Title: User Registration Exploit? Last modified: August 30, 2016 --- # User Registration Exploit? * [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [10 years, 11 months ago](https://wordpress.org/support/topic/user-registration-exploit/) * Is it possible than someone can use the WordPress registration as a SPAM/DoS attack mechanism? There is no captcha on the registration form and the form is always at the same url “[http://blog/wp-login.php?action=register”](http://blog/wp-login.php?action=register”);. * What prevents someone from creating a program, data-mining all websites with this url from Google, and basically setting up a bot to constantly create new users in ad infinitum? * I don’t understand why in this day and age, there isn’t at least a captcha on this registration page….is there a way to add one? Viewing 3 replies - 1 through 3 (of 3 total) * [mathieuhays](https://wordpress.org/support/users/mathieuhays/) * (@mathieuhays) * [10 years, 11 months ago](https://wordpress.org/support/topic/user-registration-exploit/#post-6186891) * Hi salescart, * I personally tried CleanTalk and seems to work but have a look to all the different solutions: [https://wordpress.org/plugins/search.php?q=registration+spam](https://wordpress.org/plugins/search.php?q=registration+spam) * I guess they didn’t implement it because there are good plugins out there and adding too much stuff to the core would mislead people with little understanding about websites. By default the user registration is closed. If you want to open it you know that anybody could register. As long as you can create unique emails, anybody, even someone with zero knowledge about hacking, could create thousands of accounts on your website if they wanted to. * You have firewall plugins like WordFence or iThemes Security. They can be used to throttle access to your website and detect bots. * It’s also quite likely that you have dozens of captcha plugins for the registration form on the WordPress Plugin Directory. * If you want to prevent DDoS attacks or malware you could also looks into solutions with your hosting company. Cloudflare could be a solution here as well. * Thread Starter [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [10 years, 11 months ago](https://wordpress.org/support/topic/user-registration-exploit/#post-6186905) * Ok, so do you believe by default user registrations should remain off? We don’t remember turning those on but we can certainly turn them back off if we did. * What is the advantage of having this on anyways? * [mathieuhays](https://wordpress.org/support/users/mathieuhays/) * (@mathieuhays) * [10 years, 11 months ago](https://wordpress.org/support/topic/user-registration-exploit/#post-6186975) * If you don’t want people registering on your website, it should be off. Even if your front-end doesn’t display a form to actually do it, bots knows which request to do to create one. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘User Registration Exploit?’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 3 replies * 2 participants * Last reply from: [mathieuhays](https://wordpress.org/support/users/mathieuhays/) * Last activity: [10 years, 11 months ago](https://wordpress.org/support/topic/user-registration-exploit/#post-6186975) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics