Most WordPress blogs are protected by the best anti-spam triangle of comment spam defenders: Bad Behavior, Spam Karma 2 and Akismet.
However, little or nothing is available to help prevent registration spam.
Registration spam differs from comment spam as it comes through the WordPress login form, not blog comments. WordPress blogs which require registration to comment, contribute, or participate have little or no protection from spammers hammering away at their registration forms.
There are WordPress Plugins for contact forms which include spam protection, such as the WordPress Contact Form with Spam Protection Plugin, based upon Ryan Duff’s popular WordPress Contact Form. But a contact form isn’t your blog’s registration form, so it doesn’t help.
There are several WordPress Plugins and hacks which will block registration attempts based upon a blacklist. The problem with this is that you have to put the blacklist together and keep it updated. Spammers are constantly changing their IP addresses and other information to get past blacklists, which seem to be obsolete before they are published. This method is a nice band-aid, but it isn’t effective in the long run.
There are also some hacks to the WordPress code, from Exile from Groggs and Raz-Soft, that put a form of CAPTCHA or test into the Registration screens. This involves changing the core programming code for WordPress, something few want to do.
There is also the Themed Login WordPress Plugin which allows the administrator to “theme” the WordPress login, adding words and design elements to customize the look, but it doesn’t add any way of testing the registrant for validity.
There is an idea on the WordPress Ideas pages for improving WordPress registration protection in the core programming. Because this issue applies to so many blogs (any WordPress blog with more than one blogger, blogs that require registration to comment or contribute, and private blogs), I think it’s a good idea.
My recommendation would be to get Akismet to cover registration as well as comments.
As a last resort, many are hunting for a WordPress Plugin that will add a CAPTCHA or quiz test to the registration login form for WordPress. I’ve not found one. Have you?
Is this an issue that you have to deal with on your WordPress blog? If so, and you’d like to see something added to the WordPress core programming, let your voice be heard on the idea post for improving WordPress registration protection.
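A quiz test on the registration form does not have to mean editing core files, because a plugin can hook the form and its validation. The following is an added example, not code from this post or from any plugin it names; every `regquiz_*` name is hypothetical, and it assumes a WordPress version that provides the `register_form` action, the `registration_errors` filter and `wp_salt()`.

```php
<?php
/*
 * Plugin Name: Registration Quiz (added example)
 * Description: Arithmetic question and honeypot field on the registration form.
 */

// Every regquiz_* name is hypothetical; the hooks and helpers are WordPress's own.
const REGQUIZ_TTL = 900; // seconds a rendered form stays valid

// Bind the expected answer to the issue time so no server-side state is needed.
function regquiz_sign( $answer, $issued ) {
	return hash_hmac( 'sha256', $answer . '|' . $issued, wp_salt( 'nonce' ) );
}

// Read one POST field as a string; arrays and missing fields become ''.
function regquiz_field( $name ) {
	$value = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
	return is_string( $value ) ? trim( $value ) : '';
}

// Print the question, its signed token and a hidden honeypot inside the form.
function regquiz_render() {
	$a      = wp_rand( 1, 9 );
	$b      = wp_rand( 1, 9 );
	$issued = time();
	$token  = $issued . ':' . regquiz_sign( $a + $b, $issued );
	?>
	<p>
		<label for="regquiz_answer"><?php echo esc_html( "What is $a + $b?" ); ?></label>
		<input type="text" name="regquiz_answer" id="regquiz_answer" class="input" size="5" autocomplete="off" />
	</p>
	<input type="hidden" name="regquiz_token" value="<?php echo esc_attr( $token ); ?>" />
	<p style="position:absolute;left:-9999px" aria-hidden="true">
		<label>Leave empty <input type="text" name="regquiz_website" tabindex="-1" autocomplete="off" /></label>
	</p>
	<?php
}
add_action( 'register_form', 'regquiz_render' );

// Reject the registration unless the honeypot is empty and the answer checks out.
function regquiz_validate( $errors, $sanitized_user_login, $user_email ) {
	if ( '' !== regquiz_field( 'regquiz_website' ) ) {
		$errors->add( 'regquiz_trap', 'Registration rejected.' );
		return $errors;
	}

	$answer = regquiz_field( 'regquiz_answer' );
	$parts  = explode( ':', regquiz_field( 'regquiz_token' ), 2 );
	if ( 2 !== count( $parts ) || ! ctype_digit( $parts[0] ) || ! ctype_digit( $answer ) ) {
		$errors->add( 'regquiz_missing', 'Please answer the question with a number.' );
		return $errors;
	}

	list( $issued, $mac ) = $parts;
	$expected = regquiz_sign( (int) $answer, $issued );
	if ( time() - (int) $issued > REGQUIZ_TTL ) {
		$errors->add( 'regquiz_expired', 'The form expired. Please reload and try again.' );
	} elseif ( ! hash_equals( $expected, $mac ) ) {
		$errors->add( 'regquiz_wrong', 'That answer is not correct.' );
	}
	return $errors; // WordPress creates no account when $errors is non-empty
}
add_filter( 'registration_errors', 'regquiz_validate', 10, 3 );
```

A check like this filters unattended form-fillers only; a registration typed in by a person passes it, so it complements moderation and new-user role settings rather than replacing them.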
Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.
78 Comments
Never thought of this. Luckily my blog is not that known throughout the world, so I only get the ‘normal’ spam, but it is a good thing to think about.
I’m definitely in this boat. I wanted to have my community to register to have some special e-mails, etc., and yet I’m getting “people” registering with weird names.
What are the dangers of having people logged in? Why spam the registration pages? Are they looking for a hole in whatever code base we are running?
It made me seriously think over fighting with the spam because these spammers. But what surprised me is, I have tried every possible spam prevention tool like captcha and Recaptcha with my blog but everything seems to suck. Spams are the biggest bugs of any blog. Bloggers generally are compelled to deal with spam comments and even if the comment moderation is on, spammers find a way out of nowhere to insert trashy links to your blog’s comments.
I think the idea behind registration spam is to try and either appear on the Authors page or hope that the blog admin was silly enough to give new users posting rights by default. At any rate, I agree that some kind of moderation or spam filtering needs to get applied to user logins. I delete one of these registrations every other week, always with a Russian e-mail address.
My site requires registration to post a comment and first-time commenters are moderated. I see 2 to 4 registrations which are obviously spam. They never even tried to post a comment, so what purpose do the spam registrations serve? Normal users can’t see the list of users. Do they think that the site administrators will visit their obviously spammy web sites?
TruBar 3.0(Reg) stops 100% of the spam registration. This plugin requires editing of one core file.
This is definitely something which needs addressing, to bring it into line with the excellent comment spam protection, as mentioned.
The reason seems to be (although I may be wrong) connected with a need to have a web address, although the people using it are clearly spammers.
The reason I say this is that I played around with WordPress Mu (http://mu.wordpress.org) for a while and people were registering and creating a page, but nothing thereafter and they were all spammers. In the end, I gave up on having a community area because the time taken to weed out the idiots did not seem worthwhile.
If anyone can crack this one, there will be a lot of grateful people willing to laud and praise them!
Jesse Harris, I’m one of the “silly admins” who gives new users posting rights by default.
You are The Author in WordPress.Mu
I have never understood why they do this either.
Another enhancement that would make clearing them out easier is knowing which users have commented. The Users admin page shows which ones have posted but not which ones have commented.
I’m pretty sure that such registrations are done for future hack attempts. From time to time new security vulnerabilities may be discovered that will allow unprivileged users to post to the blog (when they are not supposed to) – so spammers will exploit this.
Thanks for the link. The method I described on my blog has completely stopped spam registrations – and they were a nightmare before that. Thanks also for promoting my WP idea!! I agree that this is a big enough issue from an admin point of view to warrant some development, especially since a fix would be so easy.
The only other spam that was a problem was trackback spam – so I simply stopped trackbacks to the site (nobody I knew would have been using them anyway).
I don’t think it’s particularly that the bots are seeking permission to write comments at all. By registering, they create a link to their target page in user lists, which presumably gives them a chance of becoming more visible in search engines. Also, when real users access the user list, they see and can click the links. As to why – don’t ask me. I don’t really understand what the point of sending emails offering enhanced virility is, either, but somebody must find it worth their while.
Have a look at this:-
http://www.homelandstupidity.us/software/bad-behavior/
It can be installed as a normal plugin in moments and in my case, it was catching some of these characters within seconds.
It is also usable as an extension for MediaWiki and other applications.
@ Lorelle – your link to Bad Behaviour in the opening paragraph is out of date. It seems that the current site is here:
http://www.bad-behavior.ioerror.us/
How about capcc? http://wp-plugins.net/plugin/capcc1.0/
Worked right out of the box for me.
I’ve got four sites powered by wordpress and all seem to get different types of spam…
On one, I do get a lot of phoney registrations, who never post anything, and all have a .ru email address.
On that same site, I have contact forms, which are endlessly hammered by one offender.
I think both perpetrators are from the same source, and I am on the “list” of sites to spam regularly (e.g. the contact form spam always features the same words, but links to different sites and the registrations are always VERY similar).
Surely this must work a few times out of a thousand, but are they making any money at it? I mean, does anyone really buy viagra from an unknown source on the internet anyway?
I get a lot of visitors and I still only get one or two registrations spams per month. I think once they find out that your blog is set for new users to be just that, they don’t bother for awhile.
You could also always just hack out wpmu anti-splog release (We give that stuff away for free!) http://wpmudev.org/project/Signup-Security-Question/
I think bots register because evil people look for admin access to your blog; in previous versions there was a hole, and some bloggers don’t even install wp properly. That is why they register and don’t write comments because your security has high level, that’s good 🙂
OpenID. Use it. I am and it’s a good solution, I’d say.
good point as there are lots of clowns and machines on the web that crank out these bogus registrations
I feel that requiring registration in order to comment would turn away some legitimate commenters who are in a hurry. Because I am so desperate for comments, (I know, it’s sad), I don’t require registration. I have had very few registrations anyway.
I recently started using Bad Behavior to add to Akismet. BB did cut the Akismet caught spam by about 1/3. The thing I really don’t like about BB is this: There does not seem to be any way to verify that BB is not blocking valid commenters. All you can do is look in the options panel to see how many “attempts” BB has blocked. Or, look in your WP DB at the BB table. Neither of these gives me any information so I would be able to detect a false block by BB. Because of this, I am thinking of removing BB.
What do you all think? Is this a concern, or is BB basically perfect in its blocking and we don’t need to worry?
Anyway, since you have TruBar, you may be very qualified to address my concern about having no records for the spam being stopped. Are TruBar and BadBehavior so accurate that my worries are much ado about nothing?
I admit I am a bit of a worrier, but I just hate the idea of legitimate comments being blocked by mistake and us never knowing it.
btw: I love your site and your theme.
Thanks for the correction. I sure wish WordPress.com had a complete content area search and replace. SIGH.
Will: Nothing is perfect, but Bad Behavior is so close that there is not a lot of difference.
Bad Behavior works by recognizing certain characteristics of automated systems and blocks them from accessing the site *entirely*. It’s not analyzing the content of comments, it’s analyzing the hidden aspects, like the type of browser they’re using and other such things. So Bad Behavior is not going to block comments, per se.
But it could, in theory, block somebody from seeing your site at all.
Now, when it does block somebody, it gives them links to contact you (if your email is correct) and other such things. So if somebody gets blocked as a false positive they’d probably say so. However, given that Bad Behavior is fairly widespread, they’d likely get blocked from lots and lots of sites, and work out what it is that they’re doing wrong.
Also, Bad Behavior defaults to letting them through. It only blocks when it’s reasonably sure that the client is a bot or other automated system. It’s not going to catch *all* automated systems, just enough of them to help.
In other words, I wouldn’t be concerned about it. It “just works”, so be thankful for it and keep it up to date when new versions are released.
I certainly like the idea of spam check for users, ala Kismet. I also get a lot of the .ru users, and occasionally some attempts from China.
@Otto: Thanks! That was a great explanation. Now all is good and content in the land of worry!
I apparently don’t suffer from it. But then, New Harper’s Mews is not exactly up there with the Daily Kos, et al. (grin)
I use Advanced Textual Confirmation and have no spam problems. ATC is an antispam for forums, blogs, contact forms, and others. It is a smart textual CAPTCHA, which challenges site visitors only once, and then disappears. Here is how to add it to WordPress:
http://bbantispam.com/forum/viewtopic.php?t=285
Hi Lorelle and thanks for the link to my anti-spam registration solution, works like a charm here, I hope bots will stay away now for good 🙂
Yes it is an increasing problem.
Big problem for me. I’m using Raz Soft & still getting some spam bots that get through & register. We need either a plugin or something built into the WP installation that fights this problem.
Personally, I don’t find Akismet that effective & so don’t use it. So I’d prefer something not dependent on Akismet, but that’s only my own preference.
So far, I have been solving this problem by simply removing the meta section from the sidebar altogether. Maybe I’ll try some of these tips.
Thanks for sharing:)
Removing the meta data section that includes the direct link to your login doesn’t stop registration spam, by the way. The link is known by spammers. It’s the settings within your Administration Panels for allowing users to register and such that activates the registration options.
Yes yes yes! This is needed!
I delete at least 10 spam registrations a day (some of them re register constantly too).
I’d love to see either Akismet or some form of CAPTCHA on WP registration.
Hi,
I’ve completely recoded my captcha hack on WP registration/login and now it’s a fully working plugin with 5 algorithms to play with, you can find it on my home page, sorry for spamming you 🙂
Removing the meta data section that includes the direct link to your login doesn’t stop registration spam, by the way.
http://www.lucidgreen.net/webbybooth/?p=22#comment-5859
With the modifications I made to the WPOpenID plugin, you could disable normal registration and have the OpenID logins run through JanRain’s BotBouncer, giving both WordPress blog owners and OpenID users a one-stop-shop for helping block out spam bots.
I just released my plugin Sabre, acronym for Simple Anti Bot Registration Engine.
It’s a set of counter measures against spam registration on your blog.
It may be an answer to the problem exposed in this post.
Best regards
Yes.
My site suddenly started to get registration spam. Over 100 “new users” in a day. This plugin seems to have stopped it.
Good Job!
Has something changed in WordPress that stops James Kelly’s Themed Registration plugin from working? I have spent WAY too many hours looking at his code.
I think I found a problem on line 415. Shouldn’t the “<?” be “<?php” ? Changing this got WP to activate the code.
Now, although the files are right there, WP can’t open the header.php file. Crazy! Any thoughts would be greatly appreciated.
@ tpetek:
Any thoughts will have to come from the Plugin author. 😀
I wrote a plugin that seems to be working so far on my blog. If anyone has any feedback, I’d love to hear it.
I use Akismet combined with Spam Karma 2 and also Bad Behavior. But Bad Behavior blocks the ping from host-tracker that checks blog uptime. So Bad Behavior is deactivated now.
“As a last resort, many are hunting for a WordPress Plugin that will add a CAPTCHA or quiz test to the registration login form for WordPress. I’ve not found one. Have you?”
I have been using SABRE for some time (comment 38) and it is really good offering a lot of flexibility. I don’t like CAPTCHA so I have configured it for the basic sanity checks plus the maths question and I think I have only had one unexplained registration in almost a year.
This will now be a much bigger issue. I never had registration open on my blog because I am the only author. This week I added facebook connect to my blog, which allows our readers to create an account on our blog and link it to their facebook account. The facebook connect plugin opens up registration. I like facebook connect, but hate the registration spam. Will have to balance the pros and cons on this one.
It’s becoming more and more of an issue for me. I constantly get emails of sign ups happening. Stopping spam on comments is working fine for me, it’s just registrations.
Shame there aren’t many decent apps/plugins out there. Would be nice for a solution that integrates easily.
They are getting better, thank goodness. If I hear of any wunderkind types, I’ll post them here.
I apparently got registration spam, but don’t understand what they are registering for??? I can’t find a register button on my site. And if they can register, how do I use this to my advantage… like to collect a user database that I can send notices of updates to?
Are you sure it isn’t a comment? How do you know it’s registration spam? A typical WordPress blog doesn’t have registration spam. It has people attempting to register but unless you have open registration, they can’t.
As for what you do with those who register, that’s up to you. There are WordPress Plugins that can help you open up registration, but really, a newsletter subscription or feed subscription service might be of more value than opening up access for people to comment or publish on your blog.
I now better understand and realize that it is a registration attempt, but for what? The only way you can register on my site is to visit my login to my dashboard… which does not make any sense. There is no login link on my web site with my current theme. Someone would have had to manually or robotically choose to go to my domain.login-php.
Check your site to see if it has been hacked. There’s a lot of that going around, with WordPress and other services.
Yes it is a big problemo, I’ve actually had to close my registration even with captcha enabled I get 300-400 signups a day. I really can’t tell who’s authentic or not, because wordpress does not “already have double opt in enabled”. So they really are not verifying their account. So today I ended up just deleting everyone and closed my registration, and I am thinking of removing the ability to comment as well, that way all people have to do is read my posts and that’s it. I also took down my forum as well.
I provide free graphic design resources and tips and stuff it’s not much but I get an insane amount of traffic.
I don’t contact the people who sign up anyways, I never even read their profiles I don’t have time I run several blogs and care more about giving them good content to read versus collecting their info. I’m not one of those list collectors, I make most of my money with AdSense, I do affiliate marketing for adobe and Lynda.com as well but I try to keep it ad free as much as possible because too many ads can slow down the page load time. And besides no one wants to see a bunch of ads.
Comments are one of the things that makes this a blog. It is an interaction. You can’t delete them. OK, you can, but who will come back? I wouldn’t have gotten your update. And no sense posting if nobody comes back. Why don’t you just get a captcha or quiz plugin to eliminate the bots?
Captchas do not work.
Thanks for the information regarding protecting your blog. I’m relatively new to the blogging world, posting blogs for my course on comedy. I’m a little in the dark on the technology, plugins and protection from malware, which I never thought of until I read your post. So thanks again. I’m going to subscribe to your site so I can keep up to date.
When will WordPress improve its core programming to protect Bloggers from the scourge of registration spam? Multi-authored WordPress blogs need registration protection! Any suggestions for dealing with the problem welcome.
I don’t understand. There are WordPress Plugins which serve to assist those with open registration. In the scale of things, few blogs offer open registration. Most don’t require it for comments or interaction. Therefore, it is doubtful that WordPress will do more than support Plugins and Akismet that work well to protect blogs from comment and registration spam.
I’ve just had 80 spam registrations since the morning – I believe there is an htaccess entry you can put in that will help (by blocking bots that don’t have a valid referrer from registering) – nobody will generally wind up on the reg page without a referrer
This is one option, though many bots use “valid” referrers as they know this trick.
I have not had any registration spam since I originally posted my comment a couple years ago. But I don’t think it is because I use SI CAPTCHA Anti-Spam. When I go to my log in page, there is no place to create an account. I think it was an option by default. But in the General Settings tab, if you un-check the “anyone can register” box, registering is not an option. Of course, if you want to let people register, that is up to you. Just check the box. When someone wants to register, they will have to enter the captcha if you have SI CAPTCHA Anti-Spam activated.
There is a plugin for WordPress that is simply called “Captcha” that can help a lot with registration (and other) spam.
I would never recommend any CAPTCHA anything. They work for a short time, building confidence, and are quickly defeated. Also, spammers are using humans to spam and they can overcome all of these.
I think I can be a VERY good example for using SABRE. Tonight (30 minutes ago), I came back from an evening with friends. First thing I noticed, I was getting message over message about people registering on my blog. It used to be one every two days and I was too lazy to remove them. And all of a sudden, I got not one every two days, but ONE EVERY MINUTE! My Gmail notifier was popping up all the time! Then I resolved to do something. To do something now. I googled for “spam registration wordpress”. I stumbled upon this post and SABRE. I read the post, then downloaded SABRE. Meanwhile, my Gmail notifier was still popping up. I installed Sabre. Like magic, no more registration spam. I really recommend it. Sure, spammers will find a way to circumvent it. But so far, so good.
Long live SABRE! I’m adding it to my must-have list of plugins. Merci Didier !
I’m glad you are so excited about this, but honestly, the test of time will make the difference.
By the way, the over enthusiasm may be just that, but it really feels like you are totally over the top, making me highly suspicious, so I may edit your comment accordingly. Capital letters in a comment are poor form.
“As a last resort, many are hunting for a WordPress Plugin that will add a CAPTCHA or quiz test to the registration login form for WordPress. I’ve not found one. Have you?”
I found si-captcha-for-wordpress to be very useful. You can try it, it works with the latest version too.
Since I upgraded my wordpress blogs, I have been getting a ton of registration spam. I noticed this page and saw my comment from several months ago… thanks for leaving it, as it provided the answer (lol). Seriously, I suppose the register boxes were somehow unchecked in the wordpress upgrade process… Unless upgrading my hosting to a different server somehow did it. Is there any known benefit to being registered for a site except that possibly the site might accept comments from registered users without being moderated?
The only benefits for registration is for multiple authors or registered users (for forums, commenting, access, etc.).
Upgrading WordPress should not change your main settings, such as marking comments as requiring login and such, so that’s weird. A Plugin might have done something but that is also odd. Moving can do all kinds of fun things, so that was probably it.
People use registration to control comment moderation but that doesn’t work. Using moderation works, Akismet makes it work better, but limiting comments to only those who register and are logged in isn’t friendly nor welcome on a site with interactivity as its goal.
I’ve been having the same issue for a while regarding spam registrations. However, this past week I have seen the number increase dramatically. I’m assuming that more and more spammers are getting a hold of my website address and adding it to their list(s).
Tried a couple plugins, but no success yet.
These things come in waves. We all just keep putting up with it instead of stopping it at the source. Someday… sigh.
Thanks.
A CAPTCHA plugin works well on my registration page, but I am still getting Facebook Connect registration spam.
Glad something is working, though registration will still come through even with a CAPTCHA as so many spammers are humans, easily bypassing the torture test. Can’t help you with Facebook stuff. That’s a different animal. Good luck with it. Thanks.
SI CAPTCHA Anti-Spam plugin adds captcha to the registration form. But two weeks after installing the plugin, I’m getting more bogus registrants. Not sure how they’re getting past the captcha.
Because they are human beings spamming your site, not bots.
Hi. Do you happen to know a way to identify or get rid of previous registration spam after one has stopped it coming in? How does one tell if it is real email address or not? Advice appreciated! Regards and thanks.
I am not an expert in registration spam. Ask on the WordPress support forums. Thanks.
I have a big problem with spam registration. There are hundreds of spam registrations on my site every day. Akismet, recaptcha and other plugins are not working.
Then add Bad Behavior and other registration spam fighting tools specific to those needs.
10 Trackbacks/Pingbacks
[…] Fighting Registration Spam in WordPress: Most WordPress blogs are protected by the best anti-spam triangle of comment spam defenders: Bad Behavior, […]
[…] new user registration with no comments is weird, and probably just spam registrations anyway, but the silence is a little unnerving. I know that I have some readers, though Certain […]
[…] serious! She wrote the article Fighting Registration Spam in WordPress pretending to worry about the registration spam in WordPress blogs. I say “pretending” […]
[…] Even with the recently released version 2.2.3 of WordPress, the “registration spam” problem cannot be brought under control. That this problem is evidently troubling more and more WordPress operators, especially since there are so far hardly any practical solutions for it, can be seen from the numerous blog posts and comments on the topic. […]
Try to Block Registration Spam on my WordPress Installations
I’ve installed a plugin to attempt to block the registration spam I get. Most of it comes from Russia (mail.ru, yandex.ru, say). It’s not doing damage as I have everyone locked down to subscriber level initially – it’s more a pain…
[…] race will start. But so far, so good.They say fight fire with fire I say:Fight fire with SABRE(My exemplary story: 50 to 0 in 1 minute. Merci Didier !) This entry was posted in Informatique and tagged in english, plugin, registration […]
[…] comment on fighting registration spam in wordpress by arnie […]
[…] Fighting Registration Spam in WordPress […]
[…] Fighting Registration Spam in WordPress: While many concentrate on comment spam, registration spam is very frustrating to all bloggers and forums. What is being done about it? […]