Improve WordPress registration

  1. exilefromgroggs
    Member

    I am getting what I assume are spam registrations. I don't want them. There are lots of techniques which prevent spam from being posted, but the WordPress front end has no means for preventing spam users from registering. This makes them subscribers - albeit with limited ability to do anything (even comments are moderated!) - but I just don't want them. Why not add things to the WordPress registration window - or at least provide the option for it to be added - so that spambots can't register?

    Posted: 7 years ago #
  2. There are plugins to do this, but yes, some core support (whatever it may be) would be nice...

    Posted: 7 years ago #
  3. coders4hire
    Member

    A challenge question would work here, too:
    http://www.douglaskarr.com/2006/09/22/wordpress-contact-form-with-spam-protection/

    Posted: 7 years ago #
  4. exilefromgroggs
    Member

    Just to be clear, it's not spam prevention in comments I'm worried about - by moderating all comments, I can get around this, even without the existing plugins. What I'd like is the mechanisms that are used to spam-protect comments to be available in the WordPress login window, so that spambots (as I assume they are) don't register themselves.

    We are a ways ahead of the previous CMS I was using already, since I can delete a whole batch of users at one go. But it would be nice to ensure that only humans registered on the account.

    Posted: 7 years ago #
  5. exilefromgroggs
    Member

    Okay. I've come up with a fix, I hope. The aim is to stop people searching for "wp-register.php" in domains, and using the known default behaviour to register accounts automatically. In wp-register.php:

    Find:
    $user_email = $_POST['user_email'];
    and add:
    $user_verify = $_POST['user_verify'];
    as the next line.

    Find:
    $errors['user_login'] = __('<strong>ERROR</strong>: This username is invalid. Please enter a valid username.');
    $user_login = '';
    }

    and add:
    if ($user_verify == '')
    {
    $errors['user_verify'] = __('<strong>ERROR</strong>: You can only register if you are real!');
    $user_verify = '';
    }

    Find:
    <label for="user_email"><?php _e('E-mail:') ?></label> <input type="text" name="user_email" id="user_email" size="25" maxlength="100" value="<?php echo wp_specialchars($user_email); ?>" />

    and add:
    <label for="user_verify"><?php _e('Are you real?') ?></label> <input type="text" name="user_verify" id="user_verify" size="10" maxlength="15" value="" />

    Unless the person registering puts anything non-blank in the "verify" window, the registration won't work, I think - and a spambot would not know to look for this yet. However, by putting particular words in for verification - change the question on each website, or whatever - this fix could be made non-generic.

    Please let me/someone who can do something about it know if this is useful.

    Posted: 7 years ago #
  6. webprofessor
    Member

    I had the same problem lately too. I made a plugin to blacklist user registration based on the domains their email is from. So in my case I banned registration from "web.de" and "mail.ru" since the bots were using those to register with.

    Hope it helps.

    Post here:
    http://web-professor.net/wp/2007/01/14/new-wordpress-plugin-ban-email-domains-from-user-registration/

    Download here:
    http://web-professor.net/shared/wp-plugins/registration_blacklist.zip

    Posted: 7 years ago #
  7. michaelper22
    Member

    Blacklisting works only as long as the bots spamming you are on the list. What we need is a real system, possibly CAPTCHA, or other randomized questions. The plugin that gives commenters math questions is a particularly good method IMO.

    Posted: 7 years ago #
  8. exilefromgroggs
    Member

    michaelper22 is right - the CMS I used before had a blacklist system, but this is fundamentally reactive - you have to have been visited by a bot before you know that you need to blacklist it. The domains changed too quickly for me ever to get spambot registration under control.

    My system is working at the moment (see above). I had about 10 spam registrations in two days before I put it in place: I've had none since. Of course, if this system were widely used, then it would be worth the while of the bot-writers to code for it, so it has a limited shelf life as it stands, but (for a change!) I find myself one step ahead of the bots.

    There are ways around rewritten bots. At the moment, anything non-blank will convince the registration form that a registration is real - something more specific could be put in there (err, like a sum, I guess?! but that might have overtaxed my limited PHP ability...). Or the name of the additional input could be changed, though this name is readable in the source by a more intelligent bot, I guess.

    The verification is hidden server-side in the PHP (check page source before and after failed registration), so the best solution is probably to make the verification customisable.

    Another option would be to change the name of the registration PHP file, so it wouldn't be where a bot is programmed to look for it.

    However, at least until the widespread copying of my "hack", I can rest in the knowledge that I'm all right, Jack!

    Posted: 7 years ago #
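
An added example, not part of any post in this thread or of WordPress itself: one way to make the `user_verify` check discussed above require a specific answer (a sum) instead of any non-blank value, with the expected answer held server-side and usable once. The function names and the `rv_expected` key are hypothetical, and `$store` stands in for `$_SESSION`.

```php
<?php
// Added example; rv_new_challenge, rv_check_answer and 'rv_expected' are
// hypothetical names, not part of WordPress. $store stands in for $_SESSION.

// Create a fresh sum question. The expected answer stays in the server-side
// store, so it never appears in the page source.
function rv_new_challenge(array &$store): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $store['rv_expected'] = (string) ($a + $b);
    return sprintf('What is %d + %d?', $a, $b);
}

// Check the submitted user_verify value. Returns an error message, or null
// when the answer is correct. Each challenge can be used once.
function rv_check_answer(array &$store, $submitted): ?string
{
    $expected = $store['rv_expected'] ?? null;
    unset($store['rv_expected']); // a replayed POST finds no challenge

    // $_POST values may be arrays (user_verify[]=x), so check the type first.
    if (!is_string($expected) || !is_string($submitted)) {
        return 'ERROR: Please answer the verification question.';
    }
    $answer = trim($submitted);
    if (preg_match('/^[0-9]{1,2}$/', $answer) !== 1) {
        return 'ERROR: Please answer the verification question.';
    }
    return hash_equals($expected, $answer) ? null : 'ERROR: That answer is wrong.';
}

// Constructed inputs showing which submissions pass.
$store = [];
$cases = ['blank' => '', 'non-blank text' => 'yes', 'array input' => ['x']];
foreach ($cases as $label => $input) {
    rv_new_challenge($store);
    printf("%-15s => %s\n", $label, rv_check_answer($store, $input) ?? 'accepted');
}
rv_new_challenge($store);
$right = $store['rv_expected'];
printf("%-15s => %s\n", 'correct sum', rv_check_answer($store, $right) ?? 'accepted');
printf("%-15s => %s\n", 'replayed POST', rv_check_answer($store, $right) ?? 'accepted');
```
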
  9. webprofessor
    Member

    Blacklist has proven very effective in cutting down on fake user registrations for me. Usually registrations come from domains like "hotmail.com" or some other free email provider. Once you block users using free email providers your fake user registrations will decrease.

    Posted: 7 years ago #
  10. exilefromgroggs
    Member

    Okay, I'm glad that it's effective, I notice you have satisfied customers as well, and as I have said, using a plugin makes it substantially more usable than my solution. But a significant number of the users of the site that I am working on use gmail and hotmail, and only about 10% of the bots I have kicked off having registered have been gmail or hotmail. I suppose I could constrain them to refer to their "master" email account, but my aim is to make it as easy for legitimate users as possible whilst ditching illegitimate ones.

    And, as I also said, my previous CMS had blacklisting, and it didn't really help. I was still getting spam registrations having disabled the site. Okay, flawed CMS, I know - that's why I changed it. But I'm not convinced about blacklisting.

    Posted: 7 years ago #

Topic Closed

This topic has been closed to new replies.

  • Rating

    191 Votes
  • Status

    This is plugin territory