Trying to stop WordPress registration spam at your site?
Because of WordPress’ immense popularity, it’s a juicy target for spammers around the world. They might just be trying to exploit your site and gain access. Or, they might want to spam your community, like filling up your forum with spam topics.
If you allow public registration on your WordPress site, you’re almost certainly going to run into problems with spam registrations in some form or another.
In this post, you’re going to learn how to cut down on spam registrations using a mixture of built-in WordPress features and free plugins.
The Default WordPress Registration Process
Before we get to the tactics, let’s briefly discuss the default WordPress registration process.
If you allow public registration at your site, the default WordPress registration page is located at https://yoursite.com/wp-login.php?action=register:
As you can see, there’s not much stopping malicious actors or bots from creating spam registrations.
Bots can go straight to your registration page by appending that same path to any WordPress domain, and there’s nothing to stop them from filling out the form fields and submitting the form as often as they like.
How to Stop WordPress Registration Spam
There are a number of different strategies that you can use to stop WordPress registration spam. Depending on your site’s needs and the severity of your problem, you might need to implement just one of these strategies or you might need to try multiple tactics to stop the spam.
Here’s the full list of strategies:
Disable WordPress Registration Completely
First off, if you don’t need public registration on your WordPress site, it’s better to just disable registration altogether rather than trying to fight spam registrations.
Even if you need to give others user accounts at your site, that doesn’t necessarily mean you need to enable public registration. For example, if you only need a small number of people to have their own accounts, you could manually create accounts for them rather than letting them register themselves.
To completely disable user registration on WordPress, go to Settings → General and make sure that the Anyone can register box is unchecked:
Once you disable registration, anyone trying to visit your default registration page will see this message:
Add CAPTCHA to Your Registration Form
Another way to fend off user registration spam is to add a CAPTCHA to the default WordPress registration form.
There are various types of CAPTCHAs that you can use, but Google’s reCAPTCHA is the most widely used on WordPress sites. It comes in several versions: the reCAPTCHA v2 “I’m not a robot” checkbox (also known as No CAPTCHA reCAPTCHA), Invisible reCAPTCHA v2, and the score-based v3. All of them try to stay out of the way of legitimate human visitors and only challenge traffic that Google’s risk analysis flags as likely automated. Keep in mind that a CAPTCHA raises the cost of an attack rather than eliminating it: paid CAPTCHA-solving services exist, so a determined spammer can still get through, which is why it pairs well with admin approval further down.
To add reCAPTCHA to your WordPress registration form, you can use the free CAPTCHA 4WP plugin (formerly named Advanced noCaptcha & invisible captcha, which is why the settings menu below still carries that label).
To set up the plugin, you’ll first need to generate a free reCAPTCHA API key from Google – which just involves entering your website and choosing which type of reCAPTCHA to use:
Then, you can go to Settings → Advanced noCaptcha & invisible captcha to set up the plugin:
- Choose the version (make sure this matches what you selected when you created your API key).
- Add your Site Key and Secret Key (Google gives you these after you submit the form from the previous screenshot). The Site Key is meant to appear in your page markup; the Secret Key is used only for server-side verification and must never be exposed in HTML or JavaScript.
- Choose where to enable your CAPTCHA. Beyond your registration form, you can also enable it for other parts of your site, like your login form.
Once you save your changes, you should see your CAPTCHA form on your registration page (unless you chose an invisible method, in which case it would only be visible for suspected bots):
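If you would rather see what a plugin like this does under the hood, here is an added example (not code from CAPTCHA 4WP or from this post’s author) that puts the reCAPTCHA v2 checkbox on the default registration form as a must-use plugin. The constant names, the file name and the decision to fail closed when Google cannot be reached are this example’s own assumptions; the endpoint, the g-recaptcha-response field and the hooks are standard reCAPTCHA and WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example: reCAPTCHA v2 checkbox on the default registration form
 *
 * Added example, not the CAPTCHA 4WP plugin's code. Save it as
 * wp-content/mu-plugins/example-recaptcha.php and define the two constants
 * below (names are this example's own) in wp-config.php with your Google keys:
 *   define( 'EXAMPLE_RECAPTCHA_SITE_KEY', '...' );
 *   define( 'EXAMPLE_RECAPTCHA_SECRET',   '...' );
 */

// 1. Load the reCAPTCHA script only on wp-login.php?action=register.
add_action( 'login_enqueue_scripts', function () {
	if ( isset( $_REQUEST['action'] ) && 'register' === $_REQUEST['action'] ) {
		wp_enqueue_script( 'example-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null );
	}
} );

// 2. Render the checkbox widget inside the registration form. Only the site key
//    goes into the page; the secret never leaves the server.
add_action( 'register_form', function () {
	if ( defined( 'EXAMPLE_RECAPTCHA_SITE_KEY' ) ) {
		printf(
			'<div class="g-recaptcha" data-sitekey="%s" style="margin-bottom:16px"></div>',
			esc_attr( EXAMPLE_RECAPTCHA_SITE_KEY )
		);
	}
} );

// 3. Verify the token with Google before WordPress creates the account. This
//    server-side call is the actual control: a bot that POSTs straight to
//    wp-login.php never renders the widget, so it arrives with no token.
add_filter( 'registration_errors', function ( WP_Error $errors, $sanitized_user_login, $user_email ) {
	if ( ! defined( 'EXAMPLE_RECAPTCHA_SECRET' ) ) {
		// Fail closed rather than silently letting everyone through when misconfigured.
		$errors->add( 'captcha_config', __( '<strong>Error:</strong> Registration is temporarily unavailable.' ) );
		return $errors;
	}

	$token = isset( $_POST['g-recaptcha-response'] ) ? (string) $_POST['g-recaptcha-response'] : '';
	if ( '' === $token ) {
		$errors->add( 'captcha_missing', __( '<strong>Error:</strong> Please complete the CAPTCHA.' ) );
		return $errors;
	}

	$response = wp_remote_post(
		'https://www.google.com/recaptcha/api/siteverify',
		array(
			'timeout' => 5,
			'body'    => array(
				'secret'   => EXAMPLE_RECAPTCHA_SECRET,
				'response' => $token,
				'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
			),
		)
	);

	$ok = false;
	if ( ! is_wp_error( $response ) && 200 === (int) wp_remote_retrieve_response_code( $response ) ) {
		$body = json_decode( wp_remote_retrieve_body( $response ), true );
		// "success" must be true, and the token must have been solved on this site's
		// hostname (assumes the login page is served from home_url()'s host), so a
		// token solved somewhere else for your site key cannot be replayed here.
		$ok = ! empty( $body['success'] )
			&& isset( $body['hostname'] )
			&& $body['hostname'] === wp_parse_url( home_url(), PHP_URL_HOST );
	}

	if ( ! $ok ) {
		// An unreachable verifier is treated the same as a failed check (fail closed).
		$errors->add( 'captcha_failed', __( '<strong>Error:</strong> CAPTCHA verification failed. Please try again.' ) );
	}
	return $errors;
}, 10, 3 );
```

The point to take from this is that the checkbox in the browser proves nothing by itself; the registration_errors check that calls siteverify is what rejects a bot that skips the widget and POSTs the form directly. This example covers the v2 checkbox only; Invisible reCAPTCHA and v3 submit the token differently and v3 additionally returns a score you would have to threshold.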
Use a Dedicated WordPress Registration Spam Plugin
Some all-purpose WordPress anti-spam plugins can help stop WordPress registration spam, as well as spam in other areas, like your comments section or form submissions.
Unfortunately, the popular Akismet comment spam plugin from Automattic doesn’t work for registration spam, but some other popular options that do block registration spam include:
Again, these plugins are not limited to just registration spam, but they do help you block spam registrations as part of their general anti-spam efforts.
Require Admin Approval for New Users
If, beyond the spam accounts themselves, you’re also worried about what people do after registering, another good strategy is to require admin approval for new users.
For example, if you’re worried about people spamming your bbPress forum or BuddyPress community, requiring admin approval lets you avoid that situation.
This is a good one to combine with a CAPTCHA or another strategy: the CAPTCHA will filter out low-level automated spam and you can use manual approval to catch everything else.
However, if you have tons of spam registrations and try to implement this strategy by itself, you might find yourself overwhelmed trying to sort through all of the registrations.
To require admin approval for new users, you can use the free WP Approve User plugin.
Once you install and activate the plugin, it starts working right away. All your existing users will already be approved (to avoid issues).
New users, however, will require manual approval, which you can do from the existing Users area in your WordPress dashboard:
You also have the option to both send and customize emails for when a user is:
- Approved
- Unapproved
You can enable these emails and customize their contents by visiting Settings → Approve User.
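To make the mechanism concrete, here is an added example (not WP Approve User’s code, and not from this post’s author) of how approval can be enforced with WordPress hooks as a must-use plugin. The meta key name, the Approve row action, the email wording and the decision to treat accounts with no meta row as already approved are this example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Example: manual approval for publicly registered users
 *
 * Added example, not the WP Approve User plugin's code. Save it as
 * wp-content/mu-plugins/example-approve-user.php. Approval state is kept in
 * a user meta key (name chosen for this example): '0' = pending, '1' = approved.
 */

const EXAMPLE_APPROVED_META = 'example_approved';

// 1. Every account created through public registration starts out pending.
//    Accounts an administrator creates from Users → Add New are approved at once.
//    (No current user, e.g. WP-CLI, also counts as pending; adjust if that matters.)
add_action( 'user_register', function ( $user_id ) {
	$approved = current_user_can( 'create_users' ) ? '1' : '0';
	update_user_meta( $user_id, EXAMPLE_APPROVED_META, $approved );
} );

// 2. Refuse password login for pending accounts. Users who predate this plugin
//    have no meta row at all and are treated as approved, so nobody gets locked out.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
	if ( is_wp_error( $user ) ) {
		return $user;
	}
	if ( '0' === get_user_meta( $user->ID, EXAMPLE_APPROVED_META, true ) ) {
		return new WP_Error( 'example_not_approved', __( '<strong>Error:</strong> Your account is awaiting approval.' ) );
	}
	return $user;
}, 10, 2 );

// 3. Add an "Approve" link to pending users in the Users list (row actions).
add_filter( 'user_row_actions', function ( $actions, $user ) {
	if ( current_user_can( 'edit_users' ) && '0' === get_user_meta( $user->ID, EXAMPLE_APPROVED_META, true ) ) {
		$url = wp_nonce_url(
			add_query_arg( array( 'example_approve' => $user->ID ), admin_url( 'users.php' ) ),
			'example_approve_' . $user->ID
		);
		$actions['example_approve'] = '<a href="' . esc_url( $url ) . '">Approve</a>';
	}
	return $actions;
}, 10, 2 );

// 4. Handle the link: capability check plus nonce so the approval cannot be
//    forged by a link the admin is tricked into clicking (CSRF).
add_action( 'admin_init', function () {
	if ( empty( $_GET['example_approve'] ) || ! current_user_can( 'edit_users' ) ) {
		return;
	}
	$user_id = (int) $_GET['example_approve'];
	check_admin_referer( 'example_approve_' . $user_id ); // dies on a bad or missing nonce

	update_user_meta( $user_id, EXAMPLE_APPROVED_META, '1' );

	$user = get_userdata( $user_id );
	if ( $user ) {
		wp_mail( $user->user_email, 'Your account has been approved', 'You can now log in at ' . wp_login_url() );
	}
	wp_safe_redirect( remove_query_arg( array( 'example_approve', '_wpnonce' ) ) );
	exit;
} );
```

Note that the gate sits on password authentication, which is the only way a freshly registered account can get a session; an existing session is never created for a pending user, so there is nothing to revoke. The WP Approve User plugin does more (bulk actions, customisable emails, an unapprove path), but the shape is the same: a flag set at registration and checked at login.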
Block Malicious IP Addresses
If the bulk of your registration spam is coming from a handful of IP addresses, you can cut down on the problem by blocking those addresses before they ever reach WordPress. Check your web server’s access logs for POST requests to wp-login.php?action=register to find them first, and bear in mind that spammers who rotate through proxies or botnets will simply show up from a new address, so IP blocking works best as a quick stopgap against a single noisy source rather than a long-term fix.
If you host at Kinsta, we offer an IP deny tool in the Kinsta dashboard. To access it, open the site where you’re having problems and choose the IP Deny option in the sidebar of the site’s dashboard:
Most cPanel hosts should also give you an IP blocking tool.
Change the WordPress Registration URL
If you want to add some “security by obscurity” to your registration page and cut down on low-level bot traffic, you can change the URL of your registration page away from the default that all WordPress sites use. This only stops bots that hard-code the default path; anything that crawls your site and follows links, or is pointed at the new URL by a human, will find it, so treat it as a filter rather than a control.
The registration page is actually part of the WordPress login page, so you can accomplish this with any plugin that lets you change the WordPress login URL.
A good option is the free WPS Hide Login plugin.
Once you install the plugin, go to Settings → WPS Hide Login to enter your new URL. You can also redirect the default URL to another page, like your 404 page:
For example, if you change your login URL to yoursite.com/sneakylogin, then the default registration page will no longer function. Your new registration page would be yoursite.com/sneakylogin/?action=register.
Use a Custom WordPress Registration Form Plugin
Another good alternative to stop WordPress registration spam is to use a custom WordPress registration form plugin.
These plugins let you bypass the normal WordPress registration process and also implement a number of useful anti-spam tactics like:
- Custom registration URL – changing your registration URL away from the default can cut down on some low-level spam, though it’s unlikely to stop user registration spam by itself.
- Email confirmation – this prevents spam users with fake emails by requiring new users to confirm their email. If a user doesn’t confirm their email, the plugin will automatically discard that registration.
- Admin approval for new users – these plugins can usually help you implement the admin approval feature from above.
- Spam prevention – these plugins can also help you add CAPTCHA or honeypot fields to your custom registration form.
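The honeypot and throttling ideas above (and the observation earlier that nothing stops a bot from filling in every field on the default form) can be added to the stock registration form without a form builder. Here is an added example, not code from any plugin named on this page or from this post’s author, that does both as a must-use plugin. The hidden field name, the limit of three registrations per IP per hour, the transient key prefix and the generic error text are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Example: honeypot field and per-IP rate limit on registration
 *
 * Added example, not code from any plugin mentioned on this page. Save it as
 * wp-content/mu-plugins/example-registration-guard.php.
 */

const EXAMPLE_HONEYPOT_FIELD = 'website_url';     // bots fill every field; humans never see it
const EXAMPLE_REG_LIMIT      = 3;                 // registrations allowed per IP per window
const EXAMPLE_REG_WINDOW     = HOUR_IN_SECONDS;   // sliding-ish window via transient expiry

function example_client_ip() {
	// REMOTE_ADDR only. Trusting X-Forwarded-For lets a spammer choose its own bucket;
	// if you sit behind a proxy or CDN, have the proxy rewrite REMOTE_ADDR instead.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// 1. Render the trap field, hidden from humans with CSS rather than type="hidden",
//    which many bots deliberately skip.
add_action( 'register_form', function () {
	printf(
		'<p style="position:absolute;left:-9999px" aria-hidden="true">' .
		'<label>Website <input type="text" name="%1$s" tabindex="-1" autocomplete="off"></label></p>',
		esc_attr( EXAMPLE_HONEYPOT_FIELD )
	);
} );

// 2. Reject submissions that fill the trap, then throttle by source IP.
add_filter( 'registration_errors', function ( WP_Error $errors, $sanitized_user_login, $user_email ) {
	if ( ! empty( $_POST[ EXAMPLE_HONEYPOT_FIELD ] ) ) {
		// Same generic message as any other failure: don't tell the bot which check it tripped.
		$errors->add( 'example_spam', __( '<strong>Error:</strong> Registration failed.' ) );
		return $errors;
	}

	$key   = 'example_reg_' . md5( example_client_ip() );
	$count = (int) get_transient( $key ); // false (missing) casts to 0
	if ( $count >= EXAMPLE_REG_LIMIT ) {
		$errors->add( 'example_rate', __( '<strong>Error:</strong> Too many registrations from your network. Please try again later.' ) );
		return $errors;
	}

	// Count this attempt (successful or not); the transient expires after the window.
	// Read-then-write is not atomic, so a burst can slightly overshoot the limit,
	// which is acceptable for spam control but not for anything stricter.
	set_transient( $key, $count + 1, EXAMPLE_REG_WINDOW );
	return $errors;
}, 10, 3 );
```

The honeypot catches the dumbest bots at zero cost to users, and the throttle caps how much damage a single source can do between log reviews. Neither replaces a CAPTCHA or admin approval; they are cheap first filters that leave the stronger checks less to process.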
Many all-purpose WordPress form plugins also include the ability to create custom registration forms with anti-spam features. However, the downside here is that you’ll usually only get the registration features in the premium version. If you’re willing to pay, some good options are:
- Gravity Forms with the User Registration add-on (available with the Elite license)
- Formidable Forms with the User Registration add-on (available with the Business license)
Let’s take a closer look at how to use two free solutions, the User Registration and Profile Builder plugins.
1. User Registration
When you install the free User Registration plugin, it will give you an option to automatically create your custom registration page located at yoursite.com/registration (you can always change this URL).
You have a few other options for reducing spam during the registration process.
First, in the General Options tab of the plugin’s settings, you can use the User login option dropdown to require admin approval after a user registers:
You can also go to the Integration tab to set up Google reCaptcha (you’ll need your API keys – you can follow the same steps from earlier in this post):
To enable CAPTCHA on a specific registration form, you’d also need to edit that form and enable it there. When you edit a form, you can also add additional profile information fields if desired.
2. Profile Builder
The free Profile Builder plugin follows the same basic approach.
To customize your registration form fields, you can go to Profile Builder → Form Fields. To add a CAPTCHA to your form, you can include a reCAPTCHA field, in which you’ll need to add your API keys:
Then, to display your custom registration form, you can add the [wppb-register] shortcode anywhere on your site.
Profile Builder also includes a feature to require admin approval for new registrations, but it’s only available in the premium version.
Summary
If you need to allow public registration on your WordPress site, registration spam can be a frustrating issue. You can reduce or even completely eliminate registration spam by combining different tactics.
The simplest, most lightweight option is to add reCAPTCHA to the default WordPress registration form. Most human visitors won’t notice anything different, but Google will display the CAPTCHA tests to suspected bots to stop them from completing spam registrations.
If you want a complete overhaul, you can also use a dedicated WordPress registration plugin to create a custom registration form that includes its own anti-spam properties, as well as features like admin approval for new users.
Thanks for putting this guide together. Much appreciated!
I have been looking for a long time to prevent registration spam and read a lot of tutorials. But even when the option “anyone can register” is deactivated, I got new registrations on the sites. So I am still looking to prevent this.
Thanks a lot for this guide, I’ve been having nightmares with that “Blogspot” spam (accounts registered with that domain as the username). The best solution for now is the “WPS Hide Login” plugin. It seems the bot is not “smart” enough to guess the new registration URL