How to Stop WordPress Registration Spam – Complete Guide
You want to grow your website. You want more customers and revenue.
So you lay out a plan to improve your content and refine your design.
You add more CTAs and enable your users to subscribe and register on your site!
But you suddenly find your site being bombarded with spam user registrations!
Instead of growing your business, you’re spending time cleaning up a deluge of spam every day.
Instead of doing this, you are stuck cleaning spam user registration every morning.
That must be frustrating.
Over the last decade, we’ve had the opportunity to help customers who were managing a deluge of spam WordPress registrations every single day.
So don’t worry, no matter how bad the situation is, we will help you reclaim your time. You can go back to focusing on growing your business and generating more revenue after reading this article.
To stop WordPress registration spams, you need to implement a few measures. First, install a firewall, implement geo-blocking then enable reCAPTCHA. If these measures don’t stop registration spams completely, then try implementing all the measures listed below.
Before diving into the prevention methods, if you want to understand why hackers carry out registration spams in the first place, jump to this section.
And if you want to learn about how registration spam can impact your site, go this section.
How To Block WordPress Registration Spam?
Here’s a thought:
Instead of preventing registration spams why not disable registrations.
You don’t need to enable public registration if you want to allow only a small number of people access to your site.
Just create user accounts manually. Ensure they are not given admin access.
> Disable User Registration
To disable spam registration, go to your WordPress dashboard, then navigate to Setting > General.
In the General Settings page, scroll down to the Membership option and uncheck the ‘Anyone Can Register’ box.
WordPress has a default registration page URL which looks like this: https://example.com/wp-login.php?action=register
After you disable the registration spam, trying to open the registration page throws the following message:
“User registration is currently not allowed.”
Pro Tip: Don’t forget to delete the fake users already registered on your website. Check their user emails with the help of the following tools: Hunter, VerifyEmailAddress, and Email-Checker. If any of the email addresses are fake, delete them from your site.
That said, if disabling public registration is not an option then consider limiting what users can do on your website.
> Set Proper User Roles
When hackers gain user access to your website, they can do very little if they are limited by their user roles.
In a WordPress website, there are 6 user roles. Each comes with different capabilities. Admins have full control over the site. Editors are allowed to publish posts and carry out a few functions on the website. Contributors and authors can only modify or create posts. Subscribers can only manage their profiles and read all posts and pages. Nothing else.
As long as users registering on your website are not admins (or super admins in a multisite install) and editor, they cannot publish harmful content or initiate malicious functions on your website.
You can read more about user roles from here – WordPress User Roles & Capabilities.
To set user roles to contributors or authors or subscribers go to your WordPress dashboard.
Then navigate to Settings > General. In the general setting page, look for the option New User Default Role.
From the drop-down menu choose contributors or authors or subscribers.
That said, limiting user roles will not prevent spam registrations.
To stop registration spams altogether, you have to:
- Install a firewall
- Implement geo-blocking
- Implement reCAPTCHA-protection
- Enforce email activation
- Change WordPress registration URL
- Enforce multi-factor registration
- Enable honey pot protection
- Enable manual approval
You are probably wondering if you need to implement all the measures. If you did enable all the measures, users will have to jump through several hoops. So that’s not recommended.
Depending on how severely your website is under attack, you will need to implement the measures we just listed.
Say you want to install a CAPTCHA on your registration page. But if you are receiving hundreds of spam registrations within the short span of a week, CAPTCHA alone will be inadequate. You will have to implement some of the other WordPress security measures as well.
1. Install a Firewall
The firewall is your first line of defense against spam.
When enabled, any traffic coming to your website goes through the firewall first.
It’ll check the traffic against its repository of malicious IP addresses. If the firewall identifies any IP address as malicious, it is promptly blocked.
The firewall helps prevent registration spam attacks before it could reach your website.
- It’s automated and does not require manual operations.
- Offers round-the-clock protection.
- May offer traffic details that are helpful for securing your site further.
- Can fail to recognize & block some malicious traffic.
- May accidentally block legitimate traffic.
How To Implement
You can use a firewall like MalCare. All you need to do is sign up and install the plugin on your site. The firewall will be enabled automatically.
MalCare offers more than round the clock protection. You can find information about the traffic that was blocked which includes the country of origin, URL the hackers were trying to access, their IP address, etc.
Such information is useful for hardening the security of your website further. For instance, if you are receiving too many bad traffic requests from a specific country, you can block the entire country.
2. Implement Geo-Blocking
Geo-blocking refers to blocking the entire country from accessing your website.
This will prevent both malicious as well as legitimate traffic from the country you blocked.
So you need to ensure that the traffic from that particular country is not valuable to you.
- Significantly reduces malicious registration spam.
- Blocks legitimate traffic.
- Hackers can still use a VPN and access your site.
How To Implement
There are plugins that can help you implement geoblocking, but if you are using MalCare’s firewall, you can look at the traffic log to find out where most of the blocked traffic originates.
Then you can also utilize MalCare geo-blocking to block that country. Here’s a guide that’ll help you achieve that – How to Implement Geo-Blocking?
3. Implement reCAPTCHA Protection
Hackers design bots to carry out spam user registrations.
reCAPTCHA is a test used to tell humans and bots apart.
At first, these tests were text-based. Bots evolved and were soon able to solve them. Now it’s common to see a reCAPTCHA where you need to check a box to confirm you are not human. Then you are served a few images to choose from.
Bots are unable to see images and therefore are unable to solve reCAPTCHAs.
Adding reCAPTCHA protection to the registration form will fend off bots trying to register on your site.
- User records are not created in the database unless the challenge is passed.
- You need Google’s help to set up reCAPTCHA. If Google decides to stop the service, you’ll need to look for new ways to prevent registration spams.
How to Implement
1. Download and install Invisible reCaptcha for WordPress on your website.
2. Then open this URL – https://www.google.com/recaptcha/intro/invisible.html?ref=producthunt and log into your Google account.
3. Register your site.
4. Google will give you a Site Key and a Secret Key. Copy them.
5. Go to your WordPress dashboard and navigate to Setting > Invisible reCAPTCHA and enter the keys.
6. Next, from the same page, go to WordPress, and select Enable Registration From Protection.
That’s it, folks.
4. Enable Honey Pot Protection
Honey Pot is an ingenious way of protecting the registration form.
Bots are designed to fill all the fields on a form.
In this method, some fields in the form cannot be filled because they are invisible to the user.
Unlike humans, bots fill the fields by reading the source code of the page. So they end up filling the invisible fields.
Using the honey pot protection method you can easily identify bots and promptly block them.
- The most effective way of identifying and blocking spambots.
- Cannot stop hackers who are manually registering on your site.
- Blocks screen reading software that auto-fills forms.
- Blocks users with vision impairments.
How to Implement
Some custom forms like Formidable Forms and website builders like Elementor come with built-in options for Honeypot. But you need to be a premium subscriber to access them. However, there are dedicated plugins like Clean Login that’ll help you enable honeypot.
1. Download and install Clean Login into your WordPress website. Honeypot protection will be enabled by default.
5. Enforce Email Activation
After jumping so many hoops, if someone manages to come so far to register, then that’s a good sign. The user is most likely not a bot. But it can still be a hacker.
The email verification method consists of sending users a link in the email address they used to register. Opening the link will activate the user account.
If it’s a fake email address, they can’t activate the account. The account will be placed on pending mode which you can manually delete.
- Verifies whether the email address exists.
- Emails can land in the spam folder and can go unseen.
- User registrations are stored in the database even if not activated.
How to Implement
There are many plugins that’ll enable you to enforce email verifications. Some are dedicated form plugins to like Gravity Forms and Formidable Forms but they usually support registration features in the premium version.
If you are already using a custom form plugin, then it probably offers email verifications.
Alternately, you can use plugins designed specifically for email verifications like User Verification.
1. Download and activate the User Verification plugin.
2. On your WordPress dashboard, go to User > User Verification.
3. In the User Verification Settings page, there is an option called Enable email verification. Select Yes to enforce email verification.
You can use the User Verification plugin to enforce reCAPTCHA as well.
6. Change WordPress Registration URL
Another security measure that you can take is to change the URL of your registration page.
The default WordPress registration page is located at https://example.com/wp-login.php?action=register
Hackers program bots to look for this link. So an affecting way of preventing bots from registering is to move the page to a custom URL.
The registration page is a part of your login page. Changing the login URL will let you change the registration page.
- Prevents hackers and bots from finding the registration page.
- Legitimate visitors won’t be able to find the registration page if they tried opening the URL directly. It’ll discourage them from registering.
How to Implement
1. Download and activate the WPS Hide Login page.
2. Go to your WordPress registration and navigate to Settings > WPS Hide Login.
3. In the Login URL option, enter the new URL. Ensure that it’s something unique that no one can guess.
Say if your new URL is https://example.com/nowornever
The new registration page will be located at https://example.com/nowornever?action=register
4. In the Redirection URL, enter an error like 404 or 503.
7. Enforce Multi-factor Registration
Implementing multi-factor registration offers a second layer of protection. For instance, if you have CAPTCHA installed on the form, you can have the user validate via an SMS or app as well.
This means users will have to use their smartphones to register.
It’ll stop bots on their tracks. And if hackers are trying to register manually, they can register only one account with one phone number. This will slow down their spam registrations activities.
- User records are not created in the database unless they register.
- Too many steps to register.
- Users may be skeptical about sharing phone numbers.
How to Implement
1. Download and activate the MiniOrange OTP Verification plugin on your website.
2. On your WordPress dashboard, navigate to OTP Verification.
3. Register with MiniOrange.
4. Go to Forms and select WordPress Default Registration Forms.
5. Next, check the box right beside WordPress Default / TML Registration Form. A drop down will appear. Select Enable Phone Verifications > Do not allow users to use the same phone number for multiple accounts.
Don’t forget to select Save Settings.
That’s it. Users will have to use their phone number to register.
8. Enable Manual Approval
You can manually approve the users who are registering on your WordPress website. There is no default option that enables you to do this. But with the help of a plugin, you can enable admin approval.
When someone registers on your site, they will be shown a message saying that they need to wait for approval from the admin.
The Admin is then notified about the new signup.
- Users who’ve managed to get past other measures can be blocked with manual approval.
- It’s time consuming and tedious work.
- For websites receiving dozens of registrations on a weekly basis, it’s impossible to manually approve so many registrations.
How to Implement
1. Download and activate the New User Approve plugin. The plugin will start working right away. Anyone registering on your website will have to wait for manual approval.
2. To manually approve new users, you need to go to Users > Unapproved.
What Do Hackers Gain From WordPress Registration Spams
You hear about terrorist groups hacking US government websites and celebrity phones being invaded.
It’s hard to think about what hackers can possibly gain by hacking your site.
There are a number of reasons hackers will attack your website even if they know nothing about you nor about what you stand for.
It is not personal, it’s business.
Hackers are interested in gaining user access to your website to carry out the following operations:
- Peddle fake pills, porn, scams, and malware for revenue.
- Build backlinks to their own websites or client sites.
- Ruin your SEO efforts.
- Steal user information like email addresses, credit card information, and medical records.
- Store illegal pirated movies, TV shows, and software.
That said gaining user access to your website alone will not enable hackers to carry off these operations.
They need to have admin access to carry out some of the operations like storing files. For other malicious operations like ruining your SEO effort, they just need editor access.
Access to our website coupled with vulnerabilities in the plugin and themes can lead to major security breaches. For instance, in the past Contact Form 7 vulnerability allowed subscribers to gain admin access.
- Once they gain higher access, they can redirect your visitors to malicious websites.
- They can publish a post with spammy Japanese keywords to run your SEO.
- They can spam your pages with names of illegal drugs in what we call the pharma hack.
Even users with limited access like an editor can moderate comments. They can approve malicious comments which will compromise your database. To learn more check out this WordPress SQL Injection post we’ve put together.
Needless to say, the impact of such a hack on your website will be ugly.
Impact of WordPress Registration Spams On Your Website
Hackers try to access your website either to utilize your resources or cause chaos. Here’s how they harm your website:
- User registrations are stored in the database. Hundreds of registration spams can bulk up your database which will make your website slow.
- Your search engine rankings can be affected if users are posting spammy content and redirecting visitors to different sites.
- Speaking of redirection, your visitors are being sent to websites selling illegal drugs, and adult sites. In some cases, they are forced to download software onto their local computer. This is bad for your reputation.
- If they gain access to information from other users like credit card details and medical records, they can sell it online and you will be held liable for a data breach.
- When hosting services and search engines find out that your site is hacked, they suspend your site, mark it as deceptive and blacklist it respectively.
- Cleaning a hacked website will be an expensive affair.
Clearly WordPress new user registration spams should not be taken lightly.
With the help of our guide, we are confident that you’ll be able to prevent WordPress user registration spams.
But blocking registrations spams alone will not prevent hackers from trying to break into your website.
To ensure the complete security of your website, you need to install a WordPress security plugin like MalCare. It’ll place a firewall between your website and the incoming traffic. It will protect your login page from brute force attacks.
It’ll scan your website on a daily basis and help you clean your website instantly if it’s hacked.
You can take site hardening measures and backups for WordPress websites.
Try Our MalCare Security Plugin!
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.