This is what chgpt write as known issue:

Why do I get spam registrations only when BuddyPress XProfile Custom Field Types is active? Short answer

Because this plugin adds extra registration/profile fields that bots can easily exploit, and these fields often bypass or weaken existing anti-spam checks. Why this plugin increases spam registrations 1. More form fields = larger attack surface

The plugin extends the BuddyPress registration form with custom xProfile fields (text, URL, social links, etc.).

Many of these fields:

• lack strong server-side validation
• are processed before final registration checks
• are easy for bots to auto-fill

Bots actively scan for such forms. 2. Registration happens before anti-spam checks

In BuddyPress, xProfile field handling often runs earlier than:

• reCAPTCHA
• honeypots
• WordPress anti-spam plugins

Result:
➡️ Bots can complete registration before spam protection fully triggers. 3. Certain field types are bot magnets

Especially risky field types:

• URL fields
• free-text fields
• social media fields
• required fields without validation

Bots are specifically designed to detect and exploit these patterns. 4. The plugin is often poorly maintained

Many versions of BuddyPress XProfile Custom Field Types:

• are not fully compatible with modern WordPress / BuddyPress
• use outdated hooks
• unintentionally bypass newer security mechanisms

Spammers know this and target such setups. Why spam stops when you deactivate the plugin

When the plugin is disabled:

• fewer form fields exist
• BuddyPress falls back to its default registration flow
• anti-spam plugins start working correctly again

➡️ The attack vector disappears. What you should do (recommended) ✅ Immediate actions

• Keep the plugin disabled if possible
• Require:
  • reCAPTCHA v3 and
  • a honeypot and
  • email activation

🔧 If you really need this plugin

Add extra protection:

• Avoid URL fields
• Do not make custom fields required
• Enforce server-side validation
• Require email activation before login
• Add rate-limiting to registrations

🔁 Better alternatives

• Use default BuddyPress profile fields
• Or switch to a well-maintained profile field plugin

Final conclusion

The plugin itself doesn’t create spam — it opens a door that bots can walk through.
Your observation is technically correct.

If you want, tell me:

• your WordPress version
• your BuddyPress version
• which profile fields you actually need

I can recommend a safer setup or a better alternative.

WORKAROUND:

Got it — with latest WordPress + latest BuddyPress and you only need a “Country” field, the good news is:

👉 You do NOT need BuddyPress XProfile Custom Field Types at all. Best & safest solution (recommended) Use native BuddyPress profile fields

BuddyPress already supports a “Drop-down Select Box” field type — this is perfect for Country selection and much safer than custom field plugins. How to set it up

1. WP Admin → Users → Profile Fields
2. Create a new field:
   • Field Type: Drop-down Select Box
   • Name: Country
   • Required: ❌ No (recommended)
3. Add your country list (one per line)
4. Save

✅ This field:

• Is fully supported by BuddyPress core
• Works with the registration page
• Does not bypass spam protection
• Is maintained and future-proof

Why this stops spam

• No extra plugin hooks
• No early xProfile processing
• No vulnerable field rendering
• reCAPTCHA / honeypot works again

➡️ Bots lose their easy entry point. If you want the country list auto-generated

If you want a prebuilt country list:

• Copy a standard ISO country list (safe)
• Or I can generate one for you (English or localized)

Just tell me. Extra hardening (highly recommended)

Even with core fields:

• Enable email activation in BuddyPress
• Add honeypot (e.g. WP Armour)
• Use reCAPTCHA v3 or Turnstile
• Limit registrations per IP

Summary NeedBest choiceCountry field onlyBuddyPress core dropdown fieldSpam protectionCore + captchaPlugin needed❌ No Final advice

Delete BuddyPress XProfile Custom Field Types permanently.
For a simple “Country” field, it is unnecessary and risky.

If you want:

• a ready-to-paste country list
• validation (e.g. block certain countries)
• or UX improvements (flags, search)

Just tell me 👍

You miunderstud me.

Issue is not after installing your plugin.

It worked for years, I have nothing changed.

User search is working but now without country 🙁

I tested all again and again. Also only with buddypress without youzify.

As far I activate your plugin, spam registerings are coming 🙁

What I wonder about is taht field gender is there even when plugin deactivated.

As I remember it was not this cace to begin

Please delete double topics. I seems to be some bug here

there paths where infected files ware detected with very good plugin

Anti-Malware from GOTMLS.NET

No, after reinstalling there is no critical error but it seems to be some error in your plugin. Alert was detailed something with 25 line or so. I dont wnat to reproduce this again

1. No
2. It is investigation function of chrom (rightclick, last position)

But anyway I resolved this issue

I use print with browser.

I had to disable all plugins by chrome.

Some must have cause this red sign.

Now it works like before

Thank You!