Theme My Login
[resolved] Bots bypassing moderation (5 posts)

  1. webrightnow
    Member
    Posted 5 months ago #

    I was asked to install this plugin in order to control the registration process. The website owners want to allow anyone to register, but be able to moderate registration and filter out bots.
    It looks like some users are still able to bypass the moderation. This is what I have tried so far:
    - I enabled the E-mail and Moderation modules.
    - I set Moderation to "Admin Approval".
    - Under "E-mail" I configured "User Approval Admin" to send a message to a certain email address with the %pendingurl%, %user_login% and %user_email% variables in the body. I also configured "User Approval" to send a confirmation message to the new user with the %loginurl%, %user_login%, %user_email% and %user_pass% variables in the body.
    When I test the system myself, it works beautifully: I try to register as a new user, the email address I configured gets the moderation notification, I approve the user and a message gets sent to the new user with the login details.
    However, the website owners are reporting that some users (presumably bots) have been able to register without having to go through the moderation steps. WordPress is notifying the main admin (the email address configured under "Settings > General", NOT the one I set up under the E-mail module) of a new registration, and that's it. No moderation at all.
    Can you think of a reason why this might be happening? Is there some other URL that I should be disabling and that allows users to bypass the TML custom login screens?
    Thanks!

    https://wordpress.org/plugins/theme-my-login/

  2. bentonhall
    Member
    Posted 3 months ago #

    I am having this exact same issue. Did you figure it out?

  3. Jeff Farthing
    Member
    Plugin Author

    Posted 3 months ago #

    The "bots" are using wp-login.php. Disable it using TML's Security module.

  4. bentonhall
    Member
    Posted 3 months ago #

    I had remembered seeing that once before and couldn't remember which plugin had that option. I had it on once before, actually, but I was wanting to block the IP, not the user account, so I turned the security module off and used the Limit Login Attempts plugin to accomplish that. I have now re-enabled the security module, checked the private login box and just set the numbers high so it can't lock out user accounts. Hopefully the "bots" won't be able to register now.

    It would be nice if you either had the option to turn the Limit Logins piece off or the choice to lock the user account or block the IP.

    Otherwise, it's a great module and I appreciate your work, thanks!!

  5. Jeff Farthing
    Member
    Plugin Author

    Posted 3 months ago #

    Will consider those ideas for a future release.
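
One way to confirm from the web server's access log that sign-ups are reaching wp-login.php directly, as the plugin author's reply says (an added example, not part of the thread or of Theme My Login). The log lines are constructed, and the combined log format and the `/register/` page slug are assumptions; `action=register` is WordPress core's registration action.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# /register/ stands in for the themed registration page (assumed slug).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2015:10:01:02 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:01:09 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2015:10:02:00 +0000] "POST /register/ HTTP/1.1" 302 - "http://example.test/register/" "Mozilla/5.0"
203.0.113.21 - - [12/Mar/2015:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2015:10:04:00 +0000] "POST /blog/wp-login.php?foo=1&action=register HTTP/1.1" 200 512 "-" "curl/7.40"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def direct_registrations(log_text):
    """Return (ip, timestamp, status) for each POST to wp-login.php?action=register."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a form submission
        url = urlsplit(m["target"])
        # endswith() also covers WordPress installed in a subdirectory.
        if not url.path.endswith("/wp-login.php"):
            continue
        # Access logs record only the request line, so this reads the query string.
        if "register" in parse_qs(url.query).get("action", []):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def per_ip(hits):
    """Count direct registration submissions per client address."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    found = direct_registrations(SAMPLE_LOG)
    for ip, count in per_ip(found).most_common():
        print(f"{ip}: {count} direct registration POST(s)")
```

Any hit that appears after wp-login.php has been disabled means the endpoint is still reachable and the setting should be rechecked.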
