my mind. I have more than 3000 registered user that contains lot of spams. Mostly my users are registering through mailpress newsletter subscriptions, actually they are not a wordpress default users. They are subscribers and they will reach my website through mail or they will read the post directly inside mail. When the user delete unused accounts I will lost my mail subscribers right…

      • You may want to check out this thread and the linked thread for more info.

        I can’t speak for your setup (and I’m not familiar with mailpress) but it sounds like User Spam Remover would delete your users since they haven’t posted or commented. I’d recommend testing the plugin out on a copy of your site if you’re unsure.