ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
Strange member sign ups, possible security issue?

February 11, 2010 8:28am

  • #1 / Feb 11, 2010 8:28am

    stef25

    268 posts

    I just noticed that an EE site I run has a bunch of members (about 20) that should not be there. The only valid accounts are my super admin and 2 accounts for my client. These members belong to the same group as my client’s account and only one of them still has status “pending”.

    The site does not feature member sign ups at all. There is one form that is a login form which posts to an external site (different domain) and there are also a few Freeforms, nothing more than elaborate contact forms.

    What is MOST worrying is that when I google their usernames, they seem to pop up on various EE powered forums. Try a google for [obfuscated email address] for example.

    One result shows: Newest Members:  tomasze,  handtruck,  Tracy,  mycheapseo,  karl3war7,  [obfuscated email address],  curtdill89,  GetSeo,  MichaelWaskl,  craig5paul

    I have 3 of those usernames in my list of members and several can be found across various EE forums. Signing up on a forum is not really a problem but how could these people become members on my site if there is no public signup?

    EDIT: I am able to login as these members and they have the same rights as my client. NOT GOOD :(

    Anyone know what’s going on?

  • #2 / Feb 11, 2010 8:38am

    Neil Evans

    1403 posts

    Just to confirm… have you definitely disabled members in the modules, etc.?
    A lot of sites set up with EE do not disable this and change other settings to restrict membership. And so even if the members area is not publicly linked to - it would easily be guessed by an automated bot (especially if the site has obvious EE traits).

    I personally felt I was getting a lot of spam registrations on a site which did have a public registration form - and changing the captcha from default to any of the others eased this - but that is a different matter from yours…

    any links to the site so we can look or help?

  • #3 / Feb 11, 2010 8:41am

    stef25

    268 posts

    Member management system 1.3 is installed but I need that for my client’s account right?

    This is EE 1.6.5 btw, yes I should update ...

  • #4 / Feb 11, 2010 8:42am

    Sue Crocker

    26054 posts

    Does the site have a forum attached to it?

  • #5 / Feb 11, 2010 8:42am

    stef25

    268 posts

    No forum installed

  • #6 / Feb 11, 2010 8:46am

    Neil Evans

    1403 posts

    Member module
    Not as far as I am aware - I am running sites with it uninstalled, and I am able to add/edit members through the backend. The member module I believe is just for the front end registration and features, etc.

    So in theory these registrations are probably coming from:

    http://www.domain.com/index.php/member/register/

    where the segment /member/ is whatever the trigger word is set up to be in the member module.

    Now read up and confirm this, as I am not 100% sure on your setup, versions, and use of members, etc. But it is fine for my sites.
    Sue might tell you more about this…

  • #7 / Feb 11, 2010 8:50am

    stef25

    268 posts

    Well ... that’s it! The member/register page is there with the default EE template. I’ll remove that now.

    So all a member has to do is sign up, click the confirmation email and then by default they end up in the same Group as my client?

    Seems like this was a serious error on my part.

  • #8 / Feb 11, 2010 8:52am

    Neil Evans

    1403 posts

    Well, not sure how you have member groups set up…
    but you can define that in the member module…

    Typically I create an extra member group layer between Super Admin and Member - something like Editor, or Admin.

    Then I can control what they see and do in the backend, while leaving the defaults in place for member, etc.
    But this is purely personal preference I imagine.

  • #9 / Feb 11, 2010 8:52am

    stef25

    268 posts

    Uninstalled the member module but the member/register page is still accessible.

  • #10 / Feb 11, 2010 8:54am

    Neil Evans

    1403 posts

    Cache? Either browser, or server?
    Just tested one of mine, and this is not a problem on these sites so the above should be right.

  • #11 / Feb 11, 2010 8:56am

    stef25

    268 posts

    browser cache cleared and all caches cleared in the EE CP, page is still there. I also don’t have a template group called “members”, that normal?

  • #12 / Feb 11, 2010 9:08am

    Sue Crocker

    26054 posts

    Changing the trigger word would fix that particular problem if you still had the module installed. But in any case, you need to upgrade.

  • #13 / Feb 11, 2010 9:10am

    Neil Evans

    1403 posts

    Actually I have done a few tests and I am experiencing the same…
    the member module is not installed… but the registration form is still showing…

    Surely this is not the correct behaviour?

    EDIT/ADD

    You can disable the registration part in admin->members->preferences….
    but this still allows people to see profiles, even with the member module not installed…
    for example: http://www.domain.com/index.php/member/1

    I can change the trigger word, but surely this is not the correct behaviour?
    Note this is on an EE1.6.8 Build: 20100121

  • #14 / Feb 11, 2010 9:16am

    stef25

    268 posts

    Yep, same here. nevsie, which EE version?

    Page shows, module is uninstalled. I set it so that the default member group is now banned and changed the trigger word to a long random string. That should secure it all for now.
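The thread's root problem was that nobody noticed roughly twenty self-registered accounts sitting in the client's member group until the poster happened to look. The script below is an added example, not code from the thread or from ExpressionEngine: it audits a member list against an allowlist of expected usernames, flags any unexpected account that landed in a privileged group, and looks for clusters of registrations close together in time (the pattern bot sign-ups through an exposed member/register page tend to leave). The member rows, usernames, e-mail domains and the group ids (1 for Super Admin, 6 for the client's editing group, 5 for the default Member group) are all constructed for the example; on a real install the rows would be exported from the exp_members table.

```python
"""Audit a CMS member list for accounts that should not exist.

Added example: constructed data, hypothetical group ids. Intended as a
periodic check a site owner could run against an export of the member table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    member_id: int
    username: str
    group_id: int
    join_date: int   # unix timestamp, the way EE 1.x stores join_date
    email: str


# Constructed sample rows (not from any real site). Hypothetical group ids:
# 1 = Super Admin, 6 = the client's editing group, 5 = default "Member" group.
SAMPLE_MEMBERS = [
    Member(1, "superadmin",    1, 1230768000, "admin@example.invalid"),
    Member(2, "client_main",   6, 1231000000, "client@example.invalid"),
    Member(3, "client_editor", 6, 1231100000, "editor@example.invalid"),
    Member(4, "cheapseo99",    6, 1265800000, "a@spam.invalid"),
    Member(5, "handtruck_x",   6, 1265800300, "b@spam.invalid"),
    Member(6, "karlwar7",      5, 1265800600, "c@spam.invalid"),
]

# The only accounts that are supposed to exist on a site without public sign-up.
EXPECTED_USERNAMES = {"superadmin", "client_main", "client_editor"}
# Groups whose members can log in to the control panel or edit content.
PRIVILEGED_GROUPS = {1, 6}


def unexpected_members(members, expected):
    """Accounts whose username is not on the allowlist."""
    return [m for m in members if m.username not in expected]


def privileged_unexpected(members, expected, privileged):
    """Unexpected accounts that also sit in a privileged group: the worst case,
    since such an account has the same rights as the legitimate client login."""
    return [m for m in unexpected_members(members, expected) if m.group_id in privileged]


def signup_clusters(members, max_gap=900, min_size=3):
    """Group registrations into clusters where consecutive join_dates are no more
    than max_gap seconds apart; return clusters of at least min_size members.
    Humans rarely register three accounts within minutes; bots do."""
    ordered = sorted(members, key=lambda m: m.join_date)
    clusters, current = [], []
    for m in ordered:
        if current and m.join_date - current[-1].join_date > max_gap:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(m)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def audit(members, expected=EXPECTED_USERNAMES, privileged=PRIVILEGED_GROUPS):
    """Return a summary dict of the findings, suitable for logging or alerting."""
    return {
        "unexpected": sorted(m.username for m in unexpected_members(members, expected)),
        "privileged_unexpected": sorted(
            m.username for m in privileged_unexpected(members, expected, privileged)
        ),
        "clusters": [[m.username for m in c] for c in signup_clusters(members)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MEMBERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `privileged_unexpected` list is the one to act on first (ban or delete, then check what those accounts did while logged in); `clusters` is a cheap signal that a registration endpoint is still reachable even after the module is thought to be removed, which is exactly what two posters in this thread found.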

  • #15 / Feb 11, 2010 10:05am

    Sue Crocker

    26054 posts

    Nevsie. People sometimes close registrations, but still allow the ability to allow existing profiles.

    You can change that on a per member group basis:

    Can view public profiles
