Trying to stop WordPress registration spam at your site?
Because of WordPress’ immense popularity, it’s a juicy target for spammers around the world. They might just be trying to exploit your site and gain access. Or, they might want to spam your community, like filling up your forum with spam topics.
If you allow public registration on your WordPress site, you’re almost certainly going to run into problems with spam registrations in some form or another.
In this post, you’re going to learn how to cut down on spam registrations using a mixture of built-in WordPress features and free plugins.
Before we get to the tactics, let’s briefly discuss the default WordPress registration process.
If you allow public registration at your site, the default WordPress registration page is located at https://yoursite.com/wp-login.php?action=register:
The default WordPress registration form
As you can see, there’s not much stopping malicious actors or bots from creating spam registrations.
Bots can go straight to your registration page by appending the same path to any WordPress domain, and there’s nothing to stop them from filling out the form fields.
There are a number of different strategies that you can use to stop WordPress registration spam. Depending on your site’s needs and the severity of your problem, you might need to implement just one of these strategies or you might need to try multiple tactics to stop the spam.
Here’s the full list of strategies:
First off, if you don’t need public registration on your WordPress site, it’s better to just disable registration altogether rather than trying to fight spam registrations.
Even if you need to give others user accounts at your site, that doesn’t necessarily mean you need to enable public registration. For example, if you only need a small number of people to have their own accounts, you could manually create accounts for them rather than letting them register themselves.
To completely disable user registration on WordPress, go to Settings → General and make sure that the Anyone can register box is unchecked:
How to disable WordPress registration
Once you disable registration, anyone trying to visit your default registration page will see this message:
An example of disabled registration
Another way to fend off user registration spam is to add a CAPTCHA to the default WordPress registration form.
There are various types of CAPTCHAs that you can use, but most people find Google’s reCAPTCHA service (also known as No CAPTCHA reCAPTCHA) to be the most user-friendly one. It aims to be invisible to most legitimate human visitors, while still displaying a CAPTCHA test to visitors that it determines are likely bots.
To add NoCAPTCHA reCAPTCHA to your WordPress registration form, you can use the free Advanced noCaptcha & invisible Captcha (v2 & v3) plugin.
To set up the plugin, you’ll first need to generate a free reCAPTCHA API key from Google – which just involves entering your website and choosing which type of reCAPTCHA to use:
Generating reCAPTCHA API key
Then, you can go to Settings → Advanced noCaptcha & invisible captcha to set up the plugin:
How to set up WordPress reCAPTCHA
Once you save your changes, you should see your CAPTCHA form on your registration page (unless you chose an invisible method, in which case it would only be visible for suspected bots):
An example of reCAPTCHA on the default registration form
Some all-purpose WordPress anti-spam plugins can help stop WordPress registration spam, as well as spam in other areas, like your comments section or form submissions.
Unfortunately, the popular Akismet comment spam plugin from Automattic doesn’t work for registration spam, but some other popular options that do block registration spam include:
Again, these plugins are not limited to just registration spam, but they do help you block spam registrations as part of their general anti-spam efforts.
If, beyond the spam accounts themselves, you’re also worried about what people do after registering, another good strategy is to require admin approval for new users.
For example, if you’re worried about people spamming your bbPress forum or BuddyPress community, requiring admin approval lets you avoid that situation.
This is a good one to combine with a CAPTCHA or another strategy: the CAPTCHA will filter out low-level automated spam and you can use manual approval to catch everything else.
However, if you have tons of spam registrations and try to implement this strategy by itself, you might find yourself overwhelmed trying to sort through all of the registrations.
To require admin approval for new users, you can use the free WP Approve User plugin.
Once you install and activate the plugin, it starts working right away. All your existing users will already be approved (to avoid issues).
New users, however, will require manual approval, which you can do from the existing Users area in your WordPress dashboard:
Approving users with WP Approve User plugin
You also have the option to both send and customize emails for when a user is:
You can enable these emails and customize their contents by visiting Settings → Approve User.
If the bulk of your registration spam is coming from the same IP addresses, you can cut down on the problem by blocking those IP addresses from accessing your site in the first place.
If you host at Atakdomain, we offer an IP deny tool in the Atakdomain dashboard. To access it, open the site where you’re having problems and choose the IP Deny option in the sidebar of the site’s dashboard:
How to block IP addresses with MyAtakdomain
Most cPanel hosts should also give you an IP blocking tool.
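To decide which addresses to enter in an IP deny tool, you can count registration form submissions per client IP in your web server's access log. The script below is an added example, not part of the original post; it assumes a Common/Combined Log Format access log, and the function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Common/Combined Log Format: ip ident user [time] "METHOD path PROTO" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
198.51.100.23 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
192.0.2.10 - - [12/Mar/2024:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.10 - - [12/Mar/2024:10:07:00 +0000] "GET /blog/ HTTP/1.1" 200 8192
"""

def is_registration_post(method, path):
    """True for form submissions to the default registration endpoint."""
    if method != "POST":
        return False
    base, _, query = path.partition("?")
    # endswith() also matches WordPress installed in a subdirectory.
    return base.endswith("/wp-login.php") and "action=register" in query.split("&")

def registration_posts_by_ip(log_text):
    """Count registration form submissions per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_registration_post(m["method"], m["path"]):
            counts[m["ip"]] += 1
    return counts

def block_candidates(log_text, threshold=3):
    """IPs with at least `threshold` registration POSTs, busiest first."""
    counts = registration_posts_by_ip(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in block_candidates(SAMPLE_LOG):
        print(f"{ip}\t{n} registration POSTs")
```

Ordinary logins (POSTs to wp-login.php without action=register) and plain page views are not counted, so a legitimate user who signs up once stays below the threshold.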
If you want to add some “security by obscurity” to your registration page and cut down on low-level bot traffic, you can change the URL of your registration page away from the default that all WordPress sites use.
The registration page is actually part of the WordPress login page, so you can accomplish this with any plugin that lets you change the WordPress login URL.
A good option is the free WPS Hide Login plugin.
Once you install the plugin, go to Settings → WPS Hide Login to enter your new URL. You can also redirect the default URL to another page, like your 404 page:
How to change WordPress registration URL
For example, if you change your login URL to yoursite.com/sneakylogin, then the default registration page will no longer function. Your new registration page would be yoursite.com/sneakylogin/?action=register.
Another good alternative to stop WordPress registration spam is to use a custom WordPress registration form plugin.
These plugins let you bypass the normal WordPress registration process and also implement a number of useful anti-spam tactics like:
Many all-purpose WordPress form plugins also include the ability to create custom registration forms with anti-spam features. However, the downside here is that you’ll usually only get the registration features in the premium version. If you’re willing to pay, some good options are:
Let’s take a closer look at how to use two free solutions provided by the User Registration and Profile Builder plugins.
When you install the free User Registration plugin, it will give you an option to automatically create your custom registration page located at yoursite.com/registration (you can always change this URL).
You have a few other options for reducing spam during the registration process.
First, in the General Options tab of the plugin’s settings, you can use the User login option dropdown to require admin approval after a user registers:
Enabling admin approval in User Registration plugin
You can also go to the Integration tab to set up Google reCaptcha (you’ll need your API keys – you can follow the same steps from earlier in this post):
Enabling reCAPTCHA in User Registration plugin
To enable CAPTCHA on a specific registration form, you’d also need to edit that form and enable it there. When you edit a form, you can also add additional profile information fields if desired.
The free Profile Builder plugin follows the same basic approach.
To customize your registration form fields, you can go to Profile Builder → Form Fields. To add a CAPTCHA to your form, you can include a reCAPTCHA field, in which you’ll need to add your API keys:
Adding a CAPTCHA field in Profile Builder plugin
Then, to display your custom registration form, you can add the [wppb-register] shortcode anywhere on your site.
Profile Builder also includes a feature to require admin approval for new registrations, but it’s only available in the premium version.
Summary
If you need to allow public registration on your WordPress site, registration spam can be a frustrating issue. You can reduce or even completely eliminate registration spam by combining different tactics.
The simplest, most lightweight option is to add a NoCAPTCHA reCAPTCHA to the default WordPress registration form. Most human visitors won’t notice anything different, but Google will display the CAPTCHA tests to bots to prevent them from creating spam registrations.
If you want a complete overhaul, you can also use a dedicated WordPress registration plugin to create a custom registration form that includes its own anti-spam properties, as well as features like admin approval for new users.