How to Stop WordPress Registration Spam – Complete Guide


In the ever-evolving landscape of the online world, combating WordPress spam user registration and WooCommerce spam user registration can feel like a never-ending game of whack-a-mole. Just when you think you have it under control, new spam accounts pop up, requiring you to tirelessly delete them. The frustration only deepens when you consider the flood of unwanted emails from domains like, that accompanies these registrations. It’s time-consuming to sift through the spam and find the legitimate ones.

On the other hand, some sites thrive on the registrations feature. Memberships, for example, can help you build a community of like-minded people. If you’re a WooCommerce site, maybe you want your customers to create accounts on your site. There are many benefits of keeping registrations open. So, how do you cope with WordPress fake user registrations? In this article, we will equip you with effective strategies to finally put an end to spam user registration in WordPress.

TL;DR: Consider using anti-spam plugins like CleanTalk to prevent spam registrations. For more comprehensive security, MalCare has a powerful malware scanner, one-click malware removal, and an advanced firewall with built-in bot protection to keep out spam registration bots for good measure. 

What are WordPress spam user registrations?

Spam registrations are a persistent issue faced by WordPress website administrators, characterized by the creation of numerous fake user accounts on their sites. These accounts are typically generated by spammers and serve various malicious purposes, such as spreading malware, executing phishing scams, or engaging in other harmful activities. 

They are caused largely by the lack of robust login security measures in the default registration forms. The default registration process in WordPress is often basic and straightforward, lacking essential anti-spam mechanisms such as reCAPTCHA or two-factor authentication (2FA). This allows spammers to bypass any form of verification or validation, enabling them to create a high volume of fake accounts quickly.

How to stop spam user registrations in WordPress?

To effectively prevent spam user registrations in WordPress, consider implementing the following strategies:

1. Utilize anti-spam plugins: 

Deploy anti-spam plugins such as CleanTalk and Akismet or explore alternative options that we’ve tested. CleanTalk is our favourite, and here are the steps to use it:

Step 1: Sign up for CleanTalk

Visit the CleanTalk website and sign up for an account. You’ll need to provide your email address, choose a password, and select the type of website you want to protect from spam.


Step 2: Add your website to CleanTalk

After signing up, log in to your CleanTalk account and click on the “Add website” button. Enter your website’s URL and follow the instructions to verify your ownership of the website. This typically involves adding a code snippet or modifying your DNS settings.

Step 3: Install the CleanTalk plugin

Navigate to the “Plugins” section on the left sidebar and click on “Add New.” In the search bar, type “CleanTalk” and press Enter. The CleanTalk Anti-Spam plugin should appear in the search results. Click on the “Install Now” button next to the CleanTalk plugin. Once the installation is complete, click on the “Activate” button to activate the plugin. After activation, you’ll be prompted to enter your CleanTalk access key, which you can find in your CleanTalk account. Enter the access key and click on the “Save Changes” button. The CleanTalk plugin is now installed and configured on your WordPress website, providing spam protection for your forms and comments.

Install CleanTalk plugin

2. Disable public registrations: 

If your website does not require public registrations, consider disabling this feature altogether. By restricting user registrations to manual approval or invitation-only, you can significantly reduce the risk of WordPress spam user registration. Here are the steps to do so:

Step 1: Log in to your WordPress Admin Dashboard

To disable public registrations, you need to log in to your WordPress site’s admin area. Enter your login credentials (username and password) to access the WordPress Admin Dashboard.

Step 2: Navigate to the Settings section

Once you’re logged in, locate the left-hand menu in the WordPress Admin Dashboard. Look for the “Settings” tab and click on it. This will open a dropdown menu with various settings options.

Step 3: Click on “General” settings

From the dropdown menu, click on the “General” option. This will take you to the General Settings page, where you can modify various basic settings of your WordPress site.

Step 4: Locate the “Membership” or “Membership Options” section

Scroll down the General Settings page until you find the “Membership” or “Membership Options” section. The exact name and position of this section may vary depending on your WordPress theme or plugins.

Locating the membership section

Step 5: Disable user registration

In the Membership section, you will typically find an option labeled “Anyone can register” or “Membership” with a checkbox next to it. By default, this box is usually checked to allow public registrations.

Uncheck the box or toggle the option to disable public registrations. This action will prevent new users from registering on your WordPress site without your explicit invitation or approval.

Step 6: Save the changes

Once you have disabled public registrations, scroll to the bottom of the General Settings page. Locate the “Save Changes” button and click on it to save the modifications you made to the settings.

Step 7: Verify registration status.

After saving the changes, your WordPress site will no longer allow public registrations. To verify the registration status, open a new incognito/private browsing window in your web browser and try accessing the registration page of your site (typically

User registration is currently not allowed error

3. Set user roles: 

Assign specific user roles to differentiate between regular users and administrators. Limiting the privileges of user accounts can minimize the potential impact of spam user registrations in WordPress. Here’s how you do it:

Step 1: Log in to your WordPress Admin Panel

Open your web browser and navigate to your WordPress website’s admin panel. Enter your username and password to log in.

Step 2: Access the User Roles Settings

Once logged in, locate the left sidebar menu and find the “Users” tab.

Step 3: Edit User Roles

Locate the user in the user list on the user management page. Hover over the user’s name, and you’ll see several options appear. Click on the “Edit” option.

Step 4: Assign the right user role

On the Edit User page, scroll till you see the Role section. Click on the drop-down menu and choose the appropriate user role for the user.

Setting user roles

4. Install a security plugin: 

Implement a security plugin tailored for WordPress sites and designed to give you a comprehensive solution. You want a plugin with a firewall that can actively block malicious bots that are creating the accounts. It’s an important way to stop WordPress spam user registrations. It’s also very helpful to have an automatic malware scanner and removal. MalCare has an excellent scanner, one-click removal and a firewall that prevents bad bots from getting through to your site at all, while letting the good ones through. Here are the steps to installing it:

Step 1: Visit the MalCare website

Open your web browser and go to the MalCare website.


Step 2: Sign up for an account

On the MalCare homepage, click on the Sign Up button. Fill in the required details such as your name, email address, and password to create a MalCare account.

Step 3: Add your website

On the next screen, enter your website details. You’ll need to provide some basic details about your website, like your admin panel details.

Connecting website with MalCare

Step 4: Install the plugin

Allow MalCare to install the plugin.

Installing MalCare plugin

Step 5: Initiate sync

The next step is to click the Initiate sync button. This will scan your site for malware.

MalCare plugin installed successfully

The free plan includes a real-time firewall. So, you’re all set. For other features like bot protection, instant removal and vulnerability monitoring, upgrade to the Basic plan that is $99 a year.

5. Implement geoblocking: 

Geoblocking allows you to restrict WordPress spam user registrations from specific geographic regions known for high spam activity. By blocking fake user registrations from these areas, you can significantly reduce spam account creation. Geo-blocking is useful when you aren’t expecting or wanting traffic from specific countries, but it isn’t a viable solution on its own. You can block countries with MalCare, but we recommend letting the firewall do its job instead. We have an article that will walk you through the steps for geo-blocking.

6. Enable reCAPTCHA protection: 

Integrate reCAPTCHA, a widely-used security measure, into your registration process. This helps verify that real users are registering while deterring automated bots. While we recognise that this adds a layer of inconvenience to a customer, reCAPTCHA is a great opportunity to detect bots.  It comes integrated with some popular form builders or page builder plugins. So, the process will vary depending on which plugin you use.

7. Double opt-in activation: 

Require users to activate their accounts through email confirmation. This additional step ensures that only legitimate email addresses are used for registration, minimizing chances of spam registrations considerably. Double opt-ins are also good indicators of user intent, and are highly recommended from a UX perspective. This is also a feature that is integrated with some email marketing plugins, so the process will vary depending on the plugin you choose.

8. Implement multi-factor registration: 

Employ multi-factor authentication techniques during the registration process. This involves combining email verification, SMS verification, or other authentication methods to add an extra layer of security. This also comes with some security plugins and the installation process will vary.

9. Manual approval: 

Opt for a manual approval process for new user registrations. By manually reviewing and approving each registration, you have full control over the legitimacy of user accounts. You will need to create a custom registration form to enable this. We’ve used the Forminator plugin and here are the steps:

Step 1: Change the user account activation method:

Once you’ve created a custom registration page, click Forminator in the sidebar. Then, hover over the form and click Edit. You will be redirected to the settings for that form. Then click User Registrations on the left and scroll till you see User Activation Method.

Step 2: Set manual approval method

Then, select the manual method for approval and save the settings by clicking Update.

Now, every time a new user registers, you will have to go to the Submissions section of Forminator and manually approve them.

10. Honeypot fields: 

Incorporate honeypot fields into your registration forms. These hidden fields confuse bots and automated scripts, as genuine users won’t fill them out. If a hidden field is filled, it indicates the presence of a bot, allowing you to block the registration. Much like two-factor authentication, you can look for plugins that enable this feature.
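
The honeypot check described above, sketched as a small must-use plugin for the default WordPress registration form. This is an added example, not code from the article or from any plugin it names. The field name company_website is a hypothetical choice, and the hooks used are WordPress core's register_form action and registration_errors filter.

```php
<?php
// Honeypot for the default WordPress registration form (added example).
// HP_FIELD is a hypothetical name; pick one that looks like a real field.
const HP_FIELD = 'company_website';

// True when the submission should be rejected.
function hp_is_bot(array $post): bool
{
    // Field absent: the request did not come from our rendered form (for
    // example another plugin calling register_new_user()). Do not block it
    // here; that path needs its own control.
    if (!array_key_exists(HP_FIELD, $post)) {
        return false;
    }
    $value = $post[HP_FIELD];
    // A non-string (company_website[]=x) is never sent by a real browser.
    return !is_string($value) || trim($value) !== '';
}

// Decoy markup. It is moved off-screen with CSS instead of type="hidden",
// skipped by keyboard and screen readers, and opted out of autofill so a
// browser does not fill it on behalf of a genuine user.
function hp_field_html(): string
{
    return '<p style="position:absolute;left:-9999px" aria-hidden="true">'
        . '<label for="' . HP_FIELD . '">Leave this field empty</label>'
        . '<input type="text" name="' . HP_FIELD . '" id="' . HP_FIELD . '"'
        . ' value="" tabindex="-1" autocomplete="off"></p>';
}

if (function_exists('add_action')) {
    // Running inside WordPress: print the decoy and validate the POST.
    add_action('register_form', function () {
        echo hp_field_html();
    });
    add_filter('registration_errors', function ($errors, $login, $email) {
        if (hp_is_bot($_POST)) {
            // Generic message: do not tell the client which check failed.
            $errors->add('hp_reject', __('Registration failed. Please try again.'));
        }
        return $errors;
    }, 10, 3);
} else {
    // Stand-alone run (php honeypot.php) on constructed submissions.
    $samples = [
        'human'     => ['user_login' => 'maria', HP_FIELD => ''],
        'bot'       => ['user_login' => 'x9k2', HP_FIELD => 'http://spam.example'],
        'array-bot' => ['user_login' => 'q', HP_FIELD => ['x']],
        'no-field'  => ['user_login' => 'api-client'],
    ];
    foreach ($samples as $name => $post) {
        printf("%-10s %s\n", $name, hp_is_bot($post) ? 'reject' : 'accept');
    }
}
```

The filter only covers registrations that pass through the default form; a custom or WooCommerce registration form needs the same check attached to its own submission handler.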

11. Create a custom registration form

This is a fairly quick and easy process. We’ll be using Forminator as an example for this tutorial:

Step 1: Install and activate the plugin

Search for Forminator in the WP Admin, Plugins page. Click Install and Activate.

Step 2: Create a new form

Forminator will allow you to create a form from scratch or use an existing template. So, choose User Registration as the type of form and get started. Feel free to design it to match your website aesthetically.

Step 3: Add the shortcode to your page

Now, copy the shortcode and paste it on a Registrations page. Click Publish and you’re ready to go.

Step 4: Preview the page

Open the page on an incognito tab and make sure everything works as intended.

12. Block malicious IP addresses

Blocking malicious IP addresses is an essential step in ensuring effective spam protection for your website. By identifying and blocking IP addresses associated with spamming or malicious activities, you can safeguard your site’s integrity and user experience. Blocking these IP addresses prevents unwanted bot traffic, contact form spam, spam comments, and other malicious activities from reaching your site. Here are some detailed instructions on how to block IP addresses in WordPress.

How to clear fake user registrations in WordPress

When faced with WordPress spam user registrations on your site, it’s crucial to act swiftly and effectively to mitigate their impact. While the manual method is time-consuming, it is the only way to do so. CleanTalk, for example, can check for spam accounts but you will still need to remove them. To manually delete spam accounts, you have to first identify them. Here are some ways to do that:

  • Monitor User Registrations: Look for users with generic usernames, random strings of characters, or email addresses that appear to be generated automatically.
  • Check User Profiles: Review the user profiles for any suspicious or nonsensical information. Spammers often use random or irrelevant details in their profiles. Look for inconsistent or incomplete profiles, such as missing profile pictures or incomplete biographical information.
  • Analyze User Activity: Look at the activity of the user accounts. Spammers often create accounts to engage in spammy behavior such as posting irrelevant comments or adding suspicious links to their user profiles or posts. Check for repetitive or irrelevant comments, excessive self-promotion, or suspicious links.
  • Review User IP Addresses: Check the IP addresses associated with user accounts. If multiple accounts are linked to the same IP address, it could indicate a spam network or automated spamming software.
  • Monitor User Engagement: Keep an eye on user engagement metrics, such as the number of comments, likes, or shares. Unusually high engagement from certain accounts may indicate spam activity.
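
The first, second and fourth checks in this list can be pre-sorted with a short script so that manual review starts with the most suspicious accounts. This is an added example, not part of the original article. The row layout is constructed, and the ip column is an assumption, since WordPress core does not record a registration IP and it would have to come from a plugin or from server logs.

```php
<?php
// Triage helper for reviewing registered accounts (added example).

// Heuristic: long names with almost no vowels, or with letters and digits
// interleaved, look machine-generated. It is a hint, not proof.
function looks_generated(string $s): bool
{
    $s = strtolower(preg_replace('/[^a-z0-9]/i', '', $s));
    $len = strlen($s);
    if ($len < 8) {
        return false;
    }
    $digits  = preg_match_all('/[0-9]/', $s);
    $vowels  = preg_match_all('/[aeiou]/', $s);
    $letters = $len - $digits;
    // Count every letter<->digit boundary ("x7k2" has three).
    $switches = preg_match_all('/[a-z](?=[0-9])|[0-9](?=[a-z])/', $s);
    return ($letters > 0 && $vowels / $letters < 0.2) || $switches >= 3;
}

// Returns [login => [reasons]] for accounts with at least two signals.
function triage(array $users, int $ipThreshold = 3): array
{
    $ips   = array_filter(array_column($users, 'ip'), 'strlen');
    $perIp = array_count_values($ips);
    $flagged = [];
    foreach ($users as $u) {
        $why   = [];
        $local = (string) strstr($u['email'], '@', true); // part before @
        if (looks_generated($u['login']) || looks_generated($local)) {
            $why[] = 'generated-looking name';
        }
        if (($perIp[$u['ip']] ?? 0) >= $ipThreshold) {
            $why[] = 'IP shared by ' . $perIp[$u['ip']] . ' accounts';
        }
        if ($u['display_name'] === '' && $u['posts'] === 0) {
            $why[] = 'empty profile';
        }
        if (count($why) >= 2) {
            $flagged[$u['login']] = $why;
        }
    }
    return $flagged;
}

// Constructed sample rows. In WordPress they could be built from
// get_users() and count_user_posts(); the IP source is an assumption.
$users = [
    ['login' => 'maria.lopez', 'email' => 'maria.lopez@example.org',
     'ip' => '198.51.100.7', 'display_name' => 'Maria Lopez', 'posts' => 3],
    ['login' => 'xkqzrtpw91', 'email' => 'xkqzrtpw91@mail.example',
     'ip' => '203.0.113.50', 'display_name' => '', 'posts' => 0],
    ['login' => 'h4j8k2m9', 'email' => 'h4j8k2m9@mail.example',
     'ip' => '203.0.113.50', 'display_name' => '', 'posts' => 0],
    ['login' => 'brtnvwqs', 'email' => 'brtnvwqs@mail.example',
     'ip' => '203.0.113.50', 'display_name' => '', 'posts' => 0],
    ['login' => 'dan_reads', 'email' => 'dan@example.net',
     'ip' => '192.0.2.10', 'display_name' => '', 'posts' => 0],
];

foreach (triage($users) as $login => $why) {
    echo $login, ': ', implode(', ', $why), "\n";
}
```

On the sample rows the three accounts sharing 203.0.113.50 are listed, while dan_reads is not, because an empty profile alone is a single signal. The output is a review queue, not a deletion list.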

As you find them, you will have to manually delete them from your admin panel. Here are the steps to do so:

Step 1: Log in to your WordPress Admin Dashboard

To delete user accounts, you need to log in to your WordPress site’s admin area. Enter your login credentials (username and password) to access the WordPress Admin Dashboard.

Users in WordPress admin dashboard

Step 2: Navigate to the Users section

Once you’re logged in, locate the left-hand menu in the WordPress Admin Dashboard. Look for the “Users” tab and click on it. This will take you to the Users management section.

Step 3: View the user list

In the Users section, you will see a list of all the registered users on your WordPress site. This list provides an overview of their usernames, email addresses, roles, and other relevant details.

Step 4: Choose the user account to delete

Scroll through the user list and locate the account you want to delete. Click on the username or hover over it to reveal additional options.

Step 5: Click on the “Delete” option.

After selecting the user account, a menu with various options will appear. Click on the “Delete” option or “Delete User” button to proceed with deleting the user account.

Step 6: Verify the user account deletion.

WordPress will display a confirmation message indicating that the user account has been successfully deleted. You can also check the user list to ensure that the account no longer appears.

Why does spam user registration in WordPress occur

Hackers engage in spam registrations on websites to exploit vulnerabilities and gain unauthorized access. Understanding these motivations sheds light on the potential risks associated with spam registrations.

  1. Privilege escalation attacks: One of the primary reasons hackers engage in spam registrations is to execute privilege escalation attacks. By creating fake user accounts, hackers aim to gain elevated privileges within the website’s system, allowing them to bypass security measures and gain unauthorized access to sensitive data or functionalities. Spam registrations serve as a gateway for hackers to promote and peddle various types of content, products, or even malware. They may use these fake accounts to distribute spammy links, advertisements, or malicious software, aiming to generate illicit profits or compromise unsuspecting users.
  2. Boost SEO rankings for illicit sites: Hackers may engage in WordPress spam user registrations as part of their strategy to manipulate search engine rankings for their own sites. By creating numerous fake accounts, they can attempt to flood the website with low-quality or irrelevant content, hoping to deceive search engines and artificially boost their rankings.
  3. Steal information: Spam registrations can be a means for hackers to gain access to valuable user information. By creating fake accounts, they may trick users into providing personal data or login credentials, which can then be exploited for identity theft, financial fraud, or other illicit activities.
  4. Store pirated content: Hackers can use your site to store and distribute pirated content. By using your site as a repository for unauthorized copyrighted material, it enables hackers to profit from illegal distribution while avoiding detection.

  5. Redirect visitors: Hackers can redirect website visitors to malicious or phishing websites. These redirects can lead unsuspecting users to sites that attempt to steal sensitive information, install malware, or engage in fraudulent activities.

What is the impact of WordPress spam user registrations?

Spam registrations on websites can have significant adverse effects, impacting both your website and users. 

  1. Affects search engine rankings: Search engines prioritize websites with high-quality and relevant content, and if hackers flood your site with low-quality or irrelevant content, it will be penalized, resulting in a drop in search engine rankings.
  2. Redirects Visitors to Their Site: Hackers behind spam registrations may use these fake accounts to gain access to admin roles. They are then able to redirect website visitors to their own malicious or phishing websites. Such redirects can mislead users, compromising their online security and exposing them to potential fraud or malware attacks.
  3. Blacklisting by search engines: Search engines are vigilant about protecting users from malicious activities. If a website’s spam registrations are not adequately addressed, search engines may detect the presence of spam and blacklist the site, significantly impacting its visibility in search results.
  4. Negative impact on customers: Spam registrations can also have a detrimental impact on genuine users and customers. The presence of fake accounts may clutter communication channels, making it difficult to identify and engage with legitimate users. Additionally, users may become frustrated with the influx of spam content and may even question the security and integrity of the website.
  5. Slows down website: An influx of spam registrations can slow down your website’s performance. The increased database load and server resources required to manage fake accounts and associated data can lead to sluggishness, affecting the overall user experience.

Final thoughts

In the realm of website security, it’s not a matter of “if” but “when” an attack may occur. With this understanding, it is crucial to proactively implement comprehensive security measures to safeguard your website and avoid the potential consequences of an attack. So, while CleanTalk is our recommendation for an anti-spam plugin, use it alongside MalCare for comprehensive WordPress security. MalCare has an advanced firewall, and superb malware removal capabilities. With both in your tool box, you can significantly reduce the risk of security breaches, ensuring a smoother and safer online experience.


My site has lots of spam registrations. How is everyone handling this right now?

Many websites are successfully addressing this issue by utilizing effective anti-spam plugins such as CleanTalk. CleanTalk is widely recognized as one of the best anti-spam plugins available, offering advanced spam detection algorithms and protection mechanisms. 

How can I get rid of spam registrations on my website?

To combat spam registrations, there are several steps you can take. Firstly, you can utilize an anti-spam plugin like CleanTalk to help identify and block spam registrations automatically. Secondly, install a strong WordPress firewall, like MalCare, for bot protection. Additionally, use reCAPTCHA or two-factor authentication to verify user authenticity. By combining these strategies, you can significantly reduce the impact of spam registrations on your website.

Spam bots are bypassing my custom registrations and honeypot fields. How can I handle this?

If spam bots are managing to bypass your custom registrations and honeypot fields, it’s essential to strengthen your website’s defenses. Implement more robust reCAPTCHA solutions, change over your anti-spam plugin, and definitely install MalCare. MalCare has an advanced firewall with built-in bot protection. By fortifying your website’s security, you prevent spam bots from infiltrating your registration process.

How can I stop bot registrations on my website? 

To prevent bot registrations on your website, implement the following measures:  

  1. Use a reliable anti-spam plugin like CleanTalk.
  2. Install MalCare which will automatically detect and block malicious bots.
  3. Enable reCAPTCHA on your registration forms to verify user authenticity.
  4. Implement additional security measures such as email activation, manual approval of new registrations, or IP blocking to block suspicious or known bot IP addresses.

How can I stop spam blog posts on WordPress?

To combat spam blog posts on WordPress, you can take several actions:

  1. Utilize an anti-spam plugin like Akismet, CleanTalk, or MalCare, which can effectively filter and block spam comments and blog posts.
  2. Use content filtering plugins that can detect and block spammy or suspicious content.
  3. Regularly monitor and review your website’s user registrations to identify and remove any bot-generated accounts.

Does WordPress have a built-in spam blocker?

WordPress does not have a built-in spam blocker, but it provides the ability to combat spam through plugins like Akismet. Akismet is a widely used anti-spam plugin that comes pre-installed with WordPress. It uses advanced algorithms to detect and filter out spam comments and trackbacks. However, relying solely on Akismet may not always be sufficient, especially for more sophisticated spam attacks. Supplementing it with MalCare, an advanced WordPress firewall with built-in bot protection, can enhance your website’s spam protection.

Why do bots or spammers register user accounts?

Bots and spammers register user accounts for various reasons, including:

  1. Privilege escalation attacks: By registering user accounts, bots or spammers may attempt to gain unauthorized access to sensitive areas of a website or exploit vulnerabilities.
  2. Peddling content, products, or malware: Spammers may create user accounts to promote their own content, products, or distribute malicious software.
  3. SEO manipulation: Some spammers register user accounts to manipulate search engine rankings by creating backlinks or generating spammy content.
  4. Information theft: Bots or spammers may register user accounts to gather personal information from unsuspecting users or engage in identity theft.
  5. Storing pirated content: Spammers may use user accounts to host or distribute pirated content, infringing on copyright laws.
  6. Redirection and spam content: Bots or spammers may use user accounts to redirect visitors to malicious websites or publish spam content, such as pharma hacks or keyword hacks.


