This is effective: https://community.elgg.org/plugins/1612728/0.1/registration-randomizer
This prevents bots from signing up since your register page is never the default URL, always random, and it's the default URL they are heading to, to try and sign up.
I am sorry to hear how the spammers are frustrating you and your site. The hardest thing to stop is human spammers. Most companies will pay spam sweat-shops to solve most captchas available even at the moment, including the gutwacaptcha:
https://community.elgg.org/plugins/1172111/1.8.15C/elgg-captcha
At the moment, gutwacaptcha works faithfully but needs a few tweaks to make it work to its optimum.
For example, the next versions will include a limit on how much a user can mess around with the site or solve gutwacaptcha. This way the bots cannot just brute force the gutwacaptcha.
Try the sitecode plugin. The site code will help you shut down the registration of your site to new members, including the bots or spammers, while dealing with or deleting the registered spammer.
Comment posted from a cellphone~~~
Thank you all. It seems that the spamming has tapered off since I installed the textcaptcha. Won't count my chickens before they've hatched, but this is a good sign!
@webgalli Thank you for the lead; it is helpful. If anyone would like to give me a lead on how to show/hide the html editor, then I'd be grateful.
Watch out!! Anyone can type/paste/inject dangerous HTML regardless of the editor being present.
You only want to temporarily relax your htmlawed standards when trusted users are logged in.
Then you can remove filter_tags() sanitization (htmlawed) from the output/longtext view so all users can see that content.
This solution isn't perfect because if any non-admin edits that content, the unsafe markup will again be stripped out.
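A sketch of the conditional relaxation described above, as an added example that is not part of the original post or Elgg's own code. It assumes the bundled htmlawed plugin passes its configuration through the 'config', 'htmlawed' plugin hook; the plugin id and function names (trusted_html_*) are hypothetical.

```php
<?php
// start.php of a small custom plugin (hypothetical id: trusted_html).

elgg_register_event_handler('init', 'system', 'trusted_html_init');

function trusted_html_init() {
	// Assumption: the htmlawed plugin triggers this hook with its config
	// array each time filter_tags() sanitizes a value.
	elgg_register_plugin_hook_handler('config', 'htmlawed', 'trusted_html_config');
}

/**
 * Relax htmLawed only while the logged-in user is a site admin.
 *
 * @param string $hook   'config'
 * @param string $type   'htmlawed'
 * @param array  $config htmLawed configuration built by the htmlawed plugin
 * @param mixed  $params unused
 * @return array configuration to use for this request
 */
function trusted_html_config($hook, $type, $config, $params) {
	if (elgg_is_admin_logged_in()) {
		// With 'safe' off, htmLawed no longer strips elements such as
		// iframe from what this admin submits.
		$config['safe'] = false;
	}
	// Every other request keeps the default, so markup posted or
	// re-saved by a non-admin is still filtered on input.
	return $config;
}
```

The relaxed config applies only to the admin's own requests, which is why the post also removes filter_tags() from the output/longtext view; once that output filter is gone, input filtering is the only sanitization left for long text.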
@steve_clay
Wow, that worked splendidly. However, I noticed that messing with the tinymce extended_valid_elements doesn't really do anything whether or not I put in iframe. It looks like the htmlawed safe option is the only thing that controls that.
I do have a question for you though. Right now, with htmlawed safe option set to true conditionally when admin is logged in, then admin can post iframes and others can see it, but non-admins cannot post working iframes. However, when a non-admin opens the HTML editor and pastes an iframe in, and hits update, then the iframe works in the editor. When the post is published, it gets stripped.
Is this not a security risk that iframes load in the editor? Shouldn't the 'safe' option set to true in htmlawed prevent users from loading the iframe in the WYSIWYG editor, or is that just the domain of longtext?
What do you see in maillog during action processing?
@Paweł
I was able to find a solution, thank you!
For posterity, and others who may run into this issue, this is what worked.
First, per Paweł's suggestion, I checked the "maillog", which refers to a log file on your server. On my Debian 7 server space, it was in /var/log/mail.log. I performed an action or two that would replicate the hanging behavior, and then a couple minutes later, I checked the mail.log file.
Looking at the bottom of the page, I found "My unqualified host name (shhThisIsSecret) unknown; sleeping for retry". I got this error because the hostname I had set for Linux was not an FQDN (fully qualified domain name). This is problematic in a few ways, which I'm sure you can look up.
To fix it, change the hostname to an FQDN. On Debian 7, I was able to change the hostname super easily with the hostname command. If you just type in hostname in the prompt, and hit enter, it should return what the hostname is currently. Then just type hostname myFQDNhostname, and hit enter, and it should have changed the hostname. You can verify it by running the hostname command by itself again.
That should do it (it worked for me)!
If you type in an invalid FQDN, then the page may stop hanging, but no email will send. If you check your mail.log again, you may find messages like "Domain of sender address myApacheUsername@myNotValidFQDNhostname does not exist".
A common valid FQDN to use for your hostname would be mail.myDomainname.com
Hopefully this helps someone else.
I'm glad it helped. Thanks for the extensive information on the actual problem. That's one of the best ways to give back to the community.