In a situation where your WordPress site allows user registration, it is vulnerable to user registration spam from spam-bots. However, even if your site does not allow user registration, you may still receive spam registrations.
Due to the expansion of WordPress from blogs to membership, multi-user platforms, BuddyPress, and various sites with open registration, spam users have become a common problem for many site owners, especially those with open registration.
These bots can
- bloat up your database, which just generally makes site management difficult and less efficient,
- damage your SEO with spammy outbound links, which can defame your site in the eyes of Googl),
- and adversely affect your real users. For example, if you are using BuddyPress, spam users can send private messages to legitimate users.
Spammers can attack via sources like contact forms, email sign-ups, website comments, and so on, in WordPress. One of the most irksome spam to deal with is the WordPress registration spam. WordPress registration forms are targeted by spammers to create bot accounts that spam links and/or try to inject malicious scripts. These spam sign-ups
- consume large storage in your servers and devices when they appear in bulk,
- can harm your website or devices and can also be automatically forwarded to the registered users on your website through malware, if you click on them by mistake,
- and can slow down your website performance by using your server resources.
- Security weaknesses in plugins and themes can be taken advantage of by such registration spam and can change the roles and credentials of the editors, authors or even admins of the website. creating a dangerous and real threat to your WordPress site.
One of the easiest ways to delete spam users is bulk delete them by choosing the Delete option from the Bulk Actions dropdown through your Users tab. You can also use Bulk Delete, which is a plugin that allows you to automate this process. This is a great option to handle a one-time attack. However, if you have too many users to be able to deal with manually or identify automatically, you can opt for SplogHunter (formerly known as “WangGuard”). Moreover, if you don’t need it, ensure the “Anyone can register” option is switched off in your settings.
Yet another excellent option is to install the Akismet plugin. It is an integration with a hosted spam filtering service made by the folks at Automattic (the commercial company behind WordPress.com). It filters your incoming comment messages for spam content and can automatically file the worst away into your spam folder so that it never even touches your comment moderation queue.
Furthermore, you can prevent spam user registration on WordPress by
- adding CAPTCHAs (Completely Automated Public Turing Tests to Tell Computers and Humans Apart) to your sign up forms as it requires real people to verify that they are not a bot,
- changing your login path,
- using a plugin that checks signups against a database of spam users,
- using the confirmation email verification with a link customers must click to activate their account,
- having an admin manually approve accounts for smaller sites, using multi-factor registrations with SMSesSMSs, OTPs, or apps,
- adding access rules to block spam users,
- or using the Honeypot method that involves the creation of some invisible fields in a user form that should not be filled in by users. Thus, if someone fills in those particular fields, it would mean that they are using a text-based browser (browsing through the source code); robots often fill these fields which gives us the hint that this is not a genuine human.
Spam registrations tend to come in waves when there is a vulnerability of ‘privilege escalation’. This means that when a bot detects that you have a certain vulnerability, such as Contact Form 7 or WordPress GDPR or both, with recent instances of compromised security, it creates a user as a subscriber or customer and tries to use the vulnerability to act as the site administrator. If the plugin has not been updated and they succeed, they can act as administrator, evade security checks, change options, create posts, and so on, and you are hacked. In short, anyone can make changes to your WordPress website without being authenticated.
Unfortunately, most WordPress plugins are vulnerable to privilege escalation. Therefore, some good examples of plugins are WP-SpamShield Anti-Spam that manages every aspect of your website is, and this includes your registration forms and AntiSpam by Fullworks that blocks automated WordPress and WooCommerce registrations. Hence, by installing AntiSpam you can foil potential hackers wanting to exploit privilege escalation.