How to prevent Registration Spam on your WordPress website

7 minutes reading

We often talk about how important it is to have a website, especially if you are an upcoming business that needs as much visibility as possible. Thanks to WordPress, today, you have one truly effortless way to create a brilliant website. Combined with HostArmada’s web hosting services, you are just a few steps away from success. Unfortunately, not everyone will be as thrilled about your success as we would, and many will try to hinder your progress in various malicious ways. One of the most frustrating is spam attacks, especially WordPress registration spam.

Image of a hacker

What is registration spam, and why is it harmful?

WordPress registration spam is a type of registration done by a robot(bot) with the sole purpose of harming your website in one way or another. The worst part is that if your WordPress website allows registrations, it’s highly vulnerable to such malicious third-party acts. WordPress’s popularity and open source system make it a lucrative target for all sorts of spam attacks. WordPress registration spam is easily spotted as it’s most often done by an automated system, which makes registration at regular intervals.

There are three main reasons why anyone would flood your website with spam accounts.

  1.  Vulnerabilities – Typically, the attackers will look for breaches in your defenses, and being able to register is a crack in your fortress. From then on, if you delay an essential plugin update, the attacker may get in and steal information about your business, products, or, even worse, your clients.
  2. Spread of Spam – The attacker may flood your forum, comments section, or email with junk mail, spam links, or scams.
  3. Flooding your website – By posting spam comments, you might miss legitimate such or even delete legitimate comments or content from real users.

Luckily there are several ways to cease all malicious registration on your website. Let’s look at the most common practices guaranteeing you wouldn’t get breached.

Disable your registration as a whole

WordPress has been done to be as simple as possible, so even beginners can feel right at home using it. Still, that means its default registration settings are not particularly safe when it comes to WordPress registration spam. It has zero protection from bots, and a simple script can make a new registration every 30 seconds or so.

The most straightforward way to stop them is to cut off any registrations if they are not mandatory. For example, if your website is informative, be it a media, a personal website or a brand website, public registrations are unnecessary. Even if you do need some additional roles for people working on the website, you can create their accounts manually.

To disable public registration, you need to enter the WP Dashboard. Once there, go to Settings > General and unselect the “Anyone can register” option in the “Membership” section.

Image of Disable User Registrations in WordPress Admin

If you want to create a new role for your teammates and contributors, once again, you need to be in the WP Dashboard of your website. Then, go to Users > Add new > Enter the fields, and don’t forget to assign a role. Ensure you don’t give too much access to people you don’t trust completely.

Make a custom user registration form

If blocking public registration is out of the question, there are still a vast number of solutions that will prevent any spam registration. One of them is to create a new, custom user registration form. This way, scripts that target the simple default WordPress registration form won’t be able to finish their predetermined action. Moreover, you will make your page look a bit more stylish, which is a good idea anyway. For this, you may use several plugins, but we suggest using the WP Forms one. Once you install the plugin, you need to add a new form, click on create Blank Form and use the drag-and-drop builder to create your new registration page.

Image of WP Forms Custom Registration Form

You can learn more about how to create a custom registration page here.

Add CAPTCHA to your registration

Of course, among the best ways to deal with registration spam is to get an anti-spam plugin. The basis behind this is the CAPTCHA system, which is designed to distinguish humans from bots. This is done by adding a small test ranging from a simple “I’m not a robot” box to more complex puzzles. There are various CAPTCHAs out there, but most people trust Google’s reCAPTCHA. Among other things, that’s the most user-friendly one, mainly because it remains invisible for trusted users while still appearing for those it deems suspicious.

To set up reCAPTCHA, you’ll need to get a free API key from Google. There you will need to choose which type of reCAPTCHA you will use. After that, you should initialize the system depending on your plugin.

Image of Google ReCaptcha

However, though there are minor differences in how it’s done, you need to enter your API key, adjust the version you will be using and configure to which forms the reCAPTCHA should be added. That’s the easiest and fastest way to get rid of spam not only in your registration form but all across your website. The only downside is that some users get frustrated they need to confirm they are not robots.

Turn email activation on

Adding additional steps to registration might be frustrating to some users, but ultimately it adds an extra layer to their safety. Moreover, getting a registration confirmation email is quite standard, so users should already be accustomed to this extra step. We recommend taking advantage of this option in combination with the captcha option. That is because if you have only email approval activated and your registration form is exposed without additional captcha protection, your website might be used as a spam source as well.

Unfortunately, WordPress doesn’t offer this out of the box, and you will need to add a plugin if you prefer to stay with the default registration form. If, however, you decide to build a new one, most builders offer this option as a basic component, so all you need to do is check one additional box or button. It’s quite effortless to add, and it can genuinely help a lot. Moreover, websites that ask for confirmation via email during registration are typically considered safer by customers.

Add admin approval

Spammers are not necessarily bots and scripts, but sometimes they are a whole office of people somewhere in the world, dedicated to sending links, infiltrating websites, and generally swaying audiences to their point of view. Now with the war in Ukraine, that’s a considerable risk regarding media websites. Therefore, if you suspect you might be under attack or genuinely expect fewer subscribers, it’s best to approve them yourself. Naturally, this won’t work if you expect thousands of subscribers daily. Moreover, you’d want to use this tactic in combination with CAPTCHA, as getting your application box full of bot applications will make your life a living hell.

Several plugins can help you add the admin approval option, but WP Approve Users are the most user-friendly. All you need to do is install, and activate it, and you will get the opportunity to decide which user stays and which is gone. To avoid complications, previous users will be automatically approved, and you will be asked to give access only to new ones.

Change registration URL

Sophisticated bots are tough to stop, and you will need CAPTCHA for them. However, the most common scripts are simple and not very complex. They have one task only, to get to and register. A simple registration URL change can easily dismiss these types of pesky bots.

This can be done by any plugin that allows you to change your login page’s URL, as registration is part of this page. There are many, and it’s pretty simple to set them up. Typically you need to go to the plugin’s settings and only add the new file path. Most of them allow you to redirect the default URL to a different page, for example, a 404 page or the home page.

Block spammers’ IPs

Even if you use all these tactics, some spammers will still breach your defenses, and you will have to deal with them. The best solution is to block their IP address. There are two ways to do this: using a plugin or doing it manually.

Naturally, using plugins is easier, but on the other hand, it adds one additional plugin to your website, making it heavier and slower. So in this instance, it seems like a better idea to do it manually through the cPanel. Of course, the whole pattern depends on your hosting, but if you are a client of HostArmada, you can check our detailed tutorial on how to block IP addresses in cPanel.

Actively battling spammers is the only way to get rid of them

WordPress registration spam is one of those vulnerabilities that cannot be patched at 100%. Creating a system that can automatically evaluate user registrations and correctly categorize each one as spam or legitimate is not something easy. That is why it is important as a WordPress website administrator for you to consider and build a procedure to handle spam registrations. We believe the best way to deal with spam registration is to combine all the tactics we shared today. Of course, all that will take its toll on the overall user experience, so it is up to you to evaluate what is more essential for you and your website.