How to stop WordPress registration spam
In this article, we’ll investigate the different types of WordPress registration spam and how to prevent it. In addition to describing the methods, we’ll go over the advantages and disadvantages of each. Furthermore, we’ll look into how to set up a WordPress spam prevention system from start to finish.
Quite often we need open user registration on our sites. Unfortunately, this opens our sites to WordPress registration spam. Spam is, at the very least, annoying. It causes a flood of unwanted user registrations, and this generates a lot of noise.
In extreme cases, spam can be very expensive. It can cause server slowdowns and missed orders from real customers. Additionally, it can cost a lot of time and effort to fix your database and remove invalid entries. But probably the biggest cost is in terms of credibility. If users see spam content or spam users, this may reflect badly on your brand.
There are many options in terms of spam prevention. But it may be hard to decide which one is the best option for you. Therefore, in this guide, we’ll go through the different WordPress registration spam prevention methods. More important than the advantages, we go over the shortcomings of each method. This allows you to make a better-informed decision for your site.
Let’s get started!
Types of registration spam
In order to choose the most appropriate method for spam protection, we first need to understand how registration spam can be generated. Some of the methods listed in this article work better for only one type of registration spam. There are two main types of registration spam:
- robot generated spam
- human generated spam
Robot generated spam
This is probably the most common type of registration spam. This type of spam is caused by custom-made scripts that can submit thousands of registration requests in a very short time. If your server doesn’t have some kind of built-in protection to detect and block these types of requests, your WordPress installation could end up with thousands of spam accounts in no time. Not to mention that this could also make your site slower or even take your site down.
Human generated spam
With this type of registration spam, humans manually create one or multiple accounts that are not genuine. While it is really hard for a human to generate hundreds or thousands of accounts, they could still create tens of them and mess with your data. For example, if you have a site where people can review products, one person might create tens of accounts to submit fake reviews. Human generated spam is a bit harder to prevent, but not impossible.
Google’s invisible CAPTCHA
CAPTCHA means Completely Automated Public Turing Test to Tell Computers and Humans Apart. That’s a funny acronym for tools that help you automatically stop spam robots. At first, these tests were based on reading distorted characters. Quite often you’d see on sites a test like this one:
But robots evolved. Nowadays it’s quite common to find spam robots that can crack these tests even faster than humans can. After this, Google took over and created different methods for CAPTCHA tests. The next version was the one that asks you to confirm that you are not a robot:
However, this still required the visitor to interact with the reCAPTCHA form.
The latest version of Google reCAPTCHA is hidden from the user and is called Invisible reCAPTCHA. There are no characters to fill in anymore, and the test is most likely based on multiple factors: loading times, typing speed, typing errors and many other signals play a role. Only when Invisible reCAPTCHA cannot confirm that the visitor is a human does it show a dialog with an image challenge. In most cases, though, your visitors will not know that it is there.
Advantages
- Very effective at preventing robot generated registration spam, especially if we take into account the results for the cost
- In most cases the test is seamless to users
- Easy to implement
- When implemented properly, no records are created in the database unless the challenge is passed
- It has nice fallbacks in case the results of the automated test aren’t conclusive
Disadvantages
- It relies on an external service. Although it has incredibly high accuracy and uptime, this can change at any time. If Google removes this service, for example, you may end up with no solution for spam prevention
How to implement Google’s invisible Captcha
Preventing WordPress registration spam with Google’s invisible CAPTCHA is quite an easy process. Once you know how it works internally, you can imagine how simple the implementation is. For this tutorial, we simply install the Invisible reCaptcha for WordPress plugin.
Then activate it and add your Google API settings. These are added under Settings > Invisible reCaptcha > Site / Secret key:
In case you don’t have these keys, you can get them from your Google reCAPTCHA panel.
That’s it! Now you just need to enable Google’s invisible reCaptcha for your registration and login forms. This is done in the plugin settings as well. You can include protection for WooCommerce, Gravity Forms, Contact Form 7 and other plugins as well.
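The part of this setup that actually stops spam is the server-side check: the token the widget produces has to be sent to Google and the verdict enforced before WordPress writes the user row. The plugin does this for you, but to see what "implemented properly" means, here is an added example (not code from the article or from the Invisible reCaptcha plugin) that does the same thing on the core registration form using only WordPress hooks. It assumes the widget is already rendered on the form and posts its token in the standard `g-recaptcha-response` field, and that the secret key lives in a hypothetical `MY_RECAPTCHA_SECRET_KEY` constant in wp-config.php.

```php
<?php
// Added example, not code from the article or the Invisible reCaptcha plugin.
// The check runs in the 'registration_errors' filter, which core applies
// before wp_insert_user(): adding an error there aborts the registration, so
// no database record exists for a failed challenge.
// Assumes: MY_RECAPTCHA_SECRET_KEY (hypothetical) is defined in wp-config.php
// and the client-side widget posts its token as 'g-recaptcha-response'.

function my_recaptcha_verify_token( string $token, string $remote_ip ): bool {
    // Tokens are a few hundred characters; anything huge or empty is not worth a round trip.
    if ( '' === $token || strlen( $token ) > 4096 ) {
        return false;
    }

    $response = wp_remote_post(
        'https://www.google.com/recaptcha/api/siteverify',
        array(
            'timeout' => 5,
            'body'    => array(
                'secret'   => MY_RECAPTCHA_SECRET_KEY,
                'response' => $token,
                'remoteip' => $remote_ip,
            ),
        )
    );

    // Fail closed: if the verifier cannot be reached, the challenge counts as failed.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );

    // Require success AND that the token was minted for this site's hostname,
    // so a token obtained on some other domain cannot be replayed here.
    return is_array( $data )
        && ! empty( $data['success'] )
        && isset( $data['hostname'] )
        && $data['hostname'] === parse_url( home_url(), PHP_URL_HOST );
}

add_filter( 'registration_errors', function ( WP_Error $errors ) {
    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';

    if ( ! my_recaptcha_verify_token( $token, $ip ) ) {
        // A generic message: the sender does not need to know why it failed.
        $errors->add( 'recaptcha_failed', __( '<strong>Error</strong>: The spam check did not pass. Please try again.' ) );
    }
    return $errors;
} );
```

The "fail closed" choice in the middle of the function is where the external-service disadvantage shows up in practice: if the verification endpoint is unreachable, nobody can register until it is back. Flipping that branch to return true would keep registrations working during an outage at the price of letting bots through for the duration, so it is a decision to make consciously rather than by accident.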
Email verification
The email verification method can be used on any WordPress site. It consists of sending users a confirmation email with a link they must click to activate their account. Usually, these links contain a unique code, so users can’t force their own account verification; they need to wait for the link.
This method works mostly against robot generated registration spam. It can also help with human generated spam: it won’t prevent it, but it makes it harder for people to create multiple manual registrations, since they will need to create a new email account for each registration.
Advantages
- By sending an email to the user, it verifies that the email address exists, and in most cases that indicates a genuine account creation
- It can rule out spelling mistakes in the email address, which could later lead to lost communication
Disadvantages
- Emails can get lost. They can end up in the spam folder of your users, or even get trashed. Hence, it may not only fail as spam prevention but block real users as well.
- Email verification still requires records to be created in the database. This means that your database can still fill up with lots of spam records. Additionally, this may require some manual work to clean up the unconfirmed records later.
- Though not easy, it is possible to create an automated script that generates email accounts and reads the incoming emails. In this case this method will not work.
How to implement email verification in WordPress
There are various plugins that support email verification upon registration. Some of them are dedicated form plugins that provide this feature to complement their forms. So, if you are using a custom registration form plugin, there’s a chance that your plugin already provides this feature.
Other plugins are specifically designed for email verification. The User Verification plugin can be used to implement email verification. It also has some other useful spam prevention features, such as enabling reCAPTCHA on the login and registration forms.
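To make the mechanism concrete, here is an added example of email verification built on the core registration form with WordPress hooks only; it is not code from the article or from the User Verification plugin. Beyond the basic flow, it shows the details that matter from a security standpoint: only a hash of the activation code is stored (so a leaked database does not hand out working links), links expire, and the comparison is constant-time. The meta keys and the `my_activate` query argument are hypothetical names chosen for this example.

```php
<?php
// Added example, not the article's or the User Verification plugin's code.
//  - 'user_register' fires after wp_insert_user(), so the account row already
//    exists (this is the "records are still created" disadvantage above)
//  - a random token is mailed to the user; only its SHA-256 hash is stored
//  - 'wp_authenticate_user' refuses password logins until the link is used
//  - links expire after 48 hours and are compared with hash_equals()
// Hypothetical names: meta keys 'my_activation_hash' / 'my_activation_time',
// query argument 'my_activate'.

define( 'MY_ACTIVATION_TTL', 48 * HOUR_IN_SECONDS );

function my_activation_link( int $user_id, string $token ): string {
    return add_query_arg( array( 'my_activate' => $user_id, 'key' => $token ), home_url( '/' ) );
}

// 1. Issue the token as soon as the account row exists.
add_action( 'user_register', function ( int $user_id ) {
    $token = wp_generate_password( 32, false ); // 32 alphanumeric chars from WordPress' CSPRNG
    update_user_meta( $user_id, 'my_activation_hash', hash( 'sha256', $token ) );
    update_user_meta( $user_id, 'my_activation_time', time() );

    $user = get_userdata( $user_id );
    wp_mail(
        $user->user_email,
        sprintf( '[%s] Activate your account', wp_specialchars_decode( get_option( 'blogname' ) ) ),
        "Click the link below to activate your account:\n\n"
            . my_activation_link( $user_id, $token )
            . "\n\nThe link expires in 48 hours."
    );
} );

// 2. Refuse password logins while an activation hash is still present.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( $user instanceof WP_User && get_user_meta( $user->ID, 'my_activation_hash', true ) ) {
        return new WP_Error( 'not_activated', __( '<strong>Error</strong>: Please activate your account using the link we emailed you.' ) );
    }
    return $user;
} );

// 3. Validate a link. Returns true and clears the pending state on success.
function my_activate_user( int $user_id, string $token ): bool {
    $stored = (string) get_user_meta( $user_id, 'my_activation_hash', true );
    $issued = (int) get_user_meta( $user_id, 'my_activation_time', true );

    if ( '' === $stored || '' === $token ) {
        return false; // already activated, or no token supplied
    }
    if ( time() - $issued > MY_ACTIVATION_TTL ) {
        return false; // expired: the user must request a fresh link
    }
    if ( ! hash_equals( $stored, hash( 'sha256', $token ) ) ) {
        return false; // constant-time compare against the stored hash
    }

    delete_user_meta( $user_id, 'my_activation_hash' );
    delete_user_meta( $user_id, 'my_activation_time' );
    return true;
}

add_action( 'init', function () {
    if ( ! isset( $_GET['my_activate'], $_GET['key'] ) ) {
        return;
    }
    $ok = my_activate_user( (int) $_GET['my_activate'], (string) wp_unslash( $_GET['key'] ) );
    wp_safe_redirect( $ok ? wp_login_url() : home_url( '/' ) );
    exit;
} );
```

Because the row is created before the email goes out, this example also shows where the cleanup burden comes from: accounts that still carry `my_activation_hash` after the 48-hour window are exactly the unconfirmed records that will need purging later.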
Admin approval
This method consists of having an admin manually approve accounts. It could work for smaller sites, but for big sites, the number of validations needed may be too high. To make this method more effective, you might consider adding additional fields to the registration form. You can ask questions that are both useful for you to know and that give you a hint about whether this is a genuine user. For example, you can use questions like “How did you hear about us?” or anything related to your products and services.
It’s a good idea to combine this method with one of the other methods that prevent robot generated spam. For example, you could use Google reCAPTCHA to stop most of the automated spam first. This way, the administrator will have to go through far fewer spam registrations, and those will most likely be human generated spam.
Advantages
- People can often be more effective at detecting spam than pure code
Disadvantages
- Requires lots of manual work
- Database records will still be generated, which could flood your database
- Users won’t be able to access your services until someone approves their account
- If users are required to fill in additional information, this could make some of them leave your site
How to implement admin confirmation
There are some dedicated plugins that can help you implement admin approval functionality for registrations. Some of them are:
Honeypot fields
The honeypot method is quite an ingenious one. Usually, spam bots fill in every field they see in a form, since they assume any of them might be required.
So, this method consists of adding fields that real users should never fill in. They are in fact invisible. Thus, if anyone fills in such a field, it means they are not looking at the rendered page but at the source code, as a text-based browser or a script would. Since robots often fill in these fields, this gives us the hint that the submitter is not a real human.
Advantages
- Seamless to most users
Disadvantages
- Some bots actually work in visual mode, so they will simply ignore these honeypots.
- It may block screen reader users. Screen readers may include auto-fill options for forms as well, and their users usually have vision impairments. They won’t even know what is going on, and they’ll probably get frustrated at being blocked from a site. For these users you would need to set a label on the honeypot fields explaining that they should not fill the field in.
Implementing Honeypot in your registration forms
Most plugins that provide custom registration forms support honeypot and/or CAPTCHA protection. For example, the Clean Login plugin has honeypot enabled by default.
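Here is what a honeypot looks like when added by hand to the core registration form, as an added example that is not code from the article or from the Clean Login plugin. It addresses the screen reader caveat above directly: the field is moved off-screen rather than `display:none` (some bots skip fields they can see are hidden), it is taken out of the tab order and the accessibility tree, and it still carries a label saying it must stay empty for any assistive tool that reaches it anyway. The field name `my_website_hp` is a hypothetical choice.

```php
<?php
// Added example, not code from the article or the Clean Login plugin.
// Renders a hidden "trap" field on the core registration form and rejects
// any submission where it is non-empty. Hypothetical field name: my_website_hp.

const MY_HONEYPOT_FIELD = 'my_website_hp';

// 1. Render the trap. Off-screen via CSS (not display:none), unreachable by
//    keyboard (tabindex=-1), hidden from screen readers (aria-hidden), and
//    labelled anyway so anything that still lands on it is told what to do.
add_action( 'register_form', function () {
    $name = esc_attr( MY_HONEYPOT_FIELD );
    ?>
    <div style="position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden" aria-hidden="true">
        <label for="<?php echo $name; ?>">Leave this field empty</label>
        <input type="text" name="<?php echo $name; ?>" id="<?php echo $name; ?>" value="" tabindex="-1" autocomplete="off">
    </div>
    <?php
} );

// 2. Decide whether a submission tripped the trap.
//    A missing field is NOT treated as spam: other plugins also call
//    register_new_user() with their own forms, which never rendered our field.
//    The trade-off is that a bot which strips the field gets through this
//    check, which is why honeypots are combined with another method.
function my_honeypot_is_triggered( array $post ): bool {
    if ( ! array_key_exists( MY_HONEYPOT_FIELD, $post ) ) {
        return false;
    }
    return '' !== trim( (string) $post[ MY_HONEYPOT_FIELD ] );
}

// 3. Reject before wp_insert_user(), so no row is written for a bot.
add_filter( 'registration_errors', function ( WP_Error $errors ) {
    if ( my_honeypot_is_triggered( $_POST ) ) {
        // Deliberately generic: do not reveal which field gave the bot away.
        $errors->add( 'spam_detected', __( '<strong>Error</strong>: Registration could not be completed.' ) );
    }
    return $errors;
} );
```

The generic error message is intentional. A message such as "please leave the website field empty" tells whoever runs the bot exactly which field to skip next time, so the response should be indistinguishable from any other validation failure.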
Multi-factor registration
This method requires two devices to create a registration. For example, in addition to email, you may use an app or SMS for user validation. In order for the form to be submitted successfully, your users will also have to fill in a one-time password (OTP) that is sent to their device. A well implemented SMS verification can be a very effective way of preventing registration spam, especially if uniqueness of the phone number is enforced. In other words, if one phone number can be assigned to only one user, there can be at most one spam registration linked to each phone number.
Advantages
- This could rule out the majority of bots, as reading SMS introduces another level of complexity for them
- If implemented well, in most cases it will not generate database records until verification has passed
Disadvantages
- This method introduces complexity for both robots and genuine users. Additionally, many people don’t feel comfortable sharing their phone number.
Implementing multi-factor registration
The Orion SMS OTP Verification plugin can help you easily implement two-factor registration in WordPress. With this plugin the registration form will only be submitted when the phone verification has passed. It also works well with some of the most popular registration form plugins, such as Ultimate Member.
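The server side of an SMS OTP step is where the "implemented well" condition from the advantages list is decided, so here is an added example of that logic for the core registration form; it is not code from the article or from the Orion SMS OTP Verification plugin. It generates the code from the CSPRNG, stores only a keyed hash of it, expires it, caps the number of guesses (a six-digit code is useless if a bot may try all million), makes it single use, and enforces phone uniqueness before any SMS is sent. The SMS gateway is passed in as a callable because every provider's API differs; the field names `my_phone` and `my_otp`, the meta key and the transient prefix are hypothetical names for this example, and the front-end "send me a code" request that calls `my_otp_issue()` is assumed to exist.

```php
<?php
// Added example, not code from the article or the Orion SMS OTP Verification plugin.
// Hypothetical names: POST fields 'my_phone' / 'my_otp', meta key 'my_phone',
// transient prefix 'my_otp_'. The front-end action that calls my_otp_issue()
// is assumed; $send_sms is whatever gateway call the site uses.

define( 'MY_OTP_TTL', 5 * MINUTE_IN_SECONDS );
define( 'MY_OTP_MAX_ATTEMPTS', 5 );

function my_otp_normalize_phone( string $phone ): string {
    return preg_replace( '/[^0-9+]/', '', $phone ); // keep digits and a leading +
}

// Uniqueness: a number already bound to an account cannot register again.
function my_otp_phone_in_use( string $phone ): bool {
    $ids = get_users( array( 'meta_key' => 'my_phone', 'meta_value' => $phone, 'fields' => 'ID' ) );
    return ! empty( $ids );
}

function my_otp_transient_key( string $phone ): string {
    return 'my_otp_' . md5( $phone ); // md5 only shortens the key; the phone is not a secret
}

// Step 1: issue a code. Nothing touches the users table here.
function my_otp_issue( string $phone, callable $send_sms ): bool {
    $phone = my_otp_normalize_phone( $phone );
    if ( '' === $phone || my_otp_phone_in_use( $phone ) ) {
        return false;
    }
    $code  = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    $state = array(
        'hash'     => hash_hmac( 'sha256', $code, wp_salt( 'auth' ) ), // keyed: DB access alone does not reveal the code
        'attempts' => 0,
        'expires'  => time() + MY_OTP_TTL,
    );
    set_transient( my_otp_transient_key( $phone ), $state, MY_OTP_TTL );
    return (bool) $send_sms( $phone, $code );
}

// Step 2: check a code. Single use; burned after MY_OTP_MAX_ATTEMPTS guesses.
function my_otp_verify( string $phone, string $code ): bool {
    $phone = my_otp_normalize_phone( $phone );
    $key   = my_otp_transient_key( $phone );
    $state = get_transient( $key );

    if ( ! is_array( $state ) || time() > $state['expires'] ) {
        delete_transient( $key );
        return false; // nothing issued, or expired
    }

    $state['attempts']++;
    $good = hash_equals( $state['hash'], hash_hmac( 'sha256', trim( $code ), wp_salt( 'auth' ) ) );

    if ( $good || $state['attempts'] >= MY_OTP_MAX_ATTEMPTS ) {
        delete_transient( $key ); // consumed, or too many guesses
    } else {
        set_transient( $key, $state, max( 1, $state['expires'] - time() ) ); // keep the original expiry
    }
    return $good;
}

// Step 3: gate the registration on a verified code, before wp_insert_user().
add_filter( 'registration_errors', function ( WP_Error $errors ) {
    $phone = isset( $_POST['my_phone'] ) ? (string) wp_unslash( $_POST['my_phone'] ) : '';
    $code  = isset( $_POST['my_otp'] ) ? (string) wp_unslash( $_POST['my_otp'] ) : '';
    if ( ! my_otp_verify( $phone, $code ) ) {
        $errors->add( 'otp_failed', __( '<strong>Error</strong>: The SMS code is missing, wrong or expired.' ) );
    }
    return $errors;
} );

// Step 4: bind the verified number to the new account so uniqueness holds next time.
add_action( 'user_register', function ( int $user_id ) {
    if ( isset( $_POST['my_phone'] ) ) {
        update_user_meta( $user_id, 'my_phone', my_otp_normalize_phone( (string) wp_unslash( $_POST['my_phone'] ) ) );
    }
} );
```

One consequence of the single-use rule: if the code verifies but registration then fails for an unrelated reason (username taken, weak password), the user has to request a fresh code. That is the safer side of the trade-off, since a code that survives a failed submission could be replayed.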
How to clean up spam registrations
If your spam prevention method fails, you need to remove the spam users. We have a guide on how to bulk delete users, in case you want to learn more about this. But let’s see some tips on how to do that.
The first element we usually check is user activity. Every website has its own definition of user activity. For e-commerce sites that would be a lack of orders. For other sites that could be content creation, such as posts or comments. Users Insights includes many features and support for some of the most popular third-party plugins to help you find inactive users, depending on your setup.
Once you apply the filters, you need to carefully inspect the results to make sure that there are no genuine accounts in the resulting list. When you believe that you have segmented the user list down to only the spam registrations, you can go ahead and delete these users. To do that, first create a backup of your site, as the deletion process cannot be reverted. After this you can either manually delete the accounts or bulk delete them as explained in our WordPress Bulk Delete Users article.
The simplest example would be filtering the users by content created.
In addition, you may want to filter users based on their registration date. This is useful if you noticed a spike in bot visits on a particular day. Filtering users based on that date will give you the likely spam users. Remember: always check each of the results, to make sure that you are only deleting spam registrations.
There are other elements that can tell humans and robots apart. For instance, you may want to filter users based on custom field values. If your audience is usually developers and designers, for example, you can filter users based on their job title. Often bots will fill in all your form fields, but the content may be just placeholder text:
In our example, we can see two values that are unrelated to the actual custom field. We can then investigate these accounts further and check whether they are spammers.
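The same three filters (no content created, registration date window, suspicious custom field values) can be expressed as direct queries against the WordPress tables when you don’t have a plugin for it. Here is an added example of that, which is not code from the article or from the Users Insights plugin. Both functions are read-only on purpose: they produce a review list, and deleting anything from it stays a manual, backed-up step as described above. Dates are compared against `user_registered`, which WordPress stores in GMT as `Y-m-d H:i:s`; the function names and the default pattern are choices made for this example.

```php
<?php
// Added example, not code from the article or the Users Insights plugin.
// Read-only review queries for spam cleanup; nothing here deletes a user.

// Users registered inside [$from_gmt, $to_gmt] who never created a post of
// any type or a comment. Both subqueries are NOT EXISTS so users with zero
// rows in either table are returned without GROUP BY/HAVING tricks.
function my_inactive_users_between( string $from_gmt, string $to_gmt ): array {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered
           FROM {$wpdb->users} u
          WHERE u.user_registered BETWEEN %s AND %s
            AND NOT EXISTS (SELECT 1 FROM {$wpdb->posts}    p WHERE p.post_author = u.ID)
            AND NOT EXISTS (SELECT 1 FROM {$wpdb->comments} c WHERE c.user_id     = u.ID)
          ORDER BY u.user_registered ASC",
        $from_gmt,
        $to_gmt
    );
    return (array) $wpdb->get_results( $sql );
}

// Users whose value for a registration custom field looks like injected
// content, e.g. a link where a job title belongs. $pattern is a MySQL REGEXP;
// the default matches http(s) URLs. Pass the meta key your form plugin uses.
function my_users_with_suspicious_meta( string $meta_key, string $pattern = 'https?://' ): array {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
           FROM {$wpdb->users} u
           JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
          WHERE m.meta_key = %s
            AND m.meta_value REGEXP %s
          ORDER BY u.user_registered ASC",
        $meta_key,
        $pattern
    );
    return (array) $wpdb->get_results( $sql );
}

// Review run, e.g. via WP-CLI `wp eval-file review.php`. Constructed sample
// window: one day in which a registration spike was noticed.
foreach ( my_inactive_users_between( '2024-03-01 00:00:00', '2024-03-02 00:00:00' ) as $u ) {
    printf( "%d\t%s\t%s\t%s\n", $u->ID, $u->user_login, $u->user_email, $u->user_registered );
}
```

Two things to check on every row before it goes into a bulk delete: the account's role (an administrator with no posts is not spam, and a query like this does not know that), and whether "no content" is the right activity signal for your site at all; on a shop, an order lookup belongs in the first query instead of the posts and comments subqueries.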
Conclusion
Today we looked into different methods for WordPress registration spam prevention. In addition to a deep dive into the different methods, we went through how to implement Google’s invisible CAPTCHA. Furthermore, we investigated how to clean up your site using Users Insights.
We hope you enjoyed and see you again next time!