Registration spam is nothing short of annoying. We all hate it.
Unfortunately, the way that WordPress is built, a membership site on WP architecture is likely to receive a certain amount of registration spam. Most of this will be by way of automated signups and bots.
Even if you have shut off the ability of users to register, there a number of ways for spammers to submit registrations through WP.
There are two ways to combat registration spam that are most effective, both of which will be covered below; but there is one thing that many people implement to combat form spam that is, in my opinion, grossly ineffective – captcha.
Captcha devices are commonly used to prevent form spam, but they are easily circumvented. This means you don’t really solve the problem of registration spam while at the same time introducing an annoyance for your users who have to complete the captcha to register.
If you believe in the effectiveness of captchas, I do not hold that against you. Use one if you must, but I submit that there are better methods available.
A very effective method to combat registration form spam is to check the user against a database of known spammers. WP-Members provides two possibilities for this – one
freely* available, and the other a premium.
The WP-Members Stop Spam Registrations extension is a plugin that utilizes the stopforumspam.com API. It validates the email and IP address of the registration against the database and if found, it halts the registration.
If you’d like to add more options than that, the WP-Members Security plugin, which offers a number of additional security features, includes both the stopforumspam.com API as well as the Akismet API. It can run the username, email, and IP address in the registration against either or both APIs.
Either of these are effective tools for stopping registration spam, and are not only more effective than captchas, they are not intrusive to the user experience.
The single most effective method of preventing a form from being exploited is a honey pot. A honey pot is a field in the form that is not visible to the user, but because it is in the HTML of the page, it is viewable to a bot. In fact, to a bot, it looks like a regular form field and so the bot will fill it out.
When the form is submitted, part of the form validation is to evaluate if the honey pot field contains an entry. If it does, it was likely an automated form submission by a bot, since a human user would not generally see this field.
If you are a premium support subscriber, I have written a tutorial on how to implement a honey pot into the WP-Members registration form. This tutorial will explain what the honey pot is, how it is implemented, and includes all of the necessary code snippets to implement it. As described above, the process involves adding a field to the form for the honey pot, hiding it, and then validating its entry when the form is submitted.
The WP-Members Security plugin, in addition to other security features and options, includes a simple setting for a honey pot field. When using the WP-Members Security plugin, it randomizes the name of the field used for the honey pot so that even if a bot was able to figure out a particular field was a honey pot (an unlikely event), the randomization factor changes the field name. None of this activity is visible to the user, but for a bot it is essentially impossible to circumvent.
- If you’re a free user and don’t want to spend any money, use the Stop Spam Registrations plugin. It is
free* and effective.
- If you’re a premium support subscriber, implement a honey pot.
- If you’re a Pro Bundle subscriber or have the WP-Members Security plugin, use either the Stop Spam Registration API or the Akismet API as well as enabling the registration form honey pot.
Lastly, if you’re a DIY-type, I have written a wrapper for the Akismet API, designed specifically for use in WordPress applications. You can use this library to build your own application to stop forum spam.
*The Stop Spam Registrations plugin is no longer “free”. I have started charging $1.00 for it. I still consider that as “essentially free”, but not “technically” so. I had to change this primarily because I wasn’t aksing for anything other than your email address in exchange for this free plugin and as a result I simply had too many people signing up with bogus info which I found, quite frankly, insulting. I don’t send out spam, but I may send an occasional email, some of which may be promotional, and I don’t think it’s a lot to ask in exchange for a good plugin. You may disagree and that’s fine; we don’t have to be of like mind here. So, the plugin is now a buck if you want it. If not, the WP-Members API necessary to hook into for writing your own methods is publicly available on this site, and the stopforumspam.com API is free to use, and I wrote a publicly available API wrapper for Akismet (linked above where it says DIY).