
Fighting Registration Spam in WordPress

Most WordPress blogs are protected by the best anti-spam triangle of comment spam defenders: Bad Behavior, Spam Karma 2 and Akismet.

However, little or nothing is available to help prevent registration spam.

Registration spam differs from comment spam as it comes through the WordPress login form, not blog comments. WordPress blogs which require registration to comment, contribute, or participate have little or no protection from spammers hammering away at their registration forms.

There are WordPress Plugins for contact forms which include spam protection, such as the WordPress Contact Form with Spam Protection Plugin (see its project page), based upon Ryan Duff’s popular WordPress Contact Form. But a contact form isn’t your blog’s registration form, so it doesn’t help here.

There are several WordPress Plugins and hacks which block registration attempts based upon a blacklist. The problem is that you have to put the blacklist together and keep it updated. Spammers constantly change their IP addresses and other details to get past blacklists, which seem to be obsolete before they are published. This method is a nice band-aid, but it isn’t effective in the long run.

There are also some hacks to the WordPress code you can use to put a form of CAPTCHA or test into the Registration screens from Exile from Groggs and Raz-Soft. This involves changing the core programming code for WordPress, something few want to do.

There is also the Themed Login WordPress Plugin which allows the administrator to “theme” the WordPress login, adding words and design elements to customize the look, but it doesn’t add any way of testing the registrant for validity.

There is an idea post for improving WordPress registration protection in the core programming. Because this issue affects so many (any WordPress blog with more than one blogger, blogs that require registration to comment or contribute, and private blogs), I think it’s a good idea.

My recommendation would be to get Akismet to cover registration as well as comments.

As a last resort, many are hunting for a WordPress Plugin that will add a CAPTCHA or quiz test to the registration login form for WordPress. I’ve not found one. Have you?

Is this an issue that you have to deal with on your WordPress blog? If so, and you’d like to see something added to the WordPress core programming, let your voice be heard on the idea post for improving WordPress registration protection.
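As an added illustration, not code from this post or from any plugin it mentions, here is the shape such a registration quiz takes as a plugin rather than a core hack: it uses the real `register_form` action and `registration_errors` filter that wp-login.php fires, while the question bank, field names and `rqc_` function names are my own constructed choices.

```php
<?php
/*
Plugin Name: Registration Question Challenge (illustrative example)
Description: Adds a one-line quiz plus a honeypot field to wp-login.php?action=register.
*/

// Constructed question bank (hypothetical); answers are matched case-insensitively.
const RQC_QUESTIONS = [
    'What colour is a clear daytime sky?'         => 'blue',
    'How many legs does a cat have? (one digit)'  => '4',
    'Type the word "human" to prove you are one'  => 'human',
];
const RQC_MAX_AGE = 600; // seconds a rendered challenge stays valid; bounds token replay

// Keyed tag over (question index, timestamp) so the hidden fields cannot be altered.
function rqc_tag($idx, $ts) {
    return hash_hmac('sha256', $idx . '|' . $ts, wp_salt('auth'));
}

add_action('register_form', 'rqc_render');
function rqc_render() {
    $keys = array_keys(RQC_QUESTIONS);
    $idx  = random_int(0, count($keys) - 1);   // PHP 7+
    $ts   = time();
    echo '<p><label for="rqc_answer">' . esc_html($keys[$idx]) . '<br />';
    echo '<input type="text" name="rqc_answer" id="rqc_answer" class="input" autocomplete="off" /></label></p>';
    echo '<input type="hidden" name="rqc_idx" value="' . esc_attr($idx) . '" />';
    echo '<input type="hidden" name="rqc_ts" value="' . esc_attr($ts) . '" />';
    echo '<input type="hidden" name="rqc_tag" value="' . esc_attr(rqc_tag($idx, $ts)) . '" />';
    // Honeypot: invisible in a browser, but naive bots fill in every field they find.
    echo '<p style="display:none"><input type="text" name="rqc_url" value="" tabindex="-1" /></p>';
}

add_filter('registration_errors', 'rqc_validate', 10, 3);
function rqc_validate($errors, $sanitized_user_login, $user_email) {
    $p    = wp_unslash($_POST);
    $idx  = isset($p['rqc_idx']) ? (string) $p['rqc_idx'] : '';
    $ts   = isset($p['rqc_ts'])  ? (string) $p['rqc_ts']  : '';
    $tag  = isset($p['rqc_tag']) ? (string) $p['rqc_tag'] : '';
    $ans  = isset($p['rqc_answer']) ? strtolower(trim($p['rqc_answer'])) : '';
    $keys = array_keys(RQC_QUESTIONS);

    if (!empty($p['rqc_url'])) {                                 // honeypot was filled in
        $errors->add('rqc_bot', '<strong>ERROR</strong>: Registration rejected.');
    } elseif (!ctype_digit($idx) || !ctype_digit($ts) || (int) $idx >= count($keys)
              || !hash_equals(rqc_tag($idx, $ts), $tag)) {      // missing or tampered fields
        $errors->add('rqc_tamper', '<strong>ERROR</strong>: Invalid anti-spam token.');
    } elseif (time() - (int) $ts > RQC_MAX_AGE) {                // stale form
        $errors->add('rqc_expired', '<strong>ERROR</strong>: The form expired, please try again.');
    } elseif (!hash_equals(RQC_QUESTIONS[$keys[(int) $idx]], $ans)) {
        $errors->add('rqc_wrong', '<strong>ERROR</strong>: Wrong answer to the anti-spam question.');
    }
    return $errors;                                              // any error aborts register_new_user()
}
```

Dropped into wp-content/plugins/ and activated, this blocks form-fillers without editing core; a short fixed question bank only slows down bots with a human in the loop, so enlarge or rotate it, or pair it with a service such as Akismet as the post suggests.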




Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

41 Comments

  1. Posted July 16, 2007 at 5:45 am | Permalink

    Never thought of this. Luckily my blog is not that known throughout the world, so I only get the ‘normal’ spam, but it is a good thing to think about.

  2. Posted July 16, 2007 at 6:13 am | Permalink

    I’m definitely in this boat. I wanted my community to register to have some special e-mails, etc., and yet I’m getting “people” registering with weird names.

    What are the dangers of having people logged in? Why spam the registration pages? Are they looking for a hole in whatever code base we are running?

  3. Posted July 16, 2007 at 7:21 am | Permalink

    I think the idea behind registration spam is to try and either appear on the Authors page or hope that the blog admin was silly enough to give new users posting rights by default. At any rate, I agree that some kind of moderation or spam filtering needs to get applied to user logins. I delete one of these registrations every other week, always with a Russian e-mail address.

  4. Posted July 16, 2007 at 7:25 am | Permalink

    My site requires registration to post a comment and first-time commenters are moderated. I see 2 to 4 registrations which are obviously spam. They never even tried to post a comment, so what purpose do the spam registrations serve? Normal users can’t see the list of users. Do they think that the site administrators will visit their obviously spammy web sites?

  5. Posted July 16, 2007 at 7:56 am | Permalink

    TruBar 3.0(Reg) stops 100% of the spam registration. This plugin requires editing of one core file.

  6. Posted July 16, 2007 at 8:01 am | Permalink

    This is definitely something which needs addressing, to bring it into line with the excellent comment spam protection, as mentioned.

    The reason seems to be (although I may be wrong) connected with a need to have a web address, although the people using it are clearly spammers.

    The reason I say this is that I played around with WordPress Mu (http://mu.wordpress.org) for a while and people were registering and creating a page, but nothing thereafter and they were all spammers. In the end, I gave up on having a community area because the time taken to weed out the idiots did not seem worthwhile.

    If anyone can crack this one, there will be a lot of grateful people willing to laud and praise them!

  7. Posted July 16, 2007 at 8:01 am | Permalink

    Jesse Harris, I’m one of the “silly admins” who gives new users posting rights by default.
    You are The Author in WordPress.Mu

  8. Posted July 16, 2007 at 10:48 am | Permalink

    I have never understood why they do this either.

    Another enhancement that would make clearing them out easier is knowing which users have commented. The Users admin page shows which ones have posted but not which ones have commented.

  9. Posted July 16, 2007 at 12:02 pm | Permalink

    I’m pretty sure that such registrations are done for future hack attempts. From time to time new security vulnerabilities may be discovered that will allow unprivileged users to post to the blog (when they are not supposed to) - so spammers will exploit this.

  10. Posted July 16, 2007 at 2:05 pm | Permalink

    Thanks for the link. The method I described on my blog has completely stopped spam registrations - and they were a nightmare before that. Thanks also for promoting my WP idea!! I agree that this is a big enough issue from an admin point of view to warrant some development, especially since a fix would be so easy.

    The only other spam that was a problem was trackback spam - so I simply stopped trackbacks to the site (nobody I knew would have been using them anyway).

    I don’t think it’s particularly that the bots are seeking permission to write comments at all. By registering, they create a link to their target page in user lists, which presumably gives them a chance of becoming more visible in search engines. Also, when real users access the user list, they see and can click the links. As to why - don’t ask me. I don’t really understand what the point of sending emails offering enhanced virility is, either, but somebody must find it worth their while.

  11. Posted July 16, 2007 at 2:10 pm | Permalink

    Have a look at this:-

    http://www.homelandstupidity.us/software/bad-behavior/

    It can be installed as a normal plugin in moments and in my case, it was catching some of these characters within seconds.

    It is also usable as an extension for MediaWiki and other applications.

  12. Gary
    Posted July 16, 2007 at 3:10 pm | Permalink

    @ Lorelle - your link to Bad Behaviour in the opening paragraph is out of date. It seems that the current site is here:
    http://www.bad-behavior.ioerror.us/

  13. Posted July 16, 2007 at 3:36 pm | Permalink

    How about capcc? http://wp-plugins.net/plugin/capcc1.0/

    Worked right out of the box for me.

  14. Posted July 16, 2007 at 4:51 pm | Permalink

    I’ve got four sites powered by wordpress and all seem to get different types of spam…

    On one, I do get a lot of phoney registrations, who never post anything, and all have a .ru email address.

    On that same site, I have contact forms, which are endlessly hammered by one offender.

    I think both perpetrators are from the same source, and I am on the “list” of sites to spam regularly (e.g. the contact form spam always features the same words, but links to different sites, and the registrations are always VERY similar).

    Surely this must work a few times out of a thousand, but are they making any money at it? I mean, does anyone really buy viagra from an unknown source on the internet anyway?

  15. Posted July 16, 2007 at 7:46 pm | Permalink

    I get a lot of visitors and I still only get one or two registrations spams per month. I think once they find out that your blog is set for new users to be just that, they don’t bother for awhile.

  16. Posted July 16, 2007 at 10:55 pm | Permalink

    You could also always just hack out wpmu anti-splog release (We give that stuff away for free!) http://wpmudev.org/project/Signup-Security-Question/

  17. Posted July 17, 2007 at 3:13 am | Permalink

    I think bots register because evil people look for admin access to your blog; in previous versions there was a hole, and some bloggers even don’t install WP properly. That is why they register and don’t write comments: because your security has a high level, that’s good :)

  18. Posted July 17, 2007 at 5:17 am | Permalink

    OpenID. Use it. I am and it’s a good solution, I’d say.

  19. Posted July 17, 2007 at 8:40 am | Permalink

    good point as there are lots of clowns and machines on the web that crank out these bogus registrations

  20. Posted July 17, 2007 at 11:13 am | Permalink

    I feel that requiring registration in order to comment would turn away some legitimate commenters who are in a hurry. Because I am so desperate for comments, (I know, its sad), I don’t require registration. I have had very few registrations anyway.

    I recently started using Bad Behavior to add to Akismet. BB did cut the Akismet-caught spam by about 1/3. The thing I really don’t like about BB is this: There does not seem to be any way to verify that BB is not blocking valid commenters. All you can do is look in the options panel to see how many “attempts” BB has blocked. Or, look in your WP DB at the BB table. Neither of these gives me any information so I would be able to detect a false block by BB. Because of this, I am thinking of removing BB.

    What do you all think? Is this a concern, or is BB basically perfect in its blocking and we don’t need to worry?

  21. Posted July 17, 2007 at 6:35 pm | Permalink

    Anyway, since you have TruBar, you may be very qualified to address my concern about having no records for the spam being stopped. Are TruBar and BadBehavior so accurate that my worries are much ado about nothing?

    I admit I am a bit of a worrier, but I just hate the idea of legitimate comments being blocked by mistake and us never knowing it.

    btw: I love your site and your theme.

  22. Posted July 18, 2007 at 9:30 am | Permalink

    Thanks for the correction. I sure wish WordPress.com had a complete content area search and replace. SIGH.

  23. Posted July 18, 2007 at 1:16 pm | Permalink

    Will: Nothing is perfect, but Bad Behavior is so close that there is not a lot of difference.

    Bad Behavior works by recognizing certain characteristics of automated systems and blocks them from accessing the site *entirely*. It’s not analyzing the content of comments, it’s analyzing the hidden aspects, like the type of browser they’re using and other such things. So Bad Behavior is not going to block comments, per se.

    But it could, in theory, block somebody from seeing your site at all.

    Now, when it does block somebody, it gives them links to contact you (if your email is correct) and other such things. So if somebody gets blocked as a false positive they’d probably say so. However, given that Bad Behavior is fairly widespread, they’d likely get blocked from lots and lots of sites, and work out what it is that they’re doing wrong.

    Also, Bad Behavior defaults to letting them through. It only blocks when it’s reasonably sure that the client is a bot or other automated system. It’s not going to catch *all* automated systems, just enough of them to help.

    In other words, I wouldn’t be concerned about it. It “just works”, so be thankful for it and keep it up to date when new versions are released.

  24. Posted July 18, 2007 at 7:29 pm | Permalink

    I certainly like the idea of a spam check for users, à la Akismet. I also get a lot of the .ru users, and occasionally some attempts from China.

  25. Posted July 19, 2007 at 3:08 pm | Permalink

    @Otto: Thanks! That was a great explanation. Now all is good and content in the land of worry!

  26. Posted July 20, 2007 at 9:08 am | Permalink

    I apparently don’t suffer from it. But then, New Harper’s Mews is not exactly up there with the Daily Kos, et al. (grin)

  27. Posted July 20, 2007 at 8:21 pm | Permalink

    I use Advanced Textual Confirmation and have no spam problems. ATC is an antispam for forums, blogs, contact forms, and others. It is a smart textual CAPTCHA, which challenges site visitors only once, and then disappears. Here is how to add it to WordPress:

    http://bbantispam.com/forum/viewtopic.php?t=285

  28. Posted July 20, 2007 at 11:25 pm | Permalink

    Hi Lorelle and thanks for the link to my anti-spam registration solution, works like a charm here, I hope bots will stay away now for good :)

  29. Posted August 25, 2007 at 3:31 pm | Permalink

    Yes it is an increasing problem.

  30. Posted August 30, 2007 at 2:34 am | Permalink

    Big problem for me. I’m using Raz Soft & still getting some spam bots that get through & register. We need either a plugin or something built into the WP installation that fights this problem.

    Personally, I don’t find Akismet that effective & so don’t use it. So I’d prefer something not dependent on Akismet, but that’s only my own preference.

  31. Posted September 2, 2007 at 3:55 am | Permalink

    So far, I have been solving this problem by simply removing the meta section from the sidebar altogether. Maybe I’ll try some of these tips.
    Thanks for sharing :)

  32. Posted September 2, 2007 at 9:47 am | Permalink

    Removing the meta data section that includes the direct link to your login doesn’t stop registration spam, by the way. The link is known by spammers. It’s the settings within your Administration Panels for allowing users to register and such that activates the registration options.

  33. blackshadowphotos
    Posted September 2, 2007 at 7:53 pm | Permalink

    Yes yes yes! This is needed!

    I delete at least 10 spam registrations a day (some of them re register constantly too).

    I’d love to see either Akismet or some form of CAPTCHA on WP registration.

  34. Posted September 4, 2007 at 9:14 am | Permalink

    Hi,
    I’ve completely recoded my captcha hack on WP registration/login and now it’s a fully working plugin with 5 algorithms to play with, you can find it on my home page, sorry for spamming you :)

  35. Posted September 8, 2007 at 9:56 pm | Permalink

    Removing the meta data section that includes the direct link to your login doesn’t stop registration spam, by the way.

  36. Posted September 15, 2007 at 10:33 pm | Permalink

    http://www.lucidgreen.net/webbybooth/?p=22#comment-5859

  37. Posted September 30, 2007 at 10:14 pm | Permalink

    With the modifications I made to the WPOpenID plugin, you could disable normal registration and have the OpenID logins run through JanRain’s BotBouncer, giving both WordPress blog owners and OpenID users a one-stop-shop for helping block out spam bots.

  38. Posted October 3, 2007 at 12:53 am | Permalink

    I just released my plugin Sabre, acronym for Simple Anti Bot Registration Engine.

    It’s a set of counter measures against spam registration on your blog.
    It may be an answer to the problem exposed in this post.

    Best regards

  39. tpetek
    Posted February 16, 2008 at 5:24 pm | Permalink

    Has something changed in WordPress that stops James Kelly’s Themed Registration plugin from working? I have spent WAY too many hours looking at his code.

    I think I found a problem on line 415. Shouldn’t the “<?” be “<?php” ? Changing this got WP to activate the code.

    Now, although the files are right there, WP can’t open the header.php file. Crazy! Any thoughts would be greatly appreciated.

  40. Posted February 16, 2008 at 5:48 pm | Permalink

    @ tpetek:

    Any thoughts will have to come from the Plugin author. :D

  41. Posted February 19, 2008 at 9:24 pm | Permalink

    I wrote a plugin that seems to be working so far on my blog. If anyone has any feedback, I’d love to hear it.

5 Trackbacks/Pingbacks

  1. [...] Fighting Registration Spam in WordPress: Most WordPress blogs are protected by the best anti-spam triangle of comment spam defenders: Bad Behavior, [...]

  2. [...] new user registration with no comments is weird, and probably just spam registrations anyway, but the silence is a little unnerving. I know that I have some readers, though Certain [...]

  3. [...] serious! She wrote the article Fighting Registration Spam in WordPress pretending to worry about the registration spam in WordPress blogs. I say “pretending” [...]

  4. [...] Even with the recently released version 2.2.3 of WordPress, the “registration spam” problem cannot be brought under control. That this problem is evidently troubling more and more WordPress site operators, especially since there are hardly any practical solutions for it so far, can be seen from the numerous blog posts and comments on the topic. [...]

  5. Try to Block Registration Spam on my WordPress Installations

    I’ve installed a plugin to attempt to block the registration spam I get.  Most of it comes from Russia (mail.ru, yandex.ru, say).  It’s not doing damage as I have everyone locked down to subscriber level initially - it’s more a pain…
