Do you want to stop spam registrations on your WordPress membership site?
Spam registrations are a common nuisance for site owners who run membership sites or allow users to register and become members of their websites.
In this article, we will show you how to stop spam user registrations on your WordPress membership site.
Why Do Spammers Register On Your Site in the First Place?
Unfortunately, spammers are looking for easy access points to get your way into your site. They often go about making spam accounts on less secure websites using spam bots and other automations.
This allows spammers to collect your email address and try to distribute their phishing links, designed to distribute malware to other members.
And if there’s a vulnerability in a plugin from your site, it could be easier for spammers to exploit that if they can log into your dashboard.
Unfortunately, the default WordPress registration process doesn’t provide many anti-spam mechanisms, which is why you’ll need third-party tools in most cases.
The good news is that if you use a form builder for your site’s user registration, you can deploy the same strategies you would for contact form spam.
That being said, we’ll give you some ways to stop these spam bots in their tracks by ensuring all submissions are from real people. You can click on any of the links below to jump to a method you want to use.
- Method 1: Turn on Email Activation for User Registration
- Method 2: Adding a reCAPTCHA Field to Your User Registration Form
- Method 3: Use Custom CAPTCHA to Prevent User Registration Form Spam
- Method 4: Enable the WPForms Anti-Spam Token
- Method 5: Connect Your Form to Akismet
- Method 6: Block Specific Email Addresses on Your User Registration Forms
- Method 7: Restrict User Registration by Country and Keywords
- Method 8: Use Dedicated Anti-Spam Plugins
- Method 9: Stop Spam Registrations Using Sucuri
Method 1: Turn on Email Activation for User Registration
One of the easiest and most efficient ways to deal with spam registrations is using a form builder with an email activation feature.
Email activation is a feature that automatically sends out a verification link for every new account that’s created on your WordPress site. Real users must click on the email confirmation link to complete the signup.
WPForms is the best form builder plugin on the market, with a variety of spam defense features. It comes with a user Registration addon that allows you to create custom registration forms.
However, to access the user registration addon and the email activation feature, you will need a Pro License to access the user registration addon. WHOOPS.ONLINE users can use this WPForms Coupon to get 50% off their purchase.
The first thing you need to do is install and activate the WPForms plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Upon activation, you need to visit WPForms » Settings page to verify your license key. You can get this key from your account on the WPForms website.
After verification, you need to visit WPForms » Addons page. Scroll down to locate ‘User Registration Addon.’
You need to click on the Install Addon button.
Next, you need to create a user registration form. Go to WPForms » Add New page.
Provide a title for this form and then find the user registration form template. Click on ‘Use Template.’
This will launch the Form Builder with a user registration form template. You can edit the fields by clicking on them.
You can also drag and drop fields to rearrange them.
Next, you need to click on the ‘Settings’ panel. This is where you can configure form notifications, confirmation, and user registration settings.
Click on the ‘User Registration’ tab to continue.
On this page, you can map the form fields to your WordPress user registration fields.
Scroll down and check the box next to the ‘Enable User Activation’ option. This will reveal a dropdown menu where you can select the User activation method.
WPForms uses two creative ways to prevent spam registrations on a WordPress site. You can choose to send a verification email to each user so that they can confirm their registration.
Alternatively, you can require admin approval for each registration on your WordPress site.
Choose the option that best suits your needs and click on the ‘Save’ button to store your form settings.
You can now add this form to any page on your WordPress site and then use that page as your user registration page.
Simply click the embed up top.
Click on ‘Select Existing Page.
Here, you’ll get to choose which page you want to embed the WordPress registration form into.
Select the page from the dropdown menu.
Then, click on the ‘Let’s Go!’ button.
You’ll be taken to the page editor in WordPress. You can edit the page as needed.
When you’re ready to publish the page with the embedded user registration form, click ‘Publish.’
Visit your website to see your spam-proof user registration form.
Depending on your user activation settings, the plugin will either require users to verify their email address or an admin will have to manually approve each user registration on your site.
Note: If you have trouble with your WordPress emails sending to your users, be sure to check out WP Mail SMTP to be sure they make it to your users’ inboxes.
Method 2: Adding a reCAPTCHA Field to Your User Registration Form
One simple way to block spambots from getting through is to use reCAPTCHA. This is a free Google service that helps protect websites from spam by distinguishing between automated bots and human users.
It’s a more advanced version of the CAPTCHA method.
To add reCAPTCHA v3 to your forms, head over to WPForms » Settings in your WordPress dashboard. Then, click on the ‘CAPTCHA’ tab.
Next, you want to select ‘reCAPTCHA’ and make sure that the ‘Checkbox reCAPTCHA v2’ option is enabled.
This will force new users to check a box that proves they’re human.
WPForms will ask you for a Site Key and a Secret Key. You can get this information by heading over to Google’s reCAPTCHA setup page.
When you’re on the Google reCAPTCHA page, go to ‘v3 Admin Console.’
At the top of the page, you should see an option to create a new reCAPTCHA for your site.
Go ahead and click the ‘+’ button on your corresponding site.
You’ll be taken to a screen where you will register your WordPress website. Type in a name under ‘Label,’ which is used for internal reference and won’t be visible to others.
After that, choose the ‘Challenge v2’ option and the ‘I’m not a robot Checkbox’ underneath that.
From there, type in your website’s domain name in the ‘Domain’ field.
Finally, just click the ‘Submit’ button.
Now, you’ll see a page with the site key and the secret key for your website.
Simply copy this information.
Head back to the WPForms settings page and paste the information into the ‘Site Key’ and ‘Secret Key’ fields.
Once you’ve done that, hit the ‘Save Settings’ button.
From there, go to WPForms » All Forms in your WordPress admin area.
Choose the user registration form you want to add the reCAPTCHA to and select ‘Edit.’
Doing this will now open up the form builder.
Then select the ‘reCAPTCHA’ button in the left side panel.
You should see a message appear telling you that your Google Checkbox v2 reCAPTCHA has been enabled.
Click ‘Ok.’
To confirm that it’s there, you’ll see the ‘reCAPTCHA Enabled’ verification at the top right corner of your form.
When you’re done, remember to save your changes by clicking the ‘Save’ button.
Method 3: Use Custom CAPTCHA to Prevent User Registration Form Spam
Sometimes, you may want to use a custom captcha instead of reCAPTCHA. That’s because some users have privacy concerns since it involves interacting with Google’s servers.
WPForms Pro comes with a custom CAPTCHA addon allowing you to create a question-based CAPTCHA, typically in the form of a math equation, to block user registration form spam.
All you have to do is go to WPForms » Addons in your WordPress admin area. Then, find the Custom Captcha Addon, and click on the ‘Install Addon’ button.
After it’s installed, go to WPForms » All Forms.
Find the user registration form you want to add the custom CAPTCHA to and click ‘Edit.’
In the left side panel menu, find the ‘Captcha’ button under ‘Fancy Fields’ and drag it over to your form.
By default, the field shows a random math question.
You can also customize the questions to visitors to challenge users to enter the correct answers.
For example, sometimes, in job or membership applications, you may want to include a keyword that you want users to mention in the form. This shows that they read through the application and aren’t blindly submitting forms through copy and paste.
Click on the ‘Custom Captcha’ field within your form builder to make edits. In the left-hand menu, go to the ‘General tab.’ Select Question and Answer under the ‘Type’ dropdown. Then, just add any questions you’d like.
If you decide on the ‘Question and Answer’ format, make sure to include a few different questions. That way, WPForms can rotate those questions randomly, so it’s more difficult for spambots to predict.
If you choose the ‘Math’ option, then WPForms will automatically generate random math questions to make it less predictable.
Once you’re done, save your changes up top.
Now, you have a custom CAPTCHA button that can easily prevent new spam user accounts.
Method 4: Enable the WPForms Anti-Spam Token
There are many security advantages to you when using WPForms. For one, WPForms has a built-in anti-spam protection feature that verifies a token for each submission.
Spam bots can’t detect this token and, therefore, won’t be able to submit the form. Since the token is embedded into the HTML, it doesn’t affect the user experience.
Every new form automatically has this feature enabled. If you want to check for yourself, navigate to the ‘Settings’ panel. Then click on the ‘Spam Protection and Security’ tab. You should see that the ‘Enable anti-spam protection’ is toggled on.
Method 5: Connect Your Form to Akismet
Akismet is a popular spam-filtering plugin designed to combat comments and form submission spam on websites. It assesses the submission for signs of spam, including spammy keywords and links to suspicious websites.
If you’re already using the Akismet plugin, you can connect it to WPForms. This ensures your user registration forms get the same spam protection that you also have in your blog comments.
Go to the forms you want to filter spam for and head to Settings » Spam Protection and Security.
From there, you can toggle on the ‘Enable Akismet anti-spam protection’ option.
Note: If you haven’t connected your WordPress site to your Akismet account, you won’t be able to see this integration in the WPForms form builder.
Method 6: Block Specific Email Addresses on Your User Registration Forms
Not all spam registrants will be bots. You may get spam submissions from humans as well. Sales agents and scammers are often lurking on websites trying to solicit their products.
CAPTCHAs won’t work against humans, which is why you’ll need to analyze the common types of spam you get and choose the appropriate method.
One way to deal with solicitors is to create a ‘denylist’ of email addresses so that those visitors with that email address can’t create a new account on your WordPress site.
With WPForms, you can create an allowlist and denylist for each form.
When you’re in the form builder, just navigate to the ‘Fields’ panel.
Then simply select the ‘Email’ block from within your user registration form. Under the ‘Advanced tab,’ you’ll see an ‘Allowlist / Denylist.’
In the dropdown menu, you can choose ‘Denylist.’
In the box below, you can type in all of the email addresses you want to block from registering an account on your form.
The great thing about this feature is that you can simply type a complete email address or use an asterisk to create a partial match. Then, simply separate the email addresses by using a comma.
Method 7: Restrict User Registration by Country and Keywords
If you notice that your forms are targeted from a specific country or often contain specific keywords, WPForms offers various filters to block those entries.
The country filter accepts or denies submissions from specific countries. To activate and add countries to deny, you can go to the ‘Settings.’
Then, you just click the ‘Spam Protection and Security’ tab and make sure the ‘Enable country filter’ is on.
Select ‘Deny’ from the dropdown menu and add all the countries that you want to deny user registrations from.
That said, country filtering may not be the best option for online stores. For instance, if you own a WooCommerce store, any customers in the blocked countries won’t be able to access their accounts.
Method 8: Use Dedicated Anti-Spam Plugins
If you aren’t using WPForms to create new accounts, you may need dedicated anti-spam plugins. In that case, there are other options on WordPress that can add additional layers of spam protection for your user registration forms.
The Stop Spammers Security plugin is a reliable tool that gives you a lot of control over how you want to filter spambots.
The first thing you need to do is install and activate the plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Once activated, Go to Stop Spammers » Protection Options. Stop Spammer Security is a powerful WordPress plugin that aggressively monitors your website for suspicious spam activity.
The default settings on this page will work for most websites. However, you can uncheck a few of them if you feel lots of legitimate users are unable to log in.
You can even block users from specific countries if you wish. Once you’re done, click on the ‘Save Changes’ button to store your settings.
The plugin uses a number of spam prevention techniques. It uses HTTP Referrer and Header requests to verify that a user is genuinely accessing your website.
It also checks against Akismet API for known spamming activity. The plugin also maintains a list of bad hosts known for tolerating spam activity and blocks them.
Under Stop Spammer » Block Lists, you can block IP addresses, emails, and spam words.
The great thing about this plugin is that default settings have just about most spam defenses already activated.
That means there’s not much you need to do other than to install the plugin and test to see if it’s working.
Method 9: Stop Spam Registrations Using Sucuri
At WHOOPS.ONLINE, we use Sucuri to protect our website against spammers and other security threats.
Sucuri is a website security monitoring service. It blocks hackers, malicious requests, and spammers from accessing your site or injecting any malicious code.
For more details, check out how Sucuri helped us block 450,000 WordPress attacks in 3 months.