Improving the user profile. Adding permissions and anti-spam for fields & overhauling the presentation

Stuart Wright

This is quite a broad suggestion, but I feel it's needed because there are some significant shortcomings with user profiles.

Spam checking
Firstly we have a big problem with people using the legacy profile fields Website, Occupation and About for spamming. Mainly Website.
These fields are carry-overs from vBulletin in a lot of instances.
I'm running this SQL:
SELECT CONCAT('<member profile URL prefix>', xf_user.user_id, '/?no_redirect=1'), website, location, snog_flag, message_count, about
FROM xf_user_profile, xf_user
WHERE xf_user_profile.user_id = xf_user.user_id AND LENGTH(website) > 0
AND user_state = 'valid'
AND is_banned = 0
ORDER BY xf_user.user_id DESC
which returns nearly 11,000 rows.
As well as the Website field, I'm noticing that the About field is being used with links to spam also, so the first suggestion is to put all user profile text entry fields through the usual spam checking routine whenever they are changed. And maybe block links from the About field also.

Use custom user fields
But I actually think we need more than that. It seems to me that the best way to address these and some other profile fields (Location, Gender) is to turn them into custom user fields (predefined in new installations to make it easy for new admins) so that admins have more control over them. Including deleting them altogether (which is what I'd do to the Website field).

Custom user field permissions (and sort order button)
But I actually think we need more than that. We need more permissions for the custom user fields so that admin can control what usergroups can edit and view them. With separate permissions to view in the user profile and view in the postbit.
This would give lots more flexibility for the custom user fields so that they are unavailable to new members, for example, and only become available to more active members. Perhaps we want some user fields available for members to view but not guests or search engines. Perhaps we want to put specific fields in the message postbit as well as the user profile about tab.
There's also a reasonable argument for having view permissions for system fields like Join date and Birthday.
Maybe we also need a permission that puts edits into the moderation queue so we can deal with particularly problematic custom fields like Website.
Oh and can we have a sort button so we can drag and drop the display order of custom user fields please?

User profile customisation
But I actually think we need more than that. With custom user field permissions (for viewing), we'd already be customising the contents of the user profile about tab. But I think we need to be able to have usergroup permissions for which tabs are shown on the user profiles as well.

We could go even further and allow the customisation of the user profile tabs and allocation of custom user fields to those tabs.

It's 42 years since I started coding on computers so I can make an educated guess that making the above changes in XenForo core won't be trivial. But I'm guessing (hoping) they won't be huge projects, either. The benefits in flexibility will be significant, though.

XenForo guys, please correct me if I've made mistakes in my assumptions about what is and isn't already possible.

So folks reading this, if you think it's time there was a revamp of the user fields and user profile, please upvote this suggestion (using the little up arrow top-right of the post).
Maybe we can have the guys shoehorn it into 2.3? Cheers
Upvote 26
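As an added example (not part of the original post or XenForo's own code): with a result set this large, grouping the rows by the host each profile links to shows which domains recur across many accounts, covering both the Website and About fields. The row keys mirror the query's columns; the function names, the `min_accounts` threshold and the sample rows are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches http(s) links and bare "www." hosts, including inside BBCode such as [URL=...].
LINK_RE = re.compile(r"(?:https?://|www\.)[^\s\[\]\"'<>]+", re.IGNORECASE)

def link_hosts(text):
    """Return the set of lower-cased hostnames linked from one profile field."""
    hosts = set()
    for match in LINK_RE.findall(text or ""):
        url = match if "://" in match else "http://" + match
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL: skip it rather than abort the run
            continue
        if host:
            host = host.rstrip(".")
            hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts

def group_by_host(rows):
    """Map each linked hostname to the sorted user_ids whose profile links to it."""
    users = defaultdict(set)
    for row in rows:
        # The Website field holds a URL by definition, so accept a bare domain there.
        website = (row.get("website") or "").strip()
        if website and not LINK_RE.match(website):
            website = "http://" + website
        for field in (website, row.get("about")):
            for host in link_hosts(field):
                users[host].add(row["user_id"])
    return {host: sorted(ids) for host, ids in users.items()}

def review_queue(rows, min_accounts=2):
    """Hosts shared by at least min_accounts profiles, most widely used first."""
    shared = [(h, ids) for h, ids in group_by_host(rows).items() if len(ids) >= min_accounts]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))

# Constructed sample rows in the shape of the query's output (not real data).
SAMPLE_ROWS = [
    {"user_id": 101, "website": "http://pills.example/buy", "about": ""},
    {"user_id": 102, "website": "www.pills.example", "about": None},
    {"user_id": 103, "website": "", "about": "Visit [URL=https://pills.example/x]here[/URL]"},
    {"user_id": 104, "website": "https://blog.example", "about": "Long-time member."},
]

if __name__ == "__main__":
    for host, ids in review_queue(SAMPLE_ROWS):
        print(f"{host}: {len(ids)} accounts -> {ids}")
```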
So far this month our website has been VERY aggressive in moderating these accounts which use profile fields to spam the website. Because we’re a very seasonal website, we see almost no new members this time of the year, so we’re able to really focus on checking each account manually to try to see who’s doing what. This month we’ve seen roughly 600 new members create a new account and spam the profile fields. This has occurred after only 23 days.

Had this occurred during the busy season, it’s likely we wouldn’t have had the time to manually review these accounts, thus the spammer would have easily had their links displayed.