WPForms Blog

WordPress Tutorials, Tips, and Resources to Help Grow Your Business

eliminate spam user registrations

10 Simple Tricks to Eliminate Spam User Registration

Last updated on Apr 5, 2017 by Courtney Robertson

Are you getting hit with notifications of spammy accounts being created on your WordPress website? Take action now to stop spam in its tracks. In this article, we’ll show you 10 simple tricks to eliminate spam user registration.

Stop Spam Registrations in WordPress

Did you know that malicious computer programs called “spambots” search the internet looking for vulnerable websites? One method they have of forcing themselves into your site is by creating spammy user accounts.

By default, WordPress websites allow for user registrations from a specific link: yoursite.com/wp-login.php?action=register.

These spambots are programmed to go looking for that link to register fake users.

To protect your site and stop spammer registrations in WordPress, you can use the simple tricks below.

Note: You don’t need to do ALL of the methods listed here. Instead, just pick the ones that work for you and your site.

1. Set the Default User Role in WordPress

The first way you can protect your website is to change the default settings for new account registrations.

To do that, you can go to Settings » General.  Here you can uncheck the Membership box to make sure that no one can register on your site.

What if you want to allow real visitors to register, though? For example, you might want to require new readers to register for an account before they comment on your blog posts.

In that case, we recommend using the Subscriber role as the default role for new members. It’s more secure than other roles because it doesn’t allow access to the WordPress Admin Dashboard.

To set that up, you’ll need to enable the Anyone can register checkbox and set the default role to subscriber.

stop spam registrations by securing WordPress accounts to the subscriber user role or not allowing registration

For more detailed info on your different options here, you can check out our guide on WordPress user roles and permissions.

2. User Registration Form

If you’re going to allow users to register on your site, it’s smart to create a custom user registration form.

You can use the WPForms User Registration Addon to create a more secure form than the default WordPress user registration form, thanks to WPForms’ built-in form security features.

The first thing you need to do is install and activate the WPForms plugin. Here’s a step by step guide on how to install a WordPress plugin.

Once you have installed WPForms, go to WPForms » Addons and find the User Registration Addon. To access this addon, you must have the Pro license plan.

Next, see our tutorial on How to Create a User Registration Form in WordPress to create a form.

3. Email Activation for User Registration

User Email Activation is an optional security measure is available within the WPForms User Registration addon.

When you require a user to click a confirmation link in their email, spambots are less likely to get through this security step.

Let’s go turn that on now.

Go to Settings »  User Registration.  On the right-hand preview panel, scroll down to the User Activation Method and select User Email.

That’s it! Don’t forget to save your changes.

stop spam registration by requiring user activation by email

4. Administrator Approval for New Users

If you’d like an even more secure method of user registration, you can opt for Manual Approval.

This approval method will require you to review each user registration request before the new user can join your website.  You’ll receive an email notice for each request, and the option to approve or deny the new member.

To activate this method, go to Settings »  User Registration. On the right-hand preview panel, scroll down to the User Activation Method and select Manual Approval.

stop spammers with a user registrations plugin with manual approval

5. CAPTCHA

Another way to stop spam user registrations is to use a CAPTCHA field.

CAPTCHA is a test question that the user must answer in order to submit the form. Sometimes this can be blurry text from an image that they must reenter, a checkbox, or a simple question.

We have created our CAPTCHA field to prompt users for a simple math problem, or to use custom questions.

To set this up on your forms, first you need to activate the Custom CAPTCHA addon. Then a new Fancy Field called “CAPTCHA” will be added to the Form Builder. Simply drag & drop this field in your form.

user registration spam protection in WordPress with captcha

By default, it will show random math questions. However, when you click to edit the CAPTCHA form field it will allow you to choose between the math option or the Question and Answer option. If you select Question and Answer, you can enter your own custom question.

WordPress anti spam technique question answer captcha

Once you’re done configuring the CAPTCHA field, simply save your form. Now users must answer your CAPTCHA question correctly in order for the form to submit.

6. reCAPTCHA

CAPTCHA is an effective way to block spambots, but it can also be annoying for your real users.

Instead of using the custom CAPTCHA option we just mentioned, you can use the reCAPTCHA tool Google created.

The advantage of using reCAPTCHA is that users only need to click a checkbox, instead of having to solve math problems or answer questions. This can improve your form conversions by giving your users less work to do.

recaptcha spam protection wordpress

To activate reCAPTCHA on your form, you can go to WPForms » Addons and find the reCAPTCHA Addon.

Then edit your form and go to Settings » General. Take a look on the right-hand preview panel near the bottom of the screen and check Enable reCAPTCHA.

stop spam registrations in WordPress with honeypot and recaptcha user form registration

7. Honeypot Anti-Spam

Would you rather avoid giving users a CAPTCHA field entirely? In that case, you can use the Honeypot option.

Honeypots are great because they don’t bother users like a CAPTCHA. In fact, they’re completely invisible to your real users.

Basically, a honeypot is a hidden field in your form that’s meant to stay blank. But spambots will see it, and automatically fill it out.

When the honeypot field is filled in, we can reject the form as spam.

user registration form with honeypot spam prevention

WPForms has an anti-spam honeypot feature built in, and it’s enabled on your forms by default. You can find the option under Settings » General when editing your form.

At the bottom of the the right-hand preview panel, you’ll see that Enable anti-spam honeypot is selected by default.

stop spam registrations in WordPress with honeypot and recaptcha user form registration

8. Stop Spammer Registrations

Another step you can take to stop spammer registrations is to use the Stop Spammers Spam Prevention WordPress plugin.

The plugin uses a number of spam prevention techniques, including checking Akismet for known spamming activity to proactively block spammers. The plugin also maintains a list of bad hosts known for tolerating spam activity and blocks them.

Once you’ve activated the plugin, you can go to Stop Spammers » Protection options.

The default settings on this page will work for most websites. However, you can uncheck a few of them if you find that your legitimate users are unable to login.

stop spammers registration plugin protection option

There is a small chance that this plugin could lock you out of your site’s admin area. If this happens, the simplest solution is to connect to your site through FTP and rename the plugin file from stop-spammer-registrations.php to stop-spammer-registrations.locked.

WordPress will automatically deactivate the plugin for you, and you can now access the admin area of your site.

9. IP Address Blocking

Did you know that each computer on the internet can be identified with a unique number known an IP Address?  When you discover which IP Address is sending spam to your site, you can block that address from accessing your site entirely.

To track the IP Addresses that are using your form, go to Settings » Notifications within the form editor.

Next to the Message field, click Show Smart Tags and click on User IP Address.

block WordPress spam registrations with IP blocking

When you receive your next email notification, you’ll see what the user’s IP Address is.

Want to block that IP address from accessing your site?

One way to do this is to go to your web hosting company and ask for support in blocking them. Another way to block an address is to use a security plugin such as Sucuri to blacklist the IP Address.

10. Sucuri

Sucuri stops spam registrations

Sucuri is a website security company that specializes in WordPress security. They protect your website from hackers, malware, DDoS and blacklists.

When you enable Sucuri, all your site traffic goes through their CloudProxy firewall before coming to your hosting server. This allows them to block all the attacks and only send you legitimate visitors.

On top of the increased security, the firewall also makes your website faster, and you may even be able to save money on your hosting bill because your server load will go down significantly.

Learn more about Sucuri’s benefits in our review: How Sucuri Helped Us Block 450,000 WordPress Attacks in 3 Months.

Good work! You now know how to stop spam registrations in WordPress.

Do you want some great tips on how to discover more information about your customers? You might also want to check out our guide on clever web form hacks to unlock hidden customer data.

What are you waiting for? Get started with the most powerful WordPress forms plugin today.

If you like this article, then please follow us on Facebook and Twitter for more free WordPress tutorials.

Comments

  1. Thanks for reading this article – I hope you found it helpful.

    I wanted to let you know about our new WordPress survey plugin that allows you to build interactive polls and surveys within minutes. You also get best-in-class reporting, so you can make data-driven decisions.

    You can get it 100% free when you purchase WPForms Pro plan.

    Get Started with WPForms Today and see why over 1 million websites choose WPForms as their preferred online form builder.

    Syed Balkhi
    CEO of WPForms

  2. How do I use reCAPTCHA on my user registrations? I’m not creating/adding a new WP Form. I just want reCAPTCHA to work where users normally register on my WordPress site. Thanks!

    1. Hi Peter,

      WPBeginner has a helpful article about how to include reCAPTCHA in a regular WordPress registration form. We can’t provide support for this since it’s not for our forms, but hopefully that gets you on the right track!

      Have a good one 🙂

  3. Hi,

    Is it recommended to go with Membership filed on for “Anyone can register” and Role as “Subscriber” because I get lost of registrations for my website and I’m little curious. I’m not sure all of them are real Subscribers, is there any problem my subscribing to my website (http://www.askeygeek.com)? Please check and advise.

    1. Hi Anson,

      It sounds like you’re probably getting spam subscribers, and so I’d suggest you follow some of the additional tips outlined in this article to prevent this.

      If you’re using WordPress’s default user registration form, ‘Anyone can register’ must be checked and, as mentioned in the article, subscriber is the safest default role. This is because subscribers have very low permission levels within WordPress, and so can access very little of your site’s backend.

      That being said, any of the other steps (most of which revolve around using our User Registration addon) would provide additional ways to prevent spam registrations 🙂

    1. Hi Rak,

      We don’t currently have any built-in functionality like this for our forms, but that’s an interesting idea and I’ll make a note of it. Thanks for the suggestion 🙂

    1. Hi Maurice,

      Sure, most of the options shared above can be accomplished without any additional plugin — or even adding any code. Unless you experience an especially heavy amount of spam on your site, simply using our honeypot and reCAPTCHA (integration is built into WPForms) is usually plenty for any form. As an extra precaution for user registration, though, I’d recommend considering #1-4 above (all come built into WordPress/WPForms).

      I hope this helps! If you have any other questions about our user registration addon, please feel welcome to get in touch 🙂

  4. Hi there

    I keep getting emails from WordPress New User Registration and I think all these registrations happen by entering website.com/wp-admin or similar, instead of registering at the website. Because who registers at the website’s registration form I receive different email with my username and users get added to aweber account as I use their service. How do I block the registration at website.com/wp-admin, i think these are all fake registrations who register through domain. Thanks

    1. Hi Martin,

      I’d recommend a couple of options to prevent this from happening:

      1) Set up a redirect so that everyone must register through your form (check out the “Redirect Users to the Custom Registration Page” section of our tutorial for instructions).

      2) Check out our guide on eliminating spam user registrations. It sounds like #8 “Stop Spammer Registrations” would be especially helpful for what you’re seeing.

      I hope this helps! If you have any additional questions, please get in touch with our support team and we’ll be happy to assist further 🙂

  5. Hi Jess,

    it really helped at least to block that default registration URL:

    [URL removed]/wp-login?action=register

    See, it doesn’t find that page anymore, at least some progress.

    I simply added this code into my functions.php

    // Redirect Registration Page
    function my_registration_page_redirect(){
        global $pagenow;
        if ( ( strtolower($pagenow) == 'wp-login.php') && ( strtolower( $_GET['action']) == 'register' ) ) {
            wp_redirect( home_url('/registration-url'));
        }
    }
    
    add_filter( 'init', 'my_registration_page_redirect' );
    

    Now my question is: how do i redirect that default registration url
    to my registration url at: [URL removed]/index.php?/register/ILwx79

    I tired copying it in after wp_redirect instead of ‘/registration-url) didn’t work
    and inside add_filter., where it says my_registration_page_redirect, but no luck.

    Any thoughts? Thanks.

    1. Hi Martin,

      We’d be happy to help! When you get a chance, please drop us a line in support so we can assist.

      If you have a access to our User Registration addon, you have a paid license and so also have access to our email support, so please submit a support ticket. We’ll be able to help further from there.

      Thanks 🙂

  6. My users must have a user name that conforms to a radio license. How can I add checking of the name format and automatically delete those that do not conform to the format? I have reCapture and administrator approval enabled (although reCapture does not seem to work my android phone?). Typically I get 1 real registration for 150 spam registrations so it is an on going problem
    Thanks

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.