When I bought XenForo, I figured I could modify it any way I liked, using the powerful addon-system. True, you can pretty much do anything you like with it, but the learning curve is quite steep. There is little to no documentation available, and the even the simplest addons takes days of research, digging through forum discussions, other similar addons' source code and even XenForo itself. And this is coming from someone who speaks about ten different programming languages fluently. I can't imagine how hard it must be for someone with no experience at all.
Anyway, after a couple of months, I gave up on this, and started working on my own solutions from scratch. That's what I'll be using from now on.
The thing that really tipped me over, is the serious lack of security. We've had problems with spambots. Shortly after the initial attacks, we set up a series of tough anti-bot-questions, that were supposed to slow them down. By tough, I mean that they can't be calculated or otherwise figured out from the actual question, from a bot's point of view. This didn't help at all. It would seem like the bots somehow managed to avoid these questions.
A couple of days ago, we really got our butts kicked, by a storm of bots. My response was to turn of user registration. Since you can't post anything on our forum without a user account, this would surely stop the attack, I thought.
I then turned on email validation. That kept them at bay. It would seem that turning off registration only serves to remove the button that says "sign up". It won't keep anyone from actually signing up. Brilliant design feature, I must say.
Another thing; there is supposedly an anti-spam option for users. On our board, we have to wait something like 30 seconds between posts, regardless of what kind it is. Regular posts, status updates and so on. This lock doesn't apply to these bots either. They can post whatever they want, whenever they want, regardless of the rules set by the ACP.
Again, I'm probably running an older version, but XenForo had been around for quite a while before I joined in, and this is pretty much the most basic security-stuff in the world of internets. It shouldn't be that hard to get it right. I know I'm never gonna get my money back, but on behalf of the folks still using XenForo today - for God's sake, fix this. And get some proper documentation on that API.