How to Stop User Spam Registrations in WordPress

Offering a user registration feature on your website can be a great way to generate leads and encourage brand loyalty. On the other hand, it can also make your site vulnerable to spam registrations.

Fortunately, there are ways to reap the benefits of registrations without opening your site to bad‑faith users. By taking some simple precautions, you can block bots and hackers from creating accounts and accessing your WordPress dashboard.

In this post, we’ll discuss why user registration spam can damage your site. We’ll then share eight ways to stop these unwanted signups. 

What is user registration spam?

User registration spam occurs when unwanted users register for an account for purposes other than what you intended. They may do so to post malicious comments or even gain access to your dashboard.

While many know that spam is a huge problem for almost all websites, unwanted user registrations is a kind of spam that’s often overlooked.

If you allow people to create an account, WordPress’ default registration form is located at‑login.php?action=register. From there anyone can choose a username, enter an email address, and create an account.

default WordPress user registration form

As you can see, malicious third‑parties and bots can use this to create spam accounts. They can just append the same URL to any WordPress domain, enter a bit of information, and create an account — it’s that simple.

Why do spammers create fake registrations?

Once registered on your site, they can start spreading more spam. This may include posting comments that contain malicious links or self-promotion, which can instantly make your site appear less professional. Junk comments are notorious for damaging the visitor experience, and may even negatively impact your Search Engine Optimization (SEO). 

Depending on how you handle registrations, these spam accounts might even have elevated privileges. This can include everything from moderating your site’s comments, to creating new posts, or even accessing your dashboard.

If a spammer manages to reach the WordPress dashboard, the results could be disastrous. Spammers typically want to spread more spam, but in the worst case scenario they may use this elevated access to launch more sophisticated attacks. This might include deleting your content, stealing your data, or even installing dangerous software. 

How to stop spam registrations in WordPress

Hackers and bots are constantly coming up with new techniques for spam registration. For this reason, we recommend using multiple anti-spam strategies simultaneously. This can give you the best chance of catching spambots and malicious third parties. With that in mind, here are eight ways to stop user spam registrations in WordPress: 

1. Disable user registrations

User registrations can benefit your site in lots of different ways. Often, they can be the first step towards monetizing your content. Free registration can also be a great way to generate leads or build a mailing list. 

Yet not every website requires user registration. If you run a personal blog or business website, you may not necessarily need to offer this feature. 

Depending on your goal, there may be alternative, safer ways to achieve the same results. For example, if you’re planning to use registration as a lead generation tool, you could create a newsletter or a callback request form instead. Both of these techniques can generate leads without exposing your site to user spam registrations. 

It’s also possible to accept guest submissions without registration. If you want to feature guest posts on your site, you could use a plugin like User Submitted Posts.

Disabling user registration isn’t appropriate for every website. For membership sites, forums, and eCommerce sites, user registration is a must‑have, and the benefits far outweigh the negatives.

If you do decide to disable registration, navigate to Settings → General in your WordPress dashboard. Then find the Membership setting and deselect Anyone can register.

Anyone can register checkbox in WordPress

Now, no one can register on your WordPress website. This includes those pesky spambots! 

2. Change the WordPress registration URL

By default, all WordPress registration pages are located at /wp‑login.php?action=register. This makes it easy for automated scripts and bots to access your site’s signup form. From there, they can create hundreds or even thousands of spam accounts, and flood your site with unwanted content.

You can reduce this bot-based traffic by changing your registration page URL. Human attackers will still be able to access this form, but an obscure URL can make it virtually impossible for spam bots to attack your site. 

Behind the scenes, the user registration form is actually part of the WordPress login page. This means you can use any plugin that alters the login URL, like WPS Hide Login.

After installing and activating this plugin, navigate to Settings → WPS Hide Login. You can now enter your new URL. To really make life difficult for the bots, try to opt for an address that isn’t easy to guess.

changing WordPress login URL with a plugin

Depending on how your site is set up, you may need to update any links, menus, or other content that points to your old registration page URL.

3. Perform email verification 

Every time someone tries to register with your site, you can send an email to the address they provided. The user can then open this email and perform a verification task, like clicking on a link. In this way, email verification can prevent bot-based spam, and will even stop human spammers from registering using fake contact information. 

The drawback is that email verification does add another step to the registration process. To drive conversions, it’s smart to make registration as smooth as possible, and email verification adds friction.

The good news is that email verification is widely used by many websites. Most internet users are familiar with this technique, and will accept it as a necessary part of creating an account. 

By default, WordPress doesn’t support email verification. But you can add this functionality using the User Verification plugin.

After installing and activating this plugin, navigate to Users → User Verification. You can then set Enable email verification to Yes.

enabling email verification for WordPress registration

You can also configure some additional options, like choosing the page where users will be redirected following a successful verification.

This plugin also comes with built‑in templates that you can use for your verification emails. To take a closer look, click on the Email Templates tab.

email template options for user verification

You can now explore the various templates and make any desired changes. Once you’ve finished, scroll to the bottom of the screen and click on Save Changes

4. Require admin approval for new registrations

One of the best ways to stop spammers in their tracks is to review each registration. This is a manual process, so if your site receives a large number of signups this can quickly become a time‑consuming and frustrating task for your WordPress admin team. For this reason, manual approval is only appropriate for websites that receive a small number of registrations.

You may also want to opt for this method if you’re highly selective about who can register on your site. For example, if you’re running a private company portal for employees only, it may make sense to review each registration manually.

If you’ve weighed the pros and cons and decided that manual approval is the preferred way to handle user registrations, you can add this functionality using the New User Approve plugin.

The plugin works out of the box, so there are no settings for you to configure. As soon as you activate this plugin, it will add an admin approval notification to your registration form.

notice that registration needs to be confirmed

Whenever a user completes the registration form, you’ll receive a notification via email. You can then review the submission by navigating to Approve New Users → Pending New Users. 

5. Add a CAPTCHA field

A CAPTCHA is a puzzle or challenge that visitors must solve in order to register with your site. These can be an easy way to differentiate between genuine registrations and bots.

CAPTCHAs may be effective, but they’re not particularly popular with internet users. There’s even evidence to suggest that CAPTCHAs may reduce your conversion rates by up to 40 percent

If you do add a CAPTCHA to your registration page, you should ensure that the challenge is easy to solve. You may also want to review your registration process to make sure it’s as painless as possible — even with the addition of a CAPTCHA.

You should consider that users with visual impairments may find it more difficult to complete certain CAPTCHAs. In particular, we recommend avoiding picture‑based puzzles, and opting for text‑based challenges wherever possible.

If you’re using the Contact Form 7 plugin for your registration form, you can add a CAPTCHA using the Really Simple CAPTCHA plugin.

You can also add an easy, text‑based CAPTCHA to your login form using Simple Login Captcha. This may not prevent spammers from registering with your site, but it will prevent bots and automated scripts from accessing their new accounts. In this way, Simple Login Captcha can minimize the damage that spammers can inflict on your site.

6. Opt for Google’s reCAPTCHA

When it comes to weeding out the bots, CAPTCHA isn’t your only option. In 2014, Google released No CAPTCHA reCAPTCHA, which simply requires visitors to select an I’m not a robot checkbox.

This is much faster and easier compared to CAPTCHA’s picture-based challenges. It’s also accessible to a wider range of users, particularly people with visual impairments who might be accessing your site using a screen reader. 

It’s important to know that there are privacy concerns surrounding Google’s reCAPTCHA. In particular, some researchers have theorized that Google may be using cookies to determine whether you’re a human or a bot. 

You can add a reCAPTCHA checkbox to your site using a plugin like reCaptcha by BestWebSoft. This plugin has additional features that can make the reCAPTCHA authentication less intrusive, including hiding the reCAPTCHA field for whitelisted IP addresses.

After installing and activating this plugin, navigate to reCaptcha → Settings. In the General section, you can choose which version of reCaptcha you want to use:

reCAPTCHA settings in WordPress

Version 2 simply requires visitors to click on a checkbox. Google then determines whether they’re a bot using advanced risk analysis.

With Version 3, you can either use a checkbox or opt for invisible CAPTCHA. The latter distinguishes between legitimate users and bots by running a script in the background. Since the visitor doesn’t need to manually select a checkbox, this enables you to guard against spammers without affecting the visitor experience.

The final option is “Invisible”. As the name suggests, this setting evaluates the visitor by running an unobtrusive script. Once again, this promises to minimize spam signups without adding friction to the registration experience. After making your selection, you’ll need to generate a site key and secret key, and follow the instructions from Google to configure your reCAPTCHA.

7. Use a geolocation plugin

Some websites have a strong connection to a particular location. This includes online stores that only ship to specific countries and websites that specialize in local news. In this scenario, it’s unlikely that someone outside of these areas will need to register. 

If this is the case, you may want to detect each visitor’s whereabouts using a geolocation plugin. You can then grant or deny access to your WordPress registration form based on their current location. 

This can minimize user spam registrations on your WordPress website. At the same time, it may also prevent some legitimate users from registering with your site. There are always going to be special cases where someone may want to create an account from an unexpected location. For example, someone may try to register with your European-based online store while on holiday in America. 

Before enabling geolocation, it’s smart to examine your traffic using a tool like Google Analytics. By evaluating where your visitors originate from, you can identify areas that you may be able to blocklist without losing out on conversions.

demographics in Google Analytics

You can restrict access to your registration page using the IP2Location Redirection plugin. Unlike some other geolocation plugins, IP2Location enables you to redirect the visitors to an alternative web page depending on their location.

This can improve the experience for any legitimate visitors who may attempt to register from a blocklisted country. After activating this plugin, select Redirection in the left‑hand menu. It will then ask you to complete a registration process in order to generate a download key. After inputting this key into the WordPress dashboard, navigate to Redirection → Rules.

setting up redirections based on location

In the From field, you can either block access to your registration page or your entire website. Then you can specify all of the locations that you want to block.

Protect your registration forms from fake users

Many websites use registrations to monetize their content, generate leads, and build relationships with their visitors. But it isn’t all positive! WordPress user spam registrations can flood your database with junk and even put your site at risk.

While you could simply disable user registrations, this isn’t appropriate for all websites. Fortunately, there are plenty of plugins you can use to offer this functionality safely. This includes performing email verification via the User Verification plugin and adding your choice of visible or invisible reCAPTCHA using reCaptcha by BestWebSoft.