WPForms Blog

WordPress Tutorials, Tips, and Resources to Help Grow Your Business

10 Simple Tricks to Eliminate Spam User Registration

by Courtney Robertson on Jan 19, 2017

Are you getting hit with notifications of spammy accounts being created on your WordPress website? Take action now to stop spam in its tracks. In this article, we’ll show you 10 simple tricks to eliminate spam user registration.

Stop Spam Registrations in WordPress

Did you know that malicious computer programs called “spambots” search the internet looking for vulnerable websites? One method they have of forcing themselves into your site is by creating spammy user accounts.

By default, WordPress websites allow for user registrations from a specific link: yoursite.com/wp-login.php?action=register.

These spambots are programmed to go looking for that link to register fake users.

To protect your site and stop spammer registrations in WordPress, you can use the simple tricks below.

Note: You don’t need to do ALL of the methods listed here. Instead, just pick the ones that work for you and your site.

1. Set the Default User Role in WordPress

The first way you can protect your website is to change the default settings for new account registrations.

To do that, you can go to Settings » General.  Here you can uncheck the Membership box to make sure that no one can register on your site.

What if you want to allow real visitors to register, though? For example, you might want to require new readers to register for an account before they comment on your blog posts.

In that case, we recommend using the Subscriber role as the default role for new members. It’s more secure than other roles because it doesn’t allow access to the WordPress Admin Dashboard.

To set that up, you’ll need to enable the Anyone can register checkbox and set the default role to subscriber.

For more detailed info on your different options here, you can check out our guide on WordPress user roles and permissions.

2. User Registration Form

If you’re going to allow users to register on your site, it’s smart to create a custom user registration form.

You can use the WPForms User Registration Addon to create a more secure form than the default WordPress user registration form, thanks to WPForms’ built-in form security features.

The first thing you need to do is install and activate the WPForms plugin. Here’s a step by step guide on how to install a WordPress plugin.

Once you have installed WPForms, go to WPForms » Addons and find the User Registration Addon. To access this addon, you must have the Pro license plan.

Next, see our tutorial on How to Create a User Registration Form in WordPress to create a form.

3. Email Activation for User Registration

User Email Activation is an optional security measure available within the WPForms User Registration addon.

When you require a user to click a confirmation link in their email, spambots are less likely to get through this security step.

Let’s go turn that on now.

Go to Settings »  User Registration.  On the right-hand preview panel, scroll down to the User Activation Method and select User Email.

That’s it! Don’t forget to save your changes.

4. Administrator Approval for New Users

If you’d like an even more secure method of user registration, you can opt for Manual Approval.

This approval method will require you to review each user registration request before the new user can join your website.  You’ll receive an email notice for each request, and the option to approve or deny the new member.

To activate this method, go to Settings »  User Registration. On the right-hand preview panel, scroll down to the User Activation Method and select Manual Approval.

5. CAPTCHA

Another way to stop spam user registrations is to use a CAPTCHA field.

CAPTCHA is a test question that the user must answer in order to submit the form. Sometimes this can be blurry text from an image that they must reenter, a checkbox, or a simple question.

We have created our CAPTCHA field to prompt users for a simple math problem, or to use custom questions.

To set this up on your forms, first you need to activate the Custom CAPTCHA addon. Then a new Fancy Field called “CAPTCHA” will be added to the Form Builder. Simply drag & drop this field in your form.

By default, it will show random math questions. However, when you click to edit the CAPTCHA form field it will allow you to choose between the math option or the Question and Answer option. If you select Question and Answer, you can enter your own custom question.

Once you’re done configuring the CAPTCHA field, simply save your form. Now users must answer your CAPTCHA question correctly in order for the form to submit.

6. reCAPTCHA

CAPTCHA is an effective way to block spambots, but it can also be annoying for your real users.

Instead of using the custom CAPTCHA option we just mentioned, you can use the reCAPTCHA tool Google created.

The advantage of using reCAPTCHA is that users only need to click a checkbox, instead of having to solve math problems or answer questions. This can improve your form conversions by giving your users less work to do.

To activate reCAPTCHA on your form, you can go to WPForms » Addons and find the reCAPTCHA Addon.

Then edit your form and go to Settings » General. Take a look on the right-hand preview panel near the bottom of the screen and check Enable reCAPTCHA.

7. Honeypot Anti-Spam

Would you rather avoid giving users a CAPTCHA field entirely? In that case, you can use the Honeypot option.

Honeypots are great because they don’t bother users like a CAPTCHA. In fact, they’re completely invisible to your real users.

Basically, a honeypot is a hidden field in your form that’s meant to stay blank. But spambots will see it, and automatically fill it out.

When the honeypot field is filled in, we can reject the form as spam.

WPForms has an anti-spam honeypot feature built in, and it’s enabled on your forms by default. You can find the option under Settings » General when editing your form.

At the bottom of the right-hand preview panel, you’ll see that Enable anti-spam honeypot is selected by default.
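The honeypot check described above, applied to WordPress's default registration form (the one at wp-login.php?action=register) rather than a WPForms form. This is an added example, not WPForms' own code: it relies on the WordPress core hooks register_form and registration_errors, and the field name contact_website and the plugin header are made up for illustration.

```php
<?php
/**
 * Plugin Name: Registration Honeypot (added example)
 *
 * Adds a honeypot to the default WordPress registration form
 * (wp-login.php?action=register). The field name below is hypothetical.
 */

const EXAMPLE_HONEYPOT_FIELD = 'contact_website'; // hypothetical decoy name

// Render the decoy input inside the registration form. It is moved off-screen,
// removed from the tab order and hidden from screen readers, so real users
// never reach it; a bot parsing the HTML sees an ordinary text field.
add_action( 'register_form', function () {
    $name = esc_attr( EXAMPLE_HONEYPOT_FIELD );
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true">';
    echo '<label for="' . $name . '">Leave this field empty</label>';
    echo '<input type="text" name="' . $name . '" id="' . $name . '"';
    echo ' value="" tabindex="-1" autocomplete="off" />';
    echo '</p>';
} );

// Check the field on the server before the account is created.
add_filter( 'registration_errors', function ( $errors, $user_login, $user_email ) {
    if ( ! isset( $_POST[ EXAMPLE_HONEYPOT_FIELD ] ) ) {
        return $errors; // field absent: request did not use this form, no verdict
    }

    $raw = wp_unslash( $_POST[ EXAMPLE_HONEYPOT_FIELD ] );

    // Anything other than an empty string (including an array sent as
    // contact_website[]=x) means the hidden field was filled in.
    if ( ! is_string( $raw ) || '' !== trim( $raw ) ) {
        // Keep the message generic so the response does not reveal the check.
        $errors->add( 'registration_blocked', 'Registration could not be completed.' );
    }

    return $errors;
}, 10, 3 );
```

Test the form with browser autofill and a password manager before relying on it, since a decoy that gets auto-populated for a real visitor rejects a legitimate registration.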

8. Stop Spammer Registrations

Another step you can take to stop spammer registrations is to use the Stop Spammers Spam Prevention WordPress plugin.

The plugin uses a number of spam prevention techniques, including checking Akismet for known spamming activity to proactively block spammers. The plugin also maintains a list of bad hosts known for tolerating spam activity and blocks them.

Once you’ve activated the plugin, you can go to Stop Spammers » Protection options.

The default settings on this page will work for most websites. However, you can uncheck a few of them if you find that your legitimate users are unable to log in.

There is a small chance that this plugin could lock you out of your site’s admin area. If this happens, the simplest solution is to connect to your site through FTP and rename the plugin file from stop-spammer-registrations.php to stop-spammer-registrations.locked.

WordPress will automatically deactivate the plugin for you, and you can now access the admin area of your site.

9. IP Address Blocking

Did you know that each computer on the internet can be identified with a unique number known as an IP address? When you discover which IP address is sending spam to your site, you can block that address from accessing your site entirely.

To track the IP Addresses that are using your form, go to Settings » Notifications within the form editor.

Next to the Message field, click Show Smart Tags and click on User IP Address.

When you receive your next email notification, you’ll see what the user’s IP Address is.

Want to block that IP address from accessing your site?

One way to do this is to go to your web hosting company and ask for support in blocking them. Another way to block an address is to use a security plugin such as Sucuri to blacklist the IP Address.

10. Sucuri

Sucuri is a website security company that specializes in WordPress security. They protect your website from hackers, malware, DDoS and blacklists.

When you enable Sucuri, all your site traffic goes through their CloudProxy firewall before coming to your hosting server. This allows them to block all the attacks and only send you legitimate visitors.

On top of the increased security, the firewall also makes your website faster, and you may even be able to save money on your hosting bill because your server load will go down significantly.

Learn more about Sucuri’s benefits in our review: How Sucuri Helped Us Block 450,000 WordPress Attacks in 3 Months.

Good work! You now know how to stop spam registrations in WordPress.

Comments

  1. How do I use reCAPTCHA on my user registrations? I’m not creating/adding a new WP Form. I just want reCAPTCHA to work where users normally register on my WordPress site. Thanks!

    1. Hi Peter,

      WPBeginner has a helpful article about how to include reCAPTCHA in a regular WordPress registration form. We can’t provide support for this since it’s not for our forms, but hopefully that gets you on the right track!

      Have a good one 🙂

  2. Hi,

    Is it recommended to go with Membership field on for “Anyone can register” and Role as “Subscriber” because I get lots of registrations for my website and I’m a little curious. I’m not sure all of them are real Subscribers, is there any problem my subscribing to my website (http://www.askeygeek.com)? Please check and advise.

    1. Hi Anson,

      It sounds like you’re probably getting spam subscribers, and so I’d suggest you follow some of the additional tips outlined in this article to prevent this.

      If you’re using WordPress’s default user registration form, ‘Anyone can register’ must be checked and, as mentioned in the article, subscriber is the safest default role. This is because subscribers have very low permission levels within WordPress, and so can access very little of your site’s backend.

      That being said, any of the other steps (most of which revolve around using our User Registration addon) would provide additional ways to prevent spam registrations 🙂
