WordPress forms offer a valuable chance for you to connect with your website visitors and potential customers. Those people may be signing up for a mailing list or creating an account on your eCommerce store. But what if they’re not people at all? Today, spambots are increasingly exploiting popular WordPress sites, creating fake accounts that put your company at risk. The good news is that there are ways to reduce WordPress registration spam so you can focus on legitimate subscribers. This guide will show you how.
WordPress registration spam occurs when unwanted users create fake accounts on your WordPress site. This is usually done via bots and can create problems for website owners, such as flooding your database with fake users and making your website vulnerable to cyberattacks.
Chances are you’ve already experienced this if your WordPress-powered website allows for public registration, such as joining your membership program or requesting more information about a service you offer like digital contact center solutions.
If your site doesn’t require user registration, the simplest solution is to disable this feature entirely. Just go to Settings > General and uncheck the box next to “Anyone can register”, and make sure you remove any user registration widgets from your site.
Spam accounts are annoying—period. But you have to be aware of spammers’ motivations for attacking your website if you’re to understand how to stop them. Here are some of the most common reasons spammers might target you:
Of course, you can’t always know the true reason for spambots targeting your website. But with the below steps, you can safeguard your site from malicious actors regardless of their motivation. Even if you are just setting up your website, it’s worth adding some of these to your launch checklist so you start with a solid and secure foundation.
Install Honeypot Plugins
Spambots typically fill out all fields of a form, including ones that genuine human users can’t access or even see. This is where you can essentially trick the bots into filling out fields targeted specifically at them.
This is known as the ‘Honeypot technique’, and there are several security plugins to help you implement it.
Two options are ‘Honeypot for Contact Form 7’ and ‘WP Armour’, which provide honeypot functionality. They’ll automatically add invisible honeypot fields to forms and automatically block spam registrations.
The honeypot technique isn’t perfect as attackers can train bots to bypass these plugins. So, while it’s worth trialing this tactic, keep in mind that it may not block every spam registration attempt.
Install Captcha or reCAPTCHA
Captcha and reCAPTCHA are popular tactics for preventing WordPress registration spam. You’ve probably seen these on registration forms before, asking users to select the traffic lights or buses out of a selection of images.
Bots struggle to answer these automated questions or solve problems created by Captcha, making this a simple way to block them from registering. With a plugin like CAPTCHA 4WP or Friendly Captcha, you can easily integrate an anti-bot tool into your WordPress forms, choosing the relevant type or criteria.
The downside? Some users find reCAPTCHA frustrating.
Let’s say you’ve been trying to convert leads to sign up for a free trial of your cloud phone systems. They’ve already taken a few steps – perhaps watching a demo and filling out a contact form. One or more Captcha puzzles or questions could deter your potential customer and lead them to exit the site without signing up at all.
Captcha can also negatively impact your site’s accessibility, particularly for people who are visually impaired. Make sure the process is simple enough for genuine users and provide different options for audio or visual forms to maintain accessibility.
Manually Approve Registrations
Automation is becoming increasingly useful for helping people be more productive. It’s why tools like virtual agents and customer service chatbots are so popular. But in this context, taking the manual approach has its benefits. Sometimes, the human eye is the best tool for differentiating between human and spam registrations.
Plugins use algorithms to automatically block bots, but they’re not foolproof. Manually approving registrations allows you to decide what’s legitimate and what’s spam.
To do this, go to Settings > General, and uncheck the “Anyone can register” option. From the “New User Approve” menu item in the admin sidebar, you can approve registrations one by one. Alternatively, you can use plugins like ‘New User Approve’.
Because it’s time consuming, this tactic works best for small websites. If you have a giant website with a lot of website traffic and registrations, the admin approval takes considerable time.
Manual approval also means a delay between registration and follow-up, whether that’s an email confirmation or link to account setup, which might put off your users.
Even if you decide not to manually approve every user registration, checking in on your user registration regularly is an important part of WordPress website maintenance. This can help you spot-check for any technical problems that your plugins aren’t picking up (or are causing).
Use a Custom Registration URL
Bots usually target default URLs – that is, the well-known URLs that WordPress automatically generates for your homepage and user registration page.
For WordPress, the default login URL is yourwebsite.com/wp-login.php, and the registration page is typically accessible through a link on this page or directly at yourwebsite.com/wp-register.php.
By creating a custom URL for the registration page, you prevent bots that are trained to hit the default URLs from finding the actual registration page. To change the default login and registration URLs in WordPress, you can use anti-spam plugins like ‘WPS Hide Login,’ ‘Theme My Login,’ or ‘Custom Login URL.’
Limit Registration Attempts
Bots often try to register multiple times in quick succession. That’s why they can so effectively spam your user registration inbox with fake accounts, making it difficult to separate them from genuine users and organize your business contacts.
Plugins like ‘Loginizer’ and ‘WP Limit Login Attempts’ restrict repeated login and registration attempts and reduce WordPress registration spam as a result.
Your genuine users, however, do make mistakes. Multiple typos in an email address can completely block a user from signing up, so be aware of this potential downside and implement workarounds where possible.
Add Custom Questions to Registration Forms
Your WordPress site can include custom questions for user sign-ups that root out bots.
By installing registration form plugins like ‘Custom Registration Form Builder’ or ‘Registration Magic’, you can add custom questions to your registration form, preventing spam bots from creating fake accounts. You might have human-targeted questions like “What is 5 + 3?” or site-specific questions.
An irrelevant or unclear question can also put off genuine users, so think carefully about what questions to pose and be aware of this as a potential deterrent for human sign-ups too.
Use an IP Blocking Plugin
Plugins like ‘IP Location Block’ and ‘Wordfence’ as well as third-party tools like Cloudflare detect and block IP addresses exhibiting suspicious behavior. This is another quick and easy way to reduce WordPress user registration spam, particularly if it’s coming from one or a small group of sources.
When spammers create spam bots to target WordPress sites, each bot operates from a device, or more commonly, a network of devices that each have an IP address.
Additionally, you can enhance your IP blocking strategy by incorporating cloud email security. These services use AI to help you identify and block spammy IP addresses based on their email sending behavior, giving you an extra layer of protection against malicious registration attempts.
IP blocking tools monitor suspicious behavior related to specific IP addresses, such as repeated failed login attempts or a high frequency of registration attempts in a short span. They then automatically block all access attempts from these addresses.
Maintain Updates
Finally, it’s essential to implement regular updates to solve common WordPress issues and keep your site secure. Relevant notifications usually appear on your WP dashboard, so take note of these.
Make sure you do core, theme, and plugin updates to ensure software patches are entirely secure and help prevent cyberattacks.
When you update anything on WordPress, check that new updates are compatible with existing plugins. Sometimes, updates can cause non-approved WordPress plugins to fail, which could make your website more vulnerable.
The most important thing is to remain vigilant. Regularly test your website’s security measures and check plugins for compatibility and effectiveness. If you use a remote access solution to manage your WordPress site, be especially vigilant and regularly check your dashboard directly.
While WordPress registration spam is common and frustrating, there are a wide range of WordPress plugins and third-party tools out there for effectively reducing fake accounts.
Many of these, like CAPTCHA 4WP, have multiple functionalities that cover more than one of the tactics in this guide.
IP blocking, limited registration attempts, and customized forms are all essential tactics for beating the bots and ensuring your user registration portal only accommodates real users, adding an extra layer of security to your WordPress website.
Even when a plugin is installed, remain vigilant and regularly check in on your website’s security measures to protect yourself and your business from potential cyberattacks.
