Stop spam user registration

9+ Simple Tricks to Eliminate Spam User Registration (2022)

Do you want to stop spam registrations in WordPress?

Spam accounts can be a security risk for your website. It’s also annoying to have tons of junk accounts cluttering up your database.

In this article, we’ll show you how to stop these spambots from creating user accounts in WordPress.

Create Your User Registration Form Now

Why Do Spammers Register on My Site?

When spammers attack a WordPress site, they’re typically looking to spread even more spam. By creating an account, they potentially have a ‘way in’ to your site.

If there’s a vulnerability in a plugin and you don’t update it, it could be easier for the spammer to exploit that if they can already log in to your dashboard.

WPForms is the best WordPress Form Builder plugin. Get it for free!

Most spambots are just scripts that access example.com/wp-login.php?action=register to create fake accounts. So it’s easy to stop them using the same tools you use to stop contact form spam.

We’ll show you some ways to stop these spambots in their tracks by limiting access to your site and your login page.

How to Eliminate Spam User Registration in WordPress

1. Disable User Registrations in WordPress

Do you need to allow people to register accounts on your WordPress site?

You’ll definitely need to allow user registrations if you’ve started an online store or a membership site.

But if you have a personal blog or a business site, you probably don’t need to allow registration. If you already set up all the logins you need, it makes sense to disable registration completely.

To do that, open up the WordPress dashboard and click Settings » General.

General settings in WordPress

Find the Membership setting and uncheck Anyone Can Register.

Turn off user registrations in WordPress

And that’s it! It’s the easiest way to make sure that no one can create spam user registrations on your site. But it’s best for blogs that are completely closed to new users.

Here’s a tip: if you have a multi-author blog, you could disable user registrations and install the WPForms Post Submissions addon. It lets people contribute guest posts without logging in to your site.

Post Submissions addon

Do you need to leave registration turned on? Let’s look at some more options.

2. Set the Default User Role in WordPress

If you want to leave user registration enabled in WordPress, it’s super important that you never give new members access to your WordPress dashboard.

We always recommend giving new users the Subscriber role. Subscribers have very few permissions in WordPress, so it’s the safest option for new users.

For example, Subscribers can’t access the WordPress Dashboard at all.

To check which role your site assigns when new users register, open up the WordPress dashboard and click Settings » General.

General settings in WordPress

Now look for the dropdown labeled New User Default Role and change it to Subscriber.

Change the new user default role in WordPress to stop spam user registrations

If you’re using a custom user registration form in WPForms, you can control the setting in the User Registration settings panel too.

Set the default role to Subscriber in a custom user registration form

Not sure how to make your own user registration form? We’ll talk about that next.

3. Make a Custom User Registration Form

The default WordPress user registration form is super basic. If you want more control over account creation, you can make a custom user registration form.

WPForms has a User Registration addon that makes it easy to create your own custom forms for:

  • User registration
  • WordPress login
  • Password resets

You can install the addon in the Pro version or higher.

User registration addon

The user registration addon lets you make a much better WordPress registration form compared to the default. You can:

  • Add custom user meta fields to get more information about your users when they sign up
  • Let users register on any form on your site
  • Automatically log in users after registration
  • Hide forms for logged in users
  • Add hCaptcha or other spam prevention methods to stop bots creating user accounts
  • Easily customize the emails that are sent when users register or forget their password.

When you install the addon, you’ll also get 3 pre-made templates for all of these features, making it easy to get started fast.

User registration addon form templates

If you create a custom user registration form, you’ll also want to check out our easy guide to creating a custom login page in WordPress.

4. Turn on Email Activation for User Registration

If you want to stop spam user registrations in WordPress, you can turn on email activation for new user accounts. This won’t stop bots from spamming your forms, but it does mean they won’t be able to log in until they manually confirm the request.

The WPForms User Registration form can automatically send out a link for every new account that’s created on your WordPress website. Real users can just click the link to complete signup.

This is optional, so you can turn activation on or off in your form settings.

enable user activation

Spam user registrations are typically created by bots. So by adding this extra step, you’ll improve your site security. The new registrant will need to click that confirmation link to complete the account setup process.

5. Turn on Administrator Approval for New User Registration

If you’d like an even more secure method of user registration, you can opt for Manual Approval.

This will prompt the site admin to review each user registration request before the new user can log in to their account.  You’ll receive an email notification for each request, and you’ll have the option to approve or deny the new member.

To turn on admin approval, go to Settings » User Registration.

On the right-hand side, scroll down to the User Activation Method and select Manual Approval from the dropdown.

Requiring manual approval for new users

Now you can review every new user that registers on your site to filter out the spammy registrations.

6. Add a CAPTCHA Field to Your User Registration Form

You can also use a CAPTCHA field to stop spam user registrations. This boosts the security of the form token we already turned on.

A CAPTCHA is a challenge or puzzle that the user has to solve to submit a form.

WPForms supports 3 different types of CAPTCHA for your forms:

After activating one of the templates, it’s easy to add reCAPTCHA to prevent spammers from using it. As always, WPForms makes it easy to add reCAPTCHA without writing code.

Here’s how the password reset form template looks after dragging a reCAPTCHA field onto it:

Password reset form with reCAPTCHA

If you prefer, you can use hCaptcha on your user registration, login, or password reset forms instead of the Google version.

Select hCaptcha in WPForms

7. Use Geolocation to Reduce Spam User Registrations

Geolocation plugins automatically detect the user’s location to control the content they can access in WordPress.

You can use a plugin like this to block access to your WordPress registration page or dashboard.

For example, the CloudGuard plugin lets you limit logins from certain countries with geolocation. You can whitelist your own country and then block every other country from reaching your registration page.

Stop spam user registrations using geolocation

Keep in mind that some users may need to access your site to log in. For example, if you have a WooCommerce store, this solution might not work for you because customers in blocked countries won’t be able to access their accounts.

Check out our guide to the best WordPress geolocation plugins to see some more great recommendations.

8. Install a WordPress Security Plugin

WordPress is pretty secure, but you can harden it further by using a good WordPress security plugin.

Many of these plugins keep track of spammy or malicious IP addresses in their own database, so you can use them for spam prevention as well as security.

When you install the plugin on your site, it checks every visitor’s IP against its database. If it sees a match, it refuses access. That will stop the spammer from registering a user account.

Here’s an example of how many spammy visitors the WordFence firewall blocked on our test site:

WordPress firewall to stop spam visitors

Wordfence can also email you when it detects spammy login attempts so you can easily keep an eye on your website security. If you’re not getting security reports from Wordfence, this guide on how to fix Wordfence not sending email will help you to fix the issue.

You can also stop spammers by adding a puzzle that prevents bots from accessing your forms. For example, some security plugins let you add a CAPTCHA to the default user registration page.

Learn more in this WPBeginner article on how Sucuri helped block 450,000 WordPress attacks in 3 months.

To check out some options, read our guide to the best WordPress security plugins for website protection.

9. Manually Block Spam IP Addresses

With WPForms, you can use a smart tag to get the IP address of your visitor with every form submission.

Once you know the IP address of a spam registration you can block that address from accessing your site at all.

To track the IP Addresses on any form submission, go to Settings » Notifications.

Accessing a form's notifications settings

Next to the Message field, click Show Smart Tags and click on User IP Address.

WPForms user IP address smart tag

When you receive your next email notification, you’ll see what the user’s IP address is. You can decide whether to approve that user or block their IP so they cant return.

To learn how, check out this tutorial on how to block IP addresses in WordPress.

Bonus: Connect Your Forms to Akismet

Akismet is an anti-spam plugin that can recognize and block fake submissions automatically. If you have the Akismet plugin set up on your WordPress site, you can easily connect it to your forms to block suspicious entries.

Just open the form you want to protect and go to Settings » Spam Protection and Security. Then toggle on the Enable Akismet anti-spam protection setting.

Enabling Akismet protection for a form

See our guide to filtering contact form spam or our documentation on using Akismet with WPForms for more details.

Create Your User Registration Form Now

Next, Check and Update WordPress Plugins

If your WordPress site isn’t regularly maintained, you could open it up to more spam. Scammers typically look for old plugins and out of date versions of WordPress as a way to break in to your site.

It’s important to update your plugins too.

Now’s a great time to check that:

Ready to build your user registration form? Get started today with the easiest WordPress form builder plugin. WPForms Pro includes the User Registration addon and offers a 14-day money-back guarantee.

If this article helped you out, please follow us on Facebook and Twitter for more free WordPress tutorials and guides.

Using WordPress and want to get WPForms for free?

Enter the URL to your WordPress website to install.

Comments

  1. If a user does not complete payment, they are still created as a user in the database and can still log in and access protected content – how can I prevent this from happening?

    1. Hi Zihan! Our User Registration addon is an extension of the default WordPress User system, and you can set it so that new users are not immediately active. By setting the User Activation Method to Manual Approval, those newly created users aren’t active on your site until you’ve had a chance to review payments and then activate the user.

      More details about this can be found in this article.

      I hope this helps to clarify 🙂 If you have any further questions about this, please contact us if you have an active subscription. If you do not, don’t hesitate to drop us some questions in our support forums.

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.