How To Combat WordPress User Registration Spam

How To Combat WordPress User Registration Spam

WordPress user registration spam is becoming an annoying issue. For bloggers, there’s already too much to tackle.With this new user registration spam issue, there’s one more thing added to their already full plate.

Spam is a word that anyone using the internet is so much aware of. Spam can take any form, can attack you at any time and with any frequency.

With my blogging and online business experience since 2007, I must say spam is taking newer and interesting forms everyday. In this post, I will talk about a form of spam that has particularly annoyed me for about 3-4 months now.

And I got so annoyed and took action just now. After 3-4 months? Yes that’s a much slower reaction, but I wanted to learn the pattern and some of the inside aspects of this particular spam problem.

Well there’s no suspense – the spam I’m talking about is user registration spam pertaining to WordPress blogs or websites.

It all started to me when I opened up guest posting and when this blog got a decent PR from the big G. I’m not scaring you away from accepting guest posts at your blog.

Accepting guest posts and spam user registration

I know many bloggers don’t allow user registrations while they still accept guest posts by email. And, some bloggers allow WordPress user registration and ask the guest bloggers to submit their guest posts via the WordPress Dashboard.

So this particular spam problem, WordPress user registration spam I’m talking about, arises obviously in the second case. The host blogger has to open up registrations in order to allow people to login to their site and submit their guest posts via the WordPress dashboard. Basically the link looks like this http://www.yourdomainname.com/wp-login.

Now, you can enable or disable user registration in WordPress by going to Settings > General > and enabling/disabling “Anyone can register”. And, you can also set the default role of the person who registers (if you enable registration) by choosing from the drop down as shown below.

Wordpress User Registration to combat spam users

By choosing the default level to “Subscriber” you’re actually restricting any new registered user from making any spam submissions or doing anything mischievous (I use Subscriber level as default). Some bloggers allow “Contributor” registrations – this means that when a person registers he/she can submit a guest post for the host blogger’s review.

Apart from the very little number of genuine submissions there can be a bunch of spam and mess that the host blogger needs to clean up every once in a while in this case.

I wouldn’t recommend allowing “Author”, “Contributor” or any other level up for open registration since this may be a threat to your site’s security and integrity. Authors and Admins can publish content to your site without having to get approved by you, the host blogger. And they can do much more nasty stuff apart from this.

If you want to add an admin user (if you want someone else to moderate comments or do some administration or maintenance work for your site) then you can ask them to register and later on go to “Users” and find their username and upgrade their account to “Admin” or any other level you want to.

Now coming to the topic of this post….

How to combat spam user registration in WordPress?

I am not sure if you would believe me if I say that I got about 10-15 new spam registrations per day. Well, its so annoying with the email notifications I get for WordPress new user registration spam. My inbox gets rubbish and sometimes I delete genuine emails and some genuine WordPress user accounts out of frustration.

And so I came to a conclusion that I should stop this anyhow! With WordPress, I was sure that there’s a plugin for this. Not one but many actually.

I currently use SABRE which is a free plugin. And so far I find it to be working great. WordPress spam user registrations are 0 (yes zero) after I started using this plugin.

Installing the plugin won’t do the job, you need to go ahead and configure some settings nicely so that it fits your audience.

Highlights

Here are some of the features I liked the most about this plugin.

  1. A simple text test, which I feel is less intrusive, unlike complex math and Captchas.
  2. Stealth tests (un-obstructive) to check if the registration is done by a human or not.
  3. Registration blocked if javascript is disabled or unsupported by the browser.
  4. Keeps a list of blocked/spam ips and blocks registration from those ips.
  5. Option to make it compulsory to verify registration either by user or by the admin (I love this feature and it blocks people using fake email ids to register. I leave it to users to verify!).
  6. Limit the number of days to confirm. If a user account is not confirmed by X number of days, the account is deleted.
  7. Prohibit login before confirmation (sweet).
  8. Ability to make the user to agree with a license or disclaimer or any other guidelines (I’ve not used it yet).
  9. Ability to enable “invitation only” registration.
  10. User is allowed to choose a password by himself/herself upon registration (instead of the WordPress auto generated password).

The captcha/math options

The thing I liked about this plugin is that it gives me, the blog owner, the option to decide how hard I can make it for a spam user at the same time not harming the genuine user.

I usually tend to stay away from Captcha plugins since filling out a Captcha is not very pleasant. I might annoy the genuine people.

But this plugin has 3 options – Captcha, Math and Text. And I went for the text option (you simply have to check the box against “Text” options and uncheck the other two as shown below to use this feature).

SABRE WordPress user spam registration control plugin

Stealth options

This is something I really love. As you can see from the picture below, the security is pretty much tight and this stealth check won’t interrupt or come in the way when a user is registering.

All these checks are done silently in the background!

SABRE user spam registration plugin stealth options

Click to enlarge

Other plugins I tried to overcome WordPress spam user registration

User spam remover – Good one! However, I personally didn’t like it.

Stop spammer registrations – Sounded all geeky to me.

Registration control – I still got spam registrations.

Skt NURCaptcha – Works good by using a Captcha below the registration form.

WangGuard – A freemium plugin. They have a pricing model based on the number of queries you get. Check out the plugin page to know more. This plugin might conflict with any other minify or caching plugins you use. Make sure you read the instructions carefully and configure the plugin accordingly.

SI CAPTCHA Anti-Spam – Restricts spam user registration by implementing Captcha. This plugin not only works for user registration but also works for comment spam.

A word of caution

The SABRE plugin does a great job, but since I enabled the option to make the users “verify”, all the already existing accounts ran into problems; they received errors while logging in. I had to make them register again and attribute their posts (if any) to their new accounts.

Considering the amount of spam I got, I found this to be a lesser painful job. And the contributors were so kind enough to register again.

So if you are already running a blog with around hundred contributors, you should disable the verification option. Otherwise you should be fine!

WordPress user registration spam: Conclusion

The spam accounts usually can’t cause much “threat” to your blog as long as you give only the “subscriber” level to open registration. But I hear some people say that when hackers attempt to hack your blog, they usually try to use such spam accounts; though I’m not so sure about this fact. In any case make sure you know about the WordPress website basics.

Nevertheless WordPress registration spam is a pretty annoying problem. It is not always possible to turn off website user registration since you might need to allow registration of new users to your WordPress site for various reasons.

I hope the above mentioned plugins can help you solve the spam user registration problem!

I’d love to hear your thoughts on this matter, and any other WordPress plugins that you find to be more effective to combat WordPress user registration spam. 

Don't forget to pick up your FREEBIES!

Blogging Success Foundation course (A 20-part e-course that lays the perfect foundation for your blogging success!) and FREE access to the ever-expanding PBS Library of e-books, workbooks and my exclusive newsletter!

Give me my FREEBIES!

Comments

  1. Tushar says

    For this very reason, I am writing guest posts from my profile using my id and linking to author from the post. It gives me complete control over my blog

    • says

      Yes Tushar, both methods have their own plus and minus. If I allow a guest blogger to login, they can format the post and upload images etc. That is a lot less work, considering the amount of guest post submissions I get. But yes, we need to take a side :) to lose something and gain something else.

  2. says

    really, i’ve never seen this kind of spam, but i will take caution of this! and i think it’s not wise to give administration right to someone that you do not know enough, it’s safer to have the guest post submitted by email. Thank you for the advice, Jane.

  3. Farrell says

    I have been planning to enable my site for guest posts. I have been thinking of the possibility of spams before enabling this option and i’m currently trying to find a good plugin to serve the purpose of blocking spam registrations. I stumbled upon your post and i try the plugin you suggested. I might also try the others that you listed. Thanks for sharing by the way.

  4. says

    It’s kinda irritating to have your inbox messed up with spams but I will explore more this plugin and try myself if it could really combat spams. Thanks for sharing this.

  5. says

    I’ve tried those plugins and they all work well but one of the best is called ‘stop forum spam’. Although it has the word forum in it, it works great on wordpress sites

  6. says

    Even I am experiencing user registrations spam a lot… I like your advice on setting the default role to subscriber and then changing it accordingly.

  7. says

    Jane,

    When I registered here I did wonder how you combat spam users. I believe you when you say you get 10-15 a day. I opened my blog to a forum a few months back and closed it just a few months later mostly because of spam. (And I didn’t have time for a forum and a blog.) But at the time I was getting 2-3 spam users. You are larger than me so 10-15 is believable.

    I accept guest posts but I enter them in myself under “guest writer” user name I created. I thought of allowing repeat writers be “contributors” but that darn spam got in the way.

    If I change my mind I will definitely seek out this plugin. Thanks so much for the tip, it’s a time saver.

    ~Allie

    • says

      Allie, you’re right. Its really hard to pick a side – either to allow writers as contributors or handle the guest posts under our own account by giving a author byline!

  8. Stacy says

    Maybe you should start a campaign about WordPress Spam, just like the Stop SOPA campaign (SOPA=Stop Online Piracy Act). Have you heard about it? I bet lots of people will support you and better tools will appear.

  9. Kent says

    I’v also tried a lot of plug ins before and I will agree with Sim, ‘stop forum spam’ is one of the best plug ins out there.

  10. says

    OMG! I didn’t know that it would be that risky. I allowed users to registered as “contibutor” and yes I do get many spam registrations (not as many as you of course), but after reading this my concerns are now about my blog security. I have to try using SABRE. Btw Jane, what’s the diferrence register as “subscriber” vs “contributor”?

    • says

      Hi Peter, subscriber level is the one with the lowest privileges for people on your site. They can’t do anything but login and edit their profile information etc.

      Contributors, on the other hand, can submit posts for review, will have access to certain areas of your WordPress backend, they can view some posts (just the titles, won’t be able to edit them though). They won’t be able to do any serious harm.

      But still if you just give these permissions to anyone and everyone its not gud!

  11. says

    Hi Jane,
    The moment I changed the guest posting submission process and allowed people to register themselves, the spam started immediately! I wanted people to be able to register as a Contributor – but the spammers totally ruined that. Then I tried the various plugins you’ve mentioned here, and I honestly didn’t find any to be as effective as I needed. So I changed up the process a bit – I still let people register as a subscriber, then they are required to email me to request an account upgrade. Before I upgrade anyone, I check for a gravatar and a bio. If they don’t have either, I request that they add it – usually spammers avoid this. I also check the links that they add in the bio to make sure they are decent sites. So far this process is working better. But it took me a while to clean out all of the spammers and their submissions – I’ll never make that mistake again!

    • says

      Kiesha, thanks for sharing your views. I exactly do what you do. Let them register as subscribers, they need to email me and request an upgrade, I verify their account (gravatar, bio etc) and then upgrade them to a contributor. Just that I’m using SABRE that helps me reduce the number of “subscriber” registrations I get. Coz it really a lot of work to clean up the dormant/fake accounts every week!

  12. Zinedine says

    BUY VIAGRA HERE CHEAP VIAGRA PILLS

    Hehe just kidding ;) I needed to block refferal spam with htaccess. But that solved the issue partially and i decided to use only java script statistics like StatsCounter.

  13. says

    Jane,

    Thanks a million for letting me know about this. I was getting like 30 or more spam submissions to my blog each day. It took me like an hour to clean out all the crap posts last time. So I’m going to try out the plugin you recommend here.

    Sounds like a great solution!

    • says

      Wow look at you! 30 is extremely annoying and with the WordPress email notification whenever someone registers, your inbox should be in chaos :) Glad that I could be of help, Gerald!

  14. says

    Hi Jane,

    That’s great advice. I don’t allow user registrations at all for my guest posts. I know that it’s probably better when it comes to time, because it’s a lot less time consuming when users can register and submit their own guest posts, but on the other hand, I feel that I’m not in control when other people can enter my blog..

    Anyway, great advice.

  15. says

    I also suffered with this problem in my previous blog. Thanks for sharing this plugin,for my new blog, i m gonna install it even before i start guest blogging so that i don’t have to face the problem again in future.

  16. Jym says

    Nice discovery Jane, I can see this plugin being handy.

    When I first started accepting guest posts I had my default subscription set to ‘Contributor’. Within days I was getting all sorts of junk posts as spammers tried to come in and publish stuff to get links without my knowing.

    So I set the default subscription to ‘Subscriber’. As far as I can tell, there’s no harm that can be done from there. But I’m interested to know if anyone has any actual experience or knowledge of site subscription aiding hackers or spammers at all…

    Thanks for sharing.

  17. says

    Very informative post, Jane … I’m seriously tired of fake registrations and spam guest posts on my WP blog since I’ve enabled the option of “Contributors”. I receive minimum 50 spam guest posts everyday and its quite a hectic job to sort out the genuine ones from the spam posts. I will surely change the option from contributors to subscribers. Thank you very much for sharing a detailed information about the plugin – SABRE.

  18. Terence ONeill says

    Is there ANY benefit to having registration open at all if it is only open as ‘Subscribe’ level?

    • Christophe says

      Yes, there is. I use for instance mingle forum which uses as database user the wordpress one, so they need to register via the worpdress login window.
      BR

  19. says

    I was getting so many spammers but after using the plugin suggested by you. I wasn’t getting a single spammer. Thanks a ton for providing the plugin. :)

  20. says

    Even I am experiencing user registrations spam a lot… I like your advice on setting the default role to subscriber and then changing it accordingly.

  21. Shirley Hicks says

    Thanks for this post. Am troubleshooting a similar problem today and you’ve pointed me to appropriate resources.

  22. Neeraj Kulkarni says

    I wasn’t aware of registration spamming. But recently I have been facing that problem. After having a lot of such registrations I got suspicious and checked the usernames and email addresses. They were mostly of hotmail and the username was quite random. I mean why would a real person use something like jjielwk343 as his username. He could simply use Joe or John. Secondly, although some comments which have many links and unreadable text can quickly be discerned as spam there are some intelligently crafted ones which are difficult to weed out. After some experience, these days, I look out for the generic characteristic in the comments so that I can delete them quickly.

    And yes, by default the new registration will be a subscriber, but I have disabled that too. I use Stop Spammer Registration plugin. The plugin author warns that the plugin is so robust that it may block the owner himself if he is not careful.. Anyway, i gave it a try and it does work well. The spam registrations are close to nil now. Sabre seems to be good. I will give it a try.

    Thanks for the post.

  23. says

    Thanks for your helpful tips and plugins,
    i had one site that is getting alot of spam registrations, it’s really annoying, i think using a plugin is the best solution. I’ll go after skt-nurcaptcha plugin and see how everything goes.
    Thank you again,
    Andrew

  24. says

    Thank you so, so much for posting this! I’ve been looking for a solution to the dozens of registrations I get each day. They are so annoying! This was the first post I came across that actually had a solution I could understand. Thank you!

    P.S. – Your anti-spam system may be very effective but it’s definitely a bit annoying for people who are trying to leave a genuine comment. I just got kicked out once because I had too many words in my name and once because I changed it quickly and submitted but “didn’t spend enough time on the page”! I’m still thrilled enough by the post that I wanted to say thank you though.

  25. says

    Thank you so much. After nearly loosing my mind with dumping these spam users every couple of days, I posted this question on several forums. I’m going to give SABRE a try. And you weren’t exaggerating, I get at least 15 of these a day.

  26. says

    Hi Jane,

    I am a new blogger and digging deeply to find a way to stop spam user registrations of my wordpress blog.I am going to use your Tips and will let you know the result.Thanks a ton for sharing this

  27. says

    Thank you for this article, I tried many settings and plugging but could not get it to work. Here you provide succinctly the answer that I was looking for.

    Best regards,
    — Mayel Espino >

  28. Madison Woods says

    I’ve been getting 20-100 spam user registrations per day at my blog. I have close to 200 blog subscribers who are genuine, so I don’t want to do anything to restrict their ability to comment at my blog. One thing I’ve done to combat the email notification irritation you mention is to set my outlook to deposit all of those notifications to a folder. I delete the mails from that folder daily. My users are all set to “subscriber” roles already. Every once in a while I do get spam comments, but Askimet does a fair job of weeding those out (I use the paid version).

    Does the plugin you use affect your blog subscriber’s ability to make comments by making them go through extra security to login to comment?

  29. Salman says

    Hello,
    You can always disable it in wp. Could clarify why we need to enable this option? What benefits a blogger get when it keep accepting registration as users? Does it help in SEO or anything that sort? Still not able to follow why we need to enable it. Please clarify.

Leave a Reply

Your email address will not be published. Required fields are marked *