Stop spam user registration

10 Simple Tricks to Eliminate Fake User Registration (2025)

Getting flooded with fake user registrations is a serious security risk that can slow down your site and create a mess in your user database. 

I’ve dealt with this issue countless times, and it’s frustrating to see spambots creating dozens of fake accounts every day. The good news is that you don’t need to be a security expert to stop these fake registrations.

In this guide, I’ll share nine battle-tested tricks that will help you eliminate fake user registrations on your WordPress site. These are the same strategies I’ve used to reduce spam registrations by up to 99% in most cases!

Create Your Spam Free Registration Form Now! 🙂

How to Eliminate Fake User Registration in WordPress

1. Disable User Registrations in WordPress

If you want to combat fake signups on your site, you should first ask yourself, “Do I need people to be able to create a user account on my site at all?”

You’ll definitely need to allow user registrations if you’ve started an online store or a membership site. But if you have a personal blog or a business site, you probably don’t need to allow registration.

If you have already set up all the logins you need, it makes sense to disable registration completely. To do that, open the WordPress dashboard and click Settings » General.

General settings in WordPress

Find the Membership setting and uncheck Anyone Can Register. Then, click the Save Changes button at the bottom of the page.

Turn off user registrations in WordPress

Of course, if you later need to add new users, you can still do it manually through WordPress » Users » Add New. This gives you complete control over who gets an account on your site.

Pro Tip:

If you have a multi-author blog, you could disable user registrations and install the WPForms Post Submissions addon. It lets people contribute guest posts without logging in to your site.

Post Submissions addon

Do you need to leave registration turned on? Let’s look at some more options.

2. Impose Account Restrictions in WordPress

If you need to keep user registrations open but want better control, setting up smart account restrictions is your next best defense. 

I always recommend giving new users the Subscriber role. Subscribers have few permissions in WordPress, so they can’t gain access to any critical areas of your website.

For example, Subscribers can’t access the WordPress dashboard at all. To check which role your site assigns when new users register, open the WordPress dashboard and click Settings » General.

General settings in WordPress

Now, look for the dropdown labeled New User Default Role and change it to Subscriber. Then, restrict access to certain content until the account is a certain age.

Change the new user default role in WordPress to stop spam user registrations

If you’re using a custom user registration form in WPForms, you can control the settings in the User Registration settings panel like setting up conditional logic for registration approval

Set the default role to Subscriber in a custom user registration form

Not sure how to make your own user registration form? I’ll talk about that next.

3. Make a Custom User Registration Form

The default WordPress user registration form is super basic. If you want more control over account creation, you can make a custom user registration form.

WPForms has a User Registration Addon that makes it easy to create your own custom forms for user registration, WordPress login, and even password resets.

You can install the addon in the Pro version or higher to build a form that includes custom fields to gather relevant user information, smart anti-spam features, form validation rules, and more.

User registration addon

With WPForms, you can control the registration and login behavior of users with much more flexibility with the following options:

  • Add custom user meta fields to get more information about your users when they sign up
  • Let users register on any form on your site
  • Automatically log in users after registration
  • Hide forms for logged in users
  • Stop spambots from abusing your registration forms by adding spam protection methods like captcha and advanced filters
  • Easily customize the emails that are sent when users register or forget their password.

When you install the addon, you’ll also get 3 pre-made templates for all of these features, making it easy to kick off the form creation process quickly.

User registration addon form templates

If you create a custom user registration form, you’ll also want to check out our easy guide to creating a custom login page in WordPress.

The beauty of a custom form is that you can make it as simple or complex as needed. I’ve seen sites reduce spam registrations by up to 95% just by replacing their default WordPress registration form.

Kacie Cooper, Writer at WPForms

“💡 Pro Tip: Add a few strategic custom fields that only real users would know how to fill out correctly. For example, if you run a photography site, you might ask users to name their camera model. Bots typically struggle with these specific, industry-related questions.”

-Kacie Cooper, Writer at WPForms

4. Turn on Email Activation for User Registration

If you want to stop fake user registrations in WordPress, you can turn on email activation for new user accounts. This won’t stop bots from spamming your forms, but it does mean they won’t be able to log in until they manually confirm the request.

The WPForms User Registration form can automatically send out a link for every new account that’s created on your WordPress website. Real users can just click the link inside the email to complete the signup.

To do this, edit your registration form, go to Settings » User Registration. From here, you can turn activation on or off in your form settings, depending on your needs.

enable user activation

Also, set up an automated cleanup process to delete unverified accounts after a certain period (like 48 hours). This keeps your user database clean and prevents it from getting cluttered with pending fake registrations.

5. Turn on Administrator Approval for New User Registration

If you’d like an even more secure method of user registration, you can opt for Manual Approval. This will prompt the site admin to review each user registration request before the new user can log in to their account.  

You’ll receive an email notification for each request, and you’ll have the option to approve or deny the new member. To turn on admin approval, go to Settings » User Registration.

On the right-hand side, scroll down to the User Activation Method and select Manual Approval from the dropdown.

Requiring manual approval for new users

Now you can review every new user that registers on your site to filter out the spammy registrations. While this method requires more hands-on management, it offers much more control.

Kacie Cooper, Writer at WPForms

“💡 Pro Tip: Create a checklist of red flags to look for when reviewing registrations. Common signs of fake accounts include generic usernames, suspicious email patterns, and incomplete profile information. This makes the review process quicker and more consistent.”

-Kacie Cooper, Writer at WPForms

6. Add a CAPTCHA Field to Your User Registration Form

You can also use a CAPTCHA field to stop spam user registrations. A CAPTCHA is a challenge or puzzle that the user has to solve to submit a form.

WPForms includes built-in spam protection, plus:

After activating one of the templates, it’s easy to add reCAPTCHA to prevent spammers from using it. As always, WPForms makes it easy to add reCAPTCHA without writing code.

Password reset form with reCAPTCHA

If you prefer, you can use hCaptcha or Cloudflare Turnstile on your user registration, login, or password reset forms instead of the Google version.

WPForms Captcha settings

While no single solution is perfect, CAPTCHA remains one of the most effective first lines of defense against automated spam registrations.

7. Use Country Filter to Reduce Spam User Registrations

Aside from the captcha methods, WPForms also includes powerful restrictions like the country filter. This can prove incredibly useful, especially if you’ve noticed patterns in fake registrations coming from specific countries.

Similarly, if it only makes sense for you to accept user registrations from a specific country, you can use a country filter to restrict submissions from certain countries.

You can find the country filter settings by navigating to Settings » Spam Protection and Security from the WPForms form builder.

If the form is submitted by a spambot or user with an IP address matching a country you want to block, the user registration form simply won’t submit.

You can also use other geolocation plugins to block access to your WordPress registration page or dashboard. For example, the CloudGuard plugin lets you limit logins from certain countries with geolocation.

Stop spam user registrations using geolocation

You can whitelist your own country and then block every other country from reaching your registration page. Keep in mind that some users may need to access your site to log in.

For example, if you have a WooCommerce store, this solution might not work for you because customers in blocked countries won’t be able to access their accounts.

8. Install a WordPress Security Plugin

WordPress is pretty secure, but you can harden it further by using a good WordPress security plugin.

Many of these plugins keep track of spammy or malicious IP addresses in their own database, so you can use them for spam prevention as well as security.

When you install a plugin like WordFence on your site, it checks every visitor’s IP against its database. If it sees a match, it refuses access. That will stop the spammer from registering a user account.

WordPress firewall to stop spam visitors

Wordfence can also email you when it detects spammy login attempts, so you can easily keep an eye on your website security.

If you’re not getting security reports from Wordfence, this guide on how to fix Wordfence not sending emails will help you to fix the issue.

Learn more in this WPBeginner article on how Sucuri helped block 450,000 WordPress attacks in 3 months. To check out some options, read our guide to the best WordPress security plugins for website protection.

9. Manually Block Spam IP Addresses

With WPForms, you can use a smart tag to get the IP address of your visitor with every form submission.

Once you know the IP address of a spam registration, you can block that address from accessing your site at all. To track the IP Addresses on any form submission, go to Settings » Notifications.

Accessing a form's notifications settings

Next to the Message field, click Show Smart Tags and click on User IP Address.

WPForms user IP address smart tag

When you receive your next email notification, you’ll see what the user’s IP address is. You can decide whether to approve that user or block their IP so they can’t return.

To learn how, check out this tutorial on how to block IP addresses in WordPress.

Kacie Cooper, Writer at WPForms

“💡 Pro Tip: Before blocking an IP address, verify it’s not a shared IP used by legitimate users. Some ISPs and mobile carriers use shared IPs that could affect multiple users if blocked.”

-Kacie Cooper, Writer at WPForms

10. Connect Your Forms to Akismet

Akismet is an anti-spam plugin that can recognize and block fake submissions automatically. If you have the Akismet plugin set up on your WordPress site, you can easily connect it to your forms to block suspicious entries.

Just open the form you want to protect and go to Settings » Spam Protection and Security. Then toggle on the Enable Akismet anti-spam protection setting.

Enabling Akismet protection for a form

See our guide to filtering contact form spam or our documentation on using Akismet with WPForms for more details.

FAQs on Combatting Fake User Registrations

Got more questions about fake user registrations? This is an issue that we receive a lot of queries about from our customers. I’m listing a few of the common questions that might help illuminate this issue more.

Why do spammers register on my site?

When spammers attack a WordPress site, they’re typically looking to spread even more spam. By creating an account, they potentially have a ‘way in’ to your site.

If there’s a vulnerability in a plugin and you don’t update it, it could be easier for the spammer to exploit that if they can already log in to your dashboard.

Most spambots are just scripts that access example.com/wp-login.php?action=register to create fake accounts. So it’s easy to stop them using the same tools you use to stop contact form spam.

What are some signs that I might have fake registrations?

While it’s not always easy to detect fake registrations, there are some common patterns that you can look for:

  • Incomplete or nonsensical information (such as obviously fake addresses and names)
  • Same IP address behind multiple signups
  • Accounts with no further activity beyond signup
  • WooCommerce customers with no orders
  • Multiple accounts using similar usernames, emails, and other biographical information.

How can I balance security with a smooth user experience?

While CAPTCHAs are effective at preventing registration form spam, some versions of captcha can also be annoying because they require users to solve a puzzle or a math sum.

If you want to maintain a smooth user experience, you can use less intrusive spam prevention methods like Cloudflare Turnstile or Akismet. These tools work quietly in the background and block spam based on patterns of user behavior, balancing security with user experience remarkably well.

What should I do if I suspect I have fake registrations?

If you suspect a fake user signup, you can send an email to that user directly with a warning that their account will be deleted unless they perform a certain action to prove they’re a real user. If you don’t receive a response, you can immediately remove their user account from your WordPress site.

How do I stop spam user registrations in WordPress?

To stop spam user registrations in WordPress, you can implement several effective methods. The easiest way is to use WPForms Pro with the User Registration addon, which includes built-in spam protection features.

Add a CAPTCHA field, enable email verification, and use the Geolocation addon to block registrations from suspicious locations.

For maximum protection, combine these methods with a custom registration form that includes additional validation fields.

Can I block fake signups on my WordPress site?

Yes, you can definitely block fake signups on your WordPress site. The most effective approach is to use a combination of security measures:

  • Enable email activation for new registrations
  • Add CAPTCHA verification to your forms
  • Use country filtering to block high-risk locations
  • Install a WordPress security plugin
  • Manually block suspicious IP addresses

These methods working together can block up to 99% of fake signups while still allowing legitimate users to register easily.

Does WordPress block fake registrations by default?

No, WordPress doesn’t block fake registrations by default. The basic WordPress registration system is fairly simple and doesn’t include built-in spam protection features.

That’s why it’s important to add additional security measures like CAPTCHA, email verification, or a form builder plugin like WPForms that includes anti-spam features.

Without these extra protections, your site could be vulnerable to automated bot registrations and spam accounts.

Next, Check and Update WordPress Plugins

If your WordPress site isn’t regularly maintained, you could open it up to more spam. Scammers typically look for old plugins and out-of-date versions of WordPress as a way to break into your site.

It’s important to update your plugins too. Now’s a great time to check that:

Create Your WordPress Form Now

Ready to build your form? Get started today with the easiest WordPress form builder plugin. WPForms Pro includes lots of free templates and offers a 14-day money-back guarantee.

If this article helped you out, please follow us on Facebook and Twitter for more free WordPress tutorials and guides.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPForms is funded, why it matters, and how you can support us.

Claire Broadley

Claire is the Content Manager for the WPForms team. She has 13+ years' experience writing about WordPress and web hosting. Learn More

The Best WordPress Drag and Drop Form Builder Plugin

Easy, Fast, and Secure. Join over 6 million website owners who trust WPForms.

Please enable JavaScript in your browser to complete this form.

6 comments on “10 Simple Tricks to Eliminate Fake User Registration (2025)

  1. If a user does not complete payment, they are still created as a user in the database and can still log in and access protected content – how can I prevent this from happening?

    1. Hi Zihan! Our User Registration addon is an extension of the default WordPress User system, and you can set it so that new users are not immediately active. By setting the User Activation Method to Manual Approval, those newly created users aren’t active on your site until you’ve had a chance to review payments and then activate the user.

      More details about this can be found in this article.

      I hope this helps to clarify 🙂 If you have any further questions about this, please contact us if you have an active subscription. If you do not, don’t hesitate to drop us some questions in our support forums.

  2. I have “allow anyone to register” unchecked, yet I still keep getting spam registrations to delete every few days.

    1. Hey Lori – Sorry to hear about the trouble you are facing here!

      Looks like you have a paid license. Would you mind reaching out to us via Support Channel? and we will be happy to take a closer look.

      Thanks,

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

This form is protected by Cloudflare Turnstile and the Cloudflare Privacy Policy and Terms of Service apply.