Hi @filout,
I’m sorry but I ca’t understand what your situation is. My questions:
1. What is “fake registration”? What is “regstrated” to where? Do you mean a domain name?
2. How did you confirm your issue? By browser? Access log on your server? or other tool?
3. How is your server configured? If your server is placed behind a reverse proxy or load balancer, you need to put an appropliate key of server environment variable in “Validation rule settings” section. See “$_SERVER keys to retrieve extra IP addresses“.
Please include as much information as possible.
Thanks for your trying my plugu!
Hi Thomas,
I assume that “fake registration” means “user registration” because of your previous topics posted to WP-Members Membership Plugin forum.
I think you may login as a “fake user” via VPN while you’re login as an admin with different window but on the same browser.
In this case, a fake user could send the same cookie as admin at first access to the login page. This plugin will accespt it.
If my assumption is right, please try “Private window” on Chrome/Firefox for a fake user, or try different browser.
Thread Starter
filout
(@filout)
Hi tokkonopapa,
many thanks for your answer. Please let me explain:
On our homepage we have a registration possibility for our club members (only) – realized with WP-Members, that’s correct. We are only a little model flight club, so we only want to have our club members on our homepage as registered users.
Because we had some registrations of non club members in the past from all over the world at first i installed IP Blacklist Cloud and block (blocked) the ip range from this non club members (registrations), but now the list is very long and can be even longer.
This i mean with fake registrations.
So i installed your plugin too, set Matching rule to whitelist and allowed only five european countries (comma separated DE,AT,CH,LU,LI). So far the story.
Last night we had three more registrations from 162.243.21.112 (US), 188.242.66.165 (RU) and 219.147.13.158 (CN). This i can see it (too) in IP Blacklist Cloud => Failed Login. It doesn’t matter because every new registration must be activated manually by admin, but it sucks.
Our server isn’t behind a reverse proxy or so, we host our homepage on a normal german hoster named manitu and WP is – of course – the newest version v4.9.8.
> I think you may login as a “fake user” via VPN
I don’t know how because i come from DE. How can i fake another country?
Regards, Thomas
Hi Thomas,
Thank you for clarifying your situation so detail. Now I can perfectly catch the issue.
I think the registration requests from US, RU and CN might directly access to some PHP file which can accept the requests. Those did not come through the registration form (or page) but throw the requests using some tools.
The same case happens to BuddyPress that has a dedicated registration page while it can accept a request not through the page. Currently this plugin supports only BuddyPress against that case.
I’ll investigate WP-Members Membership Plugin to check how accept the registration requests.
So I’d appreciate your patience.
P.S. Please refer to How to test prevention of attacks.
-
This reply was modified 5 years, 4 months ago by
tokkonopapa.
Thread Starter
filout
(@filout)
Hi tokkonopapa,
i saw in my settings that in the Front-end target settings section, i didn’t activated Block by country.
I activated it now, set Matching rule on whitelist and the countries on DE,AT,CH,LU,LI too in this section (like in the Validation rules and behavior section).
Is possible this the solution?
Regards, Thomas
P.S. Many thanks for your link. I will read it. 🙂
P.P.S. I set Matching rule to Follow “Validation rules and behavior”
-
This reply was modified 5 years, 4 months ago by
filout.
-
This reply was modified 5 years, 4 months ago by filout.
-
This reply was modified 5 years, 4 months ago by filout.
Hi Thomas,
Is possible this the solution?
Yes, that’s definitely the solution. It will also block the direct requests for login and registration.
Or you can specify the login page and registration page at “Validation target” in “Front-end target settings” section.
I think it’s better to specify those pages instead of specifying “All requests” (means all pages) when you configure “Content Blocking” of WP-Members because it’s human friendly.
You can give some notices on those forms for visitors from unwanted country like this:
-
This reply was modified 5 years, 4 months ago by tokkonopapa.
Thread Starter
filout
(@filout)
Great, i will try (and test) it with this settings. 🙂
-
This reply was modified 5 years, 4 months ago by filout.
