Support » Plugin: Theme My Login » Bots bypassing moderation

  • Resolved webrightnow


    I was asked to install this plugin in order to control the registration process. The website owners want to allow anyone to register, but be able to moderate registration and filter out bots.
    It looks like some users are still able to bypass the moderation. This is what I have tried so far:
    – I enabled the E-mail and Moderation modules.
    – I set Moderation to “Admin Approval”
    – Under “E-mail” I configured “User Approval Admin” to send a message to a certain email address with the %pendingurl%, %user_login% and %user_email% variables in the body. I also configured “User Approval” to send a confirmation message to the new user with the %loginurl%, %user_login%, %user_email% and %user_pass% variables in the body.
    When I test the system myself, it works beautifully: I try to register as a new user, the email address I configured gets the moderation notification, I approve the user and a message gets sent to the new user with the login details.
    However, the website owners are reporting that some users (presumably bots) have been able to register without having to go through the moderation steps. WordPress is notifying the main admin (the email address configured under “Settings > General”, NOT the one I setup under the E-mail module) of a new registration, and that’s it. No moderation at all.
    Can you think of a reason why this might be happening? Is there some other URL that I should be disabling and that allows users to bypass the TML custom login screens?

Viewing 4 replies - 1 through 4 (of 4 total)
  • I am having this exact same issue, did you figure it out?

    Plugin Author Jeff Farthing


    The “bots” are using wp-login.php. Disable it using TML’s Security module.

    I had remembered seeing that once before and couldn’t remember which plugin had that option. I had it on once before actually, but I was wanting to block the IP, not the user account so I turned the security module off and used the Limit Login Attempts plugin to accomplish that, but I re-enabled the security module, checked the private login box and just set the numbers high so it can’t lock out user accounts. Hopefully the “bots” won’t be able to register now.

    It would be nice if you either had the option to turn the Limit Logins peice off or the choice to lock the user account or block the IP.

    Otherwise, it’s a great module and I appreciate your work, thanks!!

    Plugin Author Jeff Farthing


    Will consider those ideas for a future release.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Bots bypassing moderation’ is closed to new replies.