• Hi,

    First post.

    I have a WordPress site with a wpforo and a few thousand users for quite a few years already.

    I have disabled User Registration. It is not shown anywhere in the site, but, I’m still getting the antispam plug-in reporting bogus SPAM users trying to register. Even if they are caught in the antispam plug-in it is still bad for me as Google will find them and will send me a Google Adsense violation report because of course those spammers are trying to sell you bad stuff.

    So, I imagine that even if the site doesn’t show the Registration button, spammers might have that link, and that link still works even if it isn’t shown. But, that’s just a guess.

    How do I really really really disable user registration?

    By the way, after deleting 40.000 spam accounts, yup, 40.000!!!!, I decided to go fully manual with user registrations, as I get only a couple a week at this point, and that’s less time than dealing with thousands of fake spam accounts trying to access the site constantly.

    Thanks,

    Regards,

    Fran

    • This topic was modified 1 year, 3 months ago by hipogrito.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @hipogrito,

    Assuming that you have unchecked the ‘Anyone can register’ box under Settings → General and are still seeing bot/spam registrations, you can try using the Stop Spammers plugin. I haven’t used the plugin myself, so I cannot comment on its effectiveness.

    You can read about more ways to prevent spam registrations here.

    I hope this helps!

    Thread Starter hipogrito

    (@hipogrito)

    hi,

    thanks for the comments.

    Yes, I have the box unchecked and I have Stop Spammers and, yet, Stop Spammers still reports bogus spam registrations. I just added two to the not allowed list.

    So, what is the link that the spammers are using that still tries to create a user?

    I disabled the social media plugin too, but still getting those.

    Thanks,

    regards,

    Fran

    Moderator bcworkz

    (@bcworkz)

    The default registration link is well known — wp-login.php?action=register
    Anyone is free to POST registration data to that location, it’s a public website. However, if you’ve unchecked the anyone can register option, nothing will come of it. An “Error: User registration is currently not allowed.” message is displayed. Registration will be unsuccessful.

    If you are getting successful spam registrations despite the anyone can register option being unchecked, there’s an unintentional security hole somewhere. Likely candidates are lesser known or custom built themes or plugins. If your theme and plugins are all well known and established, it’s possible your site has been compromised by a hacker who had installed “back door” access.

    I think it’s unlikely, but if there are other signs of a security compromise, we have some suggestions on how to deal with a security breach.

    Thread Starter hipogrito

    (@hipogrito)

    Thanks for the advice.

    I’ve done a couple of things and I haven’t gotten any spam registration in the last few hours, which is encouraging.

    One, I have made sure that both in the WordPress regular Dashboard AND in the WPForo settings the registration is disabled. I’m not sure if both were disabled when I posted the first message.

    Two, I have removed all the Socializer log in, which I wonder if it could have been the way the spammers were trying to get in.

    I’ve checked a couple of the sites that check the site for viruses and the site looks clean.

    I’ll report in a few days if everything is resolved with those actions.

    Thanks,
    Regards,
    Fran

    Moderator bcworkz

    (@bcworkz)

    An alternative login process through some plugin is a likely attack vector. If you still get spam registrations, as soon as one is discovered search through your access logs for POST requests that could result in a registration. Whatever file is requested likely leads to the security hole.

    Not all POST requests are suspicious, especially if they are for core wp-admin/ files or wp-login.php (normal user access). If repeated registration attempts mostly come from one IP address, you could block that IP through .htaccess. Whatever security hole might exist still needs to be patched, but blocking a nuisance IP will reduce how much processing the server has to do.
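
The log search described in the reply above, as an added example that is not part of the original thread: it tallies POST requests in the minutes before a spam account appeared, ranks non-core endpoints first and counts hits per IP. The combined log format, WordPress installed at the web root, the sample lines and the plugin path are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed; adjust to your server's format).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Paths the thread treats as normal user access (assumes WordPress at the web root).
CORE = ("/wp-login.php", "/wp-admin/")

# Constructed sample lines; the plugin path is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:14:02 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 4321 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:14:40 +0000] "POST /wp-content/plugins/example-social-login/callback.php HTTP/1.1" 302 0 "-" "bot"
198.51.100.9 - - [12/Mar/2024:10:15:05 +0000] "POST /wp-content/plugins/example-social-login/callback.php HTTP/1.1" 302 0 "-" "bot"
192.0.2.44 - - [12/Mar/2024:10:15:30 +0000] "GET /forum/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:09:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
""".splitlines()

def post_candidates(lines, registered_at, window_minutes=5):
    """Tally POST requests in the window before a spam account was created."""
    start = registered_at - timedelta(minutes=window_minutes)
    hits = defaultdict(lambda: defaultdict(int))  # path -> ip -> count
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line or not a POST
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= registered_at):
            continue  # outside the window of interest
        hits[m["target"].split("?", 1)[0]][m["ip"]] += 1
    rows = [
        {"path": p, "core": p.startswith(CORE),
         "hits": sum(ips.values()), "ips": dict(ips)}
        for p, ips in hits.items()
    ]
    # Non-core endpoints first (most likely to need review), busiest first.
    return sorted(rows, key=lambda r: (r["core"], -r["hits"]))

if __name__ == "__main__":
    # Time the spam account was created (constructed; take it from the user record).
    when = datetime(2024, 3, 12, 10, 15, 10, tzinfo=timezone.utc)
    for row in post_candidates(SAMPLE_LOG, when):
        print(row)
```

A per-IP count that is spread thinly across many addresses, as in the sample, means an IP block will not help and the endpoint itself needs attention.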

    Thread Starter hipogrito

    (@hipogrito)

    Great advice to check the logs.

    I haven’t had any case in the last day, so it’s looking good.

    They were coming from multiple IPs for sure as I was blocking them with the anti-spam plug-in.

    Thanks so much,
    Regards,
    Fran

  • The topic ‘User Registration: How to really really disable it’ is closed to new replies.