WordPress MU

Hello, I use my MU more for testing and I have 3 blogs for me and some friends. I recently updated to 1.5.1 because it seemed to give an easy option for closing registrations and this is what I really needed.
So, I disabled the registrations (as you can see in jantima.it/wp-signup.php) but today I received an email notification about a user being able to register and another email about the same user creating a blog.

I have no ida how they managed to register.

Some other things:

1. Wasn't there a footer -in the admin section- with version number of WP installed in the previous versions? Where can we see what version of WP we have currently installed?

2. Wasn't there also an option to require an administrator to accept/enable/activate new users and new blogs? Where is this option now?

Please start of with reviewing your webservers logs. You have the IP address of the created account. It's stored within the wp_registration_log table. You can cross reference that with your logs to see how they did it.

1) wp-includes/version.php for the version numbers.

2) I don't recall there being such an option.

IRT 2): That option hasn't ever been a core function of MU.

Thanks for your kind help! I will do my research to see how they do it. I got a new one today as well.

Check and verify your settings, just to be sure. When you visit the actual signup page, it should tell you that you aren't allowing registrations.

You could always put a die at the top of the file, and kill anything coming to it.

If they still get by, that points to a hole somewhere other than that file.

Either way, do bounce their IP against your error and access logs, and see what you come up with.

Check and make sure you don't have a bunch of spam *users* who may still be able to create new blogs.

I did the research and find out some info about the two users... Both IP seems from China.

The first user (the one registered yesterday) did hit the wp-login.php page many many times, and then it did:
GET /wp-activate.php?key=73b0e1d30fab557e
and then wp-login.php and options-general.php and eventually posted a message. After some hours the same IP started again to spam the wp-login.php page.

The second IP that signed up today did the first hit with:
GET /wp-activate.php?key=ae6c8d49e998302e
then wp-login.php and options-general.php. It doesn't seem that he posted a message though. And I have no other newer trace of that IP.

The funny part is that my configuration is messy and the wildcard is broken (from a long time, and I have been too lazy to fix it). So I cannot see their blogs, if any, and I guess they cannot see them either :P

I have cleaned up all spam-users and spam-blogs from the wp site admin, two days ago just before upgrading and closing the registrations. But I just found out that the database wp_signups table is still full of spam users. But these two users and blogs are not in this list.

I haven't shared this before, but give my plugin a try to block almost all of the splog signups - the automated ones at least. It's a heavily modified version of wordpress plugin originally made for blocking spam comments. Works incredibly well and there is no captchas.

http://www.paidtoblog.com/wpmu_splogfree.zip