Popularity comes with a price. This saying may be true to WordPress.
Endorsed by billions of users from pole to pole, WordPress proves the world’s most favored content management system. However, this immense popularity also brings about many downfalls and unwanted burdens, including becoming a juicy target for spammers worldwide.
One of the most annoying spam on WordPress sites is user registration spam. This happens when attackers program spambots to create fake accounts and gain access to the WordPress admin. The main purposes are no other than exploiting your resources or causing chaos.
To help you completely knock out WordPress user registration spam, we will present 10 simple corresponding tips along with recommended plugins.
Let’s get started!
- How WordPress User Registration Spam Impacts Your Site
- #1 Completely Disable Registration
- #2 Set Up User Roles in WordPress
- #3 Kill Registration Spam with Built-in reCaptcha
- #4 Make Use of Registration Anti-spam Plugins
- #5 Turn on Email Activation
- #6 Use Geo-blocking to Reduce Spam User Registrations
- #7 Change WordPress Registration URL
- #8 Require Admin Approval for New Users
- #9 Manually Block Spam IP Addresses
- #10 Install a Security Plugin
How WordPress User Registration Spam Impacts Your Site
Looking at the default WordPress registration page and you’ll see there is no particular step to prevent spam.
Once you allow public registration, your users easily access your site via the registration page at https://yoursite.com/wp-login.php?action=register:
If you don’t have any action to guard off this page or your site from spam, obviously your hard-to-make WordPress site can be on the prying eye of spambots and hackers.
Normally, spambots tend to create fake accounts as they are just scripts trying to access your site via the registration URL. Fortunately, you can easily swipe them away by just using contact form spam plugins.
On the other hand, you can consider some options, WordPress user registration spam spread by hackers is a real bear and can leave worse damage to your site. Once they get user access to your site, they might:
- Steal user information like email addresses, credit card, or bank account information
- Build backlinks to their websites
- Flood your sites with porn links, scams, and even malware
- Store pirated movies, documents, or software if they have admin access.
And you know what, the impact of such registration spam can be more severe than you can imagine. As soon as users register on your site, all their data will be stored in the database. Tons of registration spams can bulk up your database, which will drag down your site performance.
What’s more, spammy content, including junk links posted by spammers can affect your site ranking on search engines. Regarding junk links, they can redirect users to shady sites selling illegal drugs, weeds, or adult-content sites, which may ruin your site’s reputation.
On top of that, as search engines and hosting providers discover that your site is hacked, they suspend the site, mark it as deceptive, and blacklist it respectively.
Last but not least, your site may suffer from a data breach. Attackers can steal the personal data of your users and sell them online illegally.
Obviously, WordPress user registration spam proves a thorny issue that you shouldn’t turn a blind eye to. So what’s next?
There comes the saying “Prevention is better than cure.” Take our 10 simple and comprehensive tricks below to protect and stop WordPress user registration spam now!
#1 Completely Disable WordPress Registration
If you just run a personal blog, enabling user registration somehow turns out to be unnecessary. In fact, if you want to allow only several people access to your site, creating accounts for them rather than letting them register comes as a better idea.
To completely disable user registration on WordPress, you need to
- Log into your WordPress dashboard, go to Settings > General.
- In the General Settings page, scroll down to the Membership option and uncheck the “Anyone Can Register” box. Make sure to save your changes.
Once you disable registration, anyone trying to visit your default registration page will encounter this message:
#2 Set Up User Roles in WordPress
In case you own a membership site and leaving user registration enabled is a must, it’s highly recommended never granting fresh members access to your WordPress dashboard.
As long as they are not admins, super admins (in a multisite), and editors, they cannot approve spam comments, publish harmful content, or set malicious functions in motion.
The safest user role you can assign to your new users is the Subscriber role as it has limited permissions in WordPress. For instance, Subscriber finds no way to access the WordPress Dashboard.
To set up user roles, what you need to do is:
- Open up the WordPress dashboard and click Settings > General.
- Look for the New User Default Role option and choose “Subscriber” in the drop-down menu. Hit “Save Changes.”
#3 Kill Registration Spam with reCAPTCHAs
Adding reCAPTCHA to the registration page also support reducing the chance for WordPress user registration spam. The birth of reCAPTCHA is to fulfill the duty of telling humans and bots apart, which significantly contributes to stopping spam at the doorstep.
Humans can easily confirm their authentication by doing simple maths. Spambots, meanwhile, are not even able to see images, not to mention solving reCaptcha.
#4 Make Use of Registration Anti-spam Plugins
Installing WordPress anti-spam plugin appears as the most hassle-free and effective way to battle registration spam. All you need to do is install, activate, sit down, relax, and let them handle the task.
Not only can they wide off spam registrations but they also protect your site from, spam comments, emails, and spam contact form submissions.
There are many well-known anti-spam plugins that you can consider, namely WordPress Zero Spam, Antispam Bee, Antispam by CleanTalk, etc.
Don’t know how to choose the suitable anti-spam plugin for your site? Check out our comprehensive review about the 5 best WordPress anti-spam plugins here!
#5 Turn on Email Activation
Email activation requires users to confirm their authentication and humanity via a link attached to the email address used for registration. Clicking on the link means you activate the user account.
In other words, fake email addresses equal no account activation. Since most WordPress user registration spam is created by bots, utilizing the email verification method helps to apply an additional security layer for your site.
So how to implement email activation on your site?
Many versatile WordPress form plugins give the green light to create custom registration forms with an email verification feature. However, it’s available in the premium version only. If you’re willing to dip into your pocket, some options you can consider including Gravity Forms and Formidable Forms with the User Registration add-ons.
#6 Use Geo-blocking to Reduce Spam User Registrations
Geo-blocking refers to limiting users from certain countries from accessing your website.
You can whitelist your own country and then block every other country from reaching your registration page. By doing that, both malicious and legitimate traffic from the country you restrict access will be blocked right away.
Some geolocation plugins lending you a helping hand are iQ Block Country, CloudGuard, etc.
However, keep in mind that this method may not work well in some cases. For example, if you run a global eCommerce store, completely blocking customers from a specific country may refrain your site from driving more traffic and revenue.
#7 Change WordPress Registration URL
Another workable solution for reducing WordPress user registration spam is changing the URL of your registration page.
As mentioned above, the default WordPress registration page is located at https://example.com/wp-login.php?action=register. Customizing this link will fool spambot programmed to look for the default URL.
Considering the registration page is a part of your login page, customizing the login URL will enable you to change the registration page.
Among thousand of plugins excelling at changing the login page URL, WPS Hide Login emerges as a veteran wizard with over 800,000 active installations and an overall 4.9 out of 5 stars rated.
Once you download and activate the plugin, all you need to do is:
- Go to Settings > General
- Scroll down to see the WPS Hide Login area
- Type the new uniquely custom URL.
- Login URL field: input your new Login URL path.
- Redirection URL field: input a specific URL where users will be redirected to. We recommend entering an error like 404 or 503.4. Click on the Save Changes button
Let’s say if your new URL is https://example.com/aef7165B.
The new registration page will be located at https://example.com/aef7165B?action=register
Anyone trying to access the login page using the default login URL will be redirected to this URL https://example.com/404.
You can refer to this article for more plugin options on changing the WordPress login page URL.
#8 Require Admin Approval for New Users
Apart from spam account themselves, you also need to take into account spam activities from registered users. That‘s why administrator approval for new users comes in handy.
As a matter of fact, WordPress offers limited built-in features for admin approval, not to mention sorting out tons of spam registrations manually may drive you overwhelmed.
Let user approval plugin like New User Approve take that weight off your shoulders.
- Log into your WordPress dashboard, click “Users”
- A list of registered users along with their statuses shows up. Hover over each user and you’ll see the “Approve/Deny” option.
- Click “Deny” if you refuse to approve the user
- In case you want to approve/deny/delete multiple users at once, just choose pending users and click on the defined actions in the Bulk Actions dropdown.
#9 Manually Block Spam IP Addresses
This method permits you to stop users with a specific IP address from posting spammy comments on your site. If your registration spam bulk is caused by the same IP addresses, you can fix this problem by restricting those IP addresses from accessing your site in the first place.
We’ll show you how to block spam IP addresses using WordPress itself and the .htaccess file.
- Blocking IP addresses in WordPress
- In your WordPress admin dashboard, head over to Settings > Discussion and scroll down to the “Disallow Comment Keys” option.
- Copy and paste the IP addresses that you want to block to the text box. Make sure to save your changes.
WordPress will now block users with these IP addresses from leaving a comment on your website. Although they are still able to visit your website, they will see an error message when trying to submit a comment.
- Blocking an IP Address Using .htaccess
Note: Since a small coding mistake in the .htaccess file can cause internal server errors, you need to back up your existing .htaccess file beforehand. In case anything goes wrong, you can use the backup file.
- Log into your WordPress hosting account
- Navigate to the cPanel and go to Files > File Manager
- In the File Manager, look for the .htaccess file presented in the public_html folder. Right-click on it and choose Edit
- Add the code snippet below to your .htaccess file and hit Save Changes
order allow, deny
deny from xx.xx.xx.xxx
allow from all
Don’t forget to change “xx.xx.xx.xxx” to the IP addresses you want to restrict access to.
#10 Install a Security Plugin
WordPress security plugins can track down spammy, malicious IP addresses, and turn on a firewall to detect spammy login attempts and prevent hackers.
When you install these plugins on your site, they check every visitor’s IP against its database. If any conditions are met, they will refuse access. That will stop the spammer from registering a user account.
Plus, you can also make use of WordPress security plugins to implement geolocation blocks, scan vulnerabilities, and defense against brute force attacks.
There is a wide range of reliable WordPress security plugins in this field, which several big shots are MalCare, Sucuri, Wordfence, and BlogVault.
Stop WordPress User Registration Spam Now!
We have walked you through the 10 simple and useful tricks to combat WordPress user registration spam. Among them, the easiest ways to deal with registration spam include setting up user roles, changing the login page URL, and adding reCAPTCHA to the registration page.
We also recommended some feature-rich WordPress plugins that assist you in battling spam comments, blocking IP addresses, approving users, or turning on email verification.
WordPress user registration spam can be a frustrating issue! Don’t let it even have a chance to bother you using our comprehensive tactics listed above!