One problem plaguing WordPress especially membership sites that take user registrations is spam user registration, which can also be referred to as user registration spam or spam bot registration. This occurs when user accounts that are spammy are being created at regular interval. If your WordPress site allow users to register, then it is like going to be vulnerable to spammers.
You will also want to read:
Automatic Update in WordPress
This has been a problem or downside for WordPress. Permitting users to register for your WordPress website can invite spam users to register on your site? While one can combat spam user registration similar to comment spam, wouldn’t it be better if one could just regulate user registration like it is done with comments? The good news is that there is a solution and that is the purpose of this post. These steps will guide you through the process.
How to control the process of New User Registrations in WordPress
.To check the activities of spam users is good.. But before we look into that, we should understand why spam users can be a problem to your WordPress website..
Why WordPress Spam Users are a Problem to Your WordPress Website
Spam users can hurt your site both internally and externally, which is why they’re such a nuisance.
On the internal side, spam users bloat up your database and just generally make it harder to manage your site. If you have to sift through hundreds of spam users to manage the real users, you’re going to waste a lot of time. Similarly, if your server has to store heaps of spam users in the database, it’s going to work less efficiently, too.
Spam users can hit you on the external side by posting spammy outbound links, which can hurt your site in the eyes of Google. If you’re running something like BuddyPress, spam users might even send private messages to legitimate users, which your real users certainly won’t appreciate.
So, putting an end to the spam user problem once and for all by learning how to identify, delete, and prevent WordPress spam users is worthwhile.
How to Identify and Delete Existing WordPress Spam Users
Once you implement prevention methods, you hopefully won’t need to do this very often. But if you’re just starting out, you’ll first need to identify (and then delete) any existing spam users.
If your spam problem isn’t too large, you might be able to do this manually by bulk deleting users who exhibit spam behavior. If you’ve got a real infestation, you’ll want to turn to a plugin that can automatically go through and detect spam users.
How to Bulk Delete WordPress Spam Users Manually
The simplest way to delete spam users is to just go through your Users tab and check the users you want to delete. Then, you can bulk delete them by choosing the Delete option from the Bulk Actions dropdown.
Of course, doing this with the default WordPress screen options is infuriating because it only shows 20 users per page. Thankfully, you can change this number by clicking on Screen Options in the top right corner of your WordPress dashboard:
Then, change the Number of items per page box to the number of user accounts you want to display on each page.
If clicking a couple hundred checkboxes doesn’t appeal to you, you can also automate some of this process by using a plugin called Bulk Delete.
Bulk Delete allows you to bulk delete users that meet criteria like:
- Specific User Roles
- Specific Meta fields
- Last login date
- Registration date
If spam users are thoroughly mixed in with real users, these criteria may not be especially helpful. But Bulk Delete is great for cleaning up a one-time attack where the spam accounts all registered on similar dates or eliminating old spam users who logged in once but haven’t been back since.
Identifying and Deleting Spam Users with a Plugin
If you have too many users to identify manually, you can turn to a plugin called SplogHunter (formerly known by the somewhat awkward name “WangGuard”) to automatically identify and remove spam users. There is also a proactive prevention part of this plugin.
SplogHunter goes through your existing users and compares them against its database of sploggers/spam users. If there’s a match, SplogHunter will mark that user in a new “Splogger” column. You can then easily delete spam users after verifying they’re not real people:
SplogHunter also provides an easy Report as Splogger button that both deletes a user and adds them to SplogHunter’s centralized database (similar to how Akismet functions for comment spam).
Note – there is still WangGuard branding in the most recent version of the plugin. Rest assured that SplogHunter and WangGuard are the same thing.
How to Prevent Spam User Registration in WordPress
If you stop spam users from registering in the first place, you won’t need to worry about identifying and removing them. There are a number of ways you can block them:
- Fortify your sign up form with CAPTCHAs – this is my least favorite method because it requires real people to verify they’re not a robot, which isn’t good for user experience.
- Use a plugin that compares signups against a database of spam users – this is a better method because it doesn’t inconvenience real people. It just quietly blocks known spam users.
- Add access rules to prevent sploggers – if you notice that most spam users come from, say, .ru domains, you could create a rule that blocks anyone from using an .ru email to register.
- Default Registration Page Redirect. The default signup of WordPress located at https://yoursite.com/wp-login.php?action=register is often a target for spammers and bots as they are programmed to go looking for that link to register fake users. One efficient way of stopping spam registration is by redirecting requests from the default register page to a custom registration form page. You can use ProfilePress to create a registration form that can be embedded to a page via shortcode to make a custom registration page as well as handle the redirection. It can also redirect default login and lost password pages to their custom equivalents.
- Email Confirmation. User email confirmation or activation is a potent measure in blocking spam registrations. It requires all new users to click a confirmation link sent to their email in order to confirm or verify their email addresses before their accounts are activated, spam bots are less likely to get through this security.
- Admin New User Approval. Another spam registration preventive measure is manual approval of new users. With this feature activated, all new users will have to be manually approved by you, the administrator before they can log in and use the website. And if they appear spammy, you can block or delete them.
Now, we can look at some plugins that can help you implement one or more of these checks:
Captcha by BestWebSoft – Add CAPTCHAs to Registration Forms
If you want to require all your users to fill out a CAPTCHA before signing up, you can use Captcha by BestWebSoft to add a simple math equation to your forms. Again, I don’t think you should go straight to CAPTCHAs. But if you have a really bad spam problem, it’s a good way to knock out spam right away.
Works on login, registration, recover password, comments, and contact forms
Adds a simple math equation that fools spambots
Allows users to get a new question if it’s too difficult
Can configure the difficulty of the math questions
Includes letter and number CAPTCHAs as well
Price: Free | More Information
SplogHunter – Automatically Flag Spammers Without CAPTCHA
In addition to filtering out existing spam users, SplogHunter can also protect your registration forms without requiring users to fill out a CAPTCHA. When users sign up, they will be automatically compared against SplogHunter’s crowd-sourced spam user database.
Blocks spam sign ups without CAPTCHA
Spammer database is constantly updated because it’s crowd-sourced like Akismet
Works with WordPress,WordPress Multi-user, BuddyPress, and bbPress 2.0
Can manually block specific domains from registering
Price: Free at the time of writing (there is talk of moving to a freemium model) | More Information
Note -you will need to obtain a free API key from WangGuard/SplogHunter to properly use the plugin.