Support » Plugin: Ultimate Member - User Profile & Membership Plugin » Nothing Can Stop Spam Registration

  • Howdy friends!

    We’re getting really tired of trying to stop spammers from registering on our site. Do you have any solution?

    Here’s what we have:

    UM ver. 2.1.2
    reCAPTCHA plugin ver. 2.1.2
    Disabled Anyone can register
    All default WP forms redirect to UM login/registration forms.
    Enabled reCAPTCHA on all login/registration forms
    reCAPTCHA ver. 3 by the way
    Installed WP Bruiser and enabled their protection for UM forms.

    And still no luck 🙁

    They manage to create an account, some even activate it via email link and edit one profile field (text area) and insert links that lead to spammy sites.

    The only thing that slows them down is adding their domains to black list but they always come back with new domains.

    What else can we do? 🤷‍♂️

    The page I need help with: [log in to see the link]

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Support mansurahamed

    (@mansurahamed)

    Hi @dkornyukhov,

    You can try taking down your registration page for couple days too if possible. If you still have spam registration, that will confirm it’s not done through registration page, and you may have to discuss further with a security/malware expert. The security steps you have taken should be enough to stop spam registration if done correctly.

    Thanks.

    Thank you, Mansur! I went ahead and disabled registration page. I’ll reach out again in 3 days with an update.

    I started having that problem as soon as one of my client’s rabbit forums (based on BuddyPress) went live. The only thing that seems to help is this combination:

    1. WordFence
    2. Stop Spanners (https://wordpress.org/plugins/stop-spammer-registrations-plugin/)

    HTH.

    Thank you, Joni! Are there any specific settings you’ve enabled in those 2 plugins? Or did you simply installed them and they worked out of the box?

    For the spam registration plugin, I had a lot of spammy registrations from *.ru so I included that as well as *.cn (china) and that seems to have dome the trick. Also finding that yandex.com is a spammy email exchange so might add that one as well. Just check your logs periodically and when you see a pattern developing, add it; and that should nip things in the bud.

    Wordfence pretty much stops most DOS attacks and repeated attempts to login within seconds (as a spammer or bot might try to do when trying to hack). So it works right out of the box as is.

    • This reply was modified 5 days, 17 hours ago by jonimueller.
    • This reply was modified 5 days, 17 hours ago by jonimueller.

    And you should be using the free version of Wordfence on *every* WP install you have, no matter what. 🙂

    Hey guys!

    So just an update: hiding UM registration page indeed stops all spam registration, which means they somehow come through YOUR plugin even with all the precautions taken in the description above. I’ll go ahead and try the solution by Joni above to see if it makes a difference and will update this topic.

    In the meantime, I think you need to look into securing your plugin even more to stop this spam activity without any other third party solutions. I’m sure that if you can fix this in future releases it would benefit all users of UM community.

    Ok, so even after installing Joni’s plugins and configuring them, spammers still able to register. So I’m again at a loss here.

    There doesn’t appear to be any challenge to registration. I clicked the registration link above and started the registration process. I checked two boxes regarding policies and procedures. There was no Captcha in place or anything else keeping a “bot” from registering.

    If you have access to your server logs, check there to see what URL string they are using to get through. But I suspect it’s just not hardened enough as far as keeping a bot out. But those plugins should have stopped even some of that traffic.

    Who is your host?

    Use Recaptcha v.2; that’s the one that Google development console recommends and it works just fine and dandy for me.

    You don’t see a Recaptcha? That’s weird! I use Recaptcha 3 and when I test it on my end I see “Protected by Recaptcha” in the lower right corner. I’ll try ver 2 to see if it make a difference. From what I see they keep hitting that registration page and manage to get through somehow. The host I’m at is cloudways.

    Nope. I am behind a corporate firewall right now using Google Chrome and Windows 10. I’ll try from home in about an hour and see if maybe something on my side is blocking it. But I didn’t complete the registration when i didn’t see a Captcha.

    J

Viewing 12 replies - 1 through 12 (of 12 total)
  • You must be logged in to reply to this topic.