I was asked to install this plugin in order to control the registration process. The website owners want to allow anyone to register, but be able to moderate registration and filter out bots.
It looks like some users are still able to bypass the moderation. This is what I have tried so far:
- I enabled the E-mail and Moderation modules.
- I set Moderation to "Admin Approval"
- Under "E-mail" I configured "User Approval Admin" to send a message to a certain email address with the %pendingurl%, %user_login% and %user_email% variables in the body. I also configured "User Approval" to send a confirmation message to the new user with the %loginurl%, %user_login%, %user_email% and %user_pass% variables in the body.
When I test the system myself, it works beautifully: I try to register as a new user, the email address I configured gets the moderation notification, I approve the user and a message gets sent to the new user with the login details.
However, the website owners are reporting that some users (presumably bots) have been able to register without having to go through the moderation steps. WordPress is notifying the main admin (the email address configured under "Settings > General", NOT the one I setup under the E-mail module) of a new registration, and that's it. No moderation at all.
Can you think of a reason why this might be happening? Is there some other URL that I should be disabling and that allows users to bypass the TML custom login screens?