Registration spam is nothing short of annoying. We all hate it.
Unfortunately, the way that WordPress is built, a membership site on WP architecture is likely to receive a certain amount of registration spam. Most of this will be by way of automated signups and bots.
Even if you have shut off the ability of users to register, there are a number of ways for spammers to submit registrations through WP.
There are two ways to combat registration spam that are most effective, both of which will be covered below; but there is one thing that many people implement to combat form spam that is, in my opinion, grossly ineffective – captcha.
Captcha devices are commonly used to prevent form spam, but they are easily circumvented. This means you don’t really solve the problem of registration spam while at the same time introducing an annoyance for your users who have to complete the captcha to register.
If you believe in the effectiveness of captchas, I do not hold that against you. Use one if you must, but I submit that there are better methods available.
Anti-spam APIs
A very effective method to combat registration form spam is to check the user against a database of known spammers. WP-Members provides two possibilities for this: one freely available, and the other premium.
The WP-Members Stop Spam Registrations extension is a plugin that utilizes the stopforumspam.com API. It validates the email and IP address of the registration against the database and if found, it halts the registration.
If you’d like to add more, the WP-Members Security plugin, which offers a number of security features, includes both the stopforumspam.com API and the Akismet API. It can run the username, email, and IP address in the registration against either or both APIs.
Either of these is an effective tool for stopping registration spam. Not only are they more effective than captchas, they are also not intrusive to the user experience.
Honey Pot
The single most effective method of preventing a form from being exploited is a honey pot. A honey pot is a field in the form that is not visible to the user, but because it is in the HTML of the page, it is viewable to a bot. In fact, to a bot, it looks like a regular form field and so the bot will fill it out.
When the form is submitted, part of the form validation is to evaluate if the honey pot field contains an entry. If it does, it was likely an automated form submission by a bot, since a human user would not generally see this field.
If you are a premium support subscriber, I have written a tutorial on how to implement a honey pot into the WP-Members registration form. This tutorial will explain what the honey pot is, how it is implemented, and includes all of the necessary code snippets to implement it. As described above, the process involves adding a field to the form for the honey pot, hiding it, and then validating its entry when the form is submitted.
The WP-Members Security plugin, in addition to other security features and options, includes a simple setting for a honey pot field. When using the WP-Members Security plugin, it randomizes the name of the field used for the honey pot so that even if a bot were able to figure out a field was a honey pot (an unlikely event), the randomization factor can change the field. None of this activity is visible to the user, but for a bot it is impossible to circumvent.
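The honey pot check and field-name randomization described above, written in plain PHP as an added example. It is not code from WP-Members, the WP-Members Security plugin, or the premium tutorial. The function names, the HP_SECRET constant, and the one-hour rotation window are assumptions, and the example goes one step beyond the text by also rejecting submissions that carry no decoy field at all.

```php
<?php
// Added example: honey pot with a rotating field name (plain PHP, no plugin API).
// HP_SECRET and HP_WINDOW are assumptions; use a long random per-site secret.
const HP_SECRET = 'replace-with-a-long-random-per-site-secret';
const HP_WINDOW = 3600; // seconds before the generated field name rotates

// Derive the decoy field name from the secret and the current time window.
function hp_field_name(int $time, int $offset = 0): string {
    $window = intdiv($time, HP_WINDOW) - $offset;
    return 'f_' . substr(hash_hmac('sha256', (string) $window, HP_SECRET), 0, 12);
}

// Markup for the decoy input: moved off-screen, skipped by keyboard focus and
// screen readers, and excluded from browser autofill to limit false positives.
function hp_render_field(int $time): string {
    $name = htmlspecialchars(hp_field_name($time), ENT_QUOTES);
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<input type="text" name="' . $name . '" value="" tabindex="-1" autocomplete="off">'
         . '</div>';
}

// True when the submission should be rejected: the decoy is filled in (or is
// not a plain string), or no decoy from the current or previous window is
// present, which means the POST was built without loading the form.
function hp_is_bot(array $post, int $time): bool {
    foreach ([0, 1] as $offset) {
        $name = hp_field_name($time, $offset);
        if (array_key_exists($name, $post)) {
            return !is_string($post[$name]) || trim($post[$name]) !== '';
        }
    }
    return true;
}

// Constructed sample submissions (not real traffic).
$now   = time();
$field = hp_field_name($now);
$human = ['user_login' => 'alice', 'user_email' => 'alice@example.com', $field => ''];
$bot   = ['user_login' => 'x9', 'user_email' => 'x9@example.com', $field => 'http://example.com'];
$blind = ['user_login' => 'y7', 'user_email' => 'y7@example.com'];

var_dump(hp_is_bot($human, $now)); // decoy present and left empty
var_dump(hp_is_bot($bot, $now));   // decoy filled in
var_dump(hp_is_bot($blind, $now)); // decoy field missing entirely
```

If the registration page is served from a page cache, keep the cache lifetime shorter than the rotation window; otherwise a visitor can receive a form whose decoy name has already expired and be rejected as a bot.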
Summary
- If you’re a free user and don’t want to spend any money, use the Stop Spam Registrations plugin. It is free and effective.
- If you’re a premium support subscriber, implement a honey pot.
- If you’re a Pro Bundle subscriber or have the WP-Members Security plugin, use either the Stop Spam Registration API or the Akismet API, and enable the registration form honey pot as well.
Lastly, if you’re a DIY-type, I have written a wrapper for the Akismet API, designed specifically for use in WordPress applications. You can use this library to build your own application to stop forum spam.