Registration Control

If your website has open user registration, it is highly likely that spam registration will be happening very often, because spam-bots will take any opportunity to infiltrate the website, especially if they can do it easily. The reasons for spam registrations include: comments and forum posting, vulnerability probes that only work for logged-in users, exploration of website for other potential exploits.

To make sure you can minimize spam registrations, and ban source IPs to prevent future attempts, Registration Control feature offers plenty of methods and settings to do exactly that.

Validation of registration data

WordPress’ registration requires email and username. There are 3 major areas where registration control is involved, with additional check done before all that, and few more advanced checks after.

Project Honeypot

If you have configured API key for Project Honeypot service, you can enable this check whenever user access the registration page, even before any information is filled. If the user IP is on the Project Honeypot spam list with minimal threat level of 25 (or whatever you set in the settings), the request will be prevented, with the 403 error. This will practically prevent the spammer to even get the chance to register an account.

Email Domain Validation

If the registration is attempted, plugin will get Username, Email and also a domain from the Email. Each option for the Domain validation is explained in the settings for this feature, so there are few things that is important to remembed:

  • If you want to always allow users from certain domain (internal company domain), just set that domain in the Allow list, and if allowed, all other checks will be skipped.
  • Email on subdomain is very unusual, and other than EDU/AC/GOV based domains, it is not used anywhere else, and no commercially available email services have subdomain emails, so it is safe to assume that these will be bots and spam.
  • If the domain is on the list of disposable domains, it is best to prevent the registration too. Disposable domains are giving temporary email accounts that are deleted after hour or two.

Email Validation

If the domain has passed the validation, email is checked against two deny lists, one with exact emails to deny, and other is more versatile regular expressions based validation.

Username Validation

If the domain has passed previous checks, username is checked against basic deny list and the more advanced regular expressions deny list.

Additional Validation

You can check the user agent for the request, and deny any registration attempt without user agent. And finally, very important is check the email and username on the StopForumSpam website, which is very, very reliable source to identify spam.

Supported Registration Methods

This feature hooks into WordPress main registration system, so it should work with any registration methods. Plugin fully support normal registration and multisite registration method too.

Plugin is tested with WooCommerce, BuddyPress, bbPress, and works fine. Other registration methods will be tested in the future. But, any other plugin that goes through the normal WordPress registration process (regardless of the interface), will be processed by the coreSecurity Pro.

Feature Limitations

As with any set of filters that need to work with wide range of input data, Registration Control is never 100% effective, and some spammer accounts will still get registered, and in the same time, it is possible that legitimate registration attempts are caught.

While the plugin filters are very effective against bots based registration, and the real human spammers registration attempts, spammers can learn to adapt by using legitimate emails or domains, try using original usernames. This is rare, because the spammers goal is to quickly create accounts and post spam, without wasting moo much time trying to beat every website antispam measures.

It is always a good idea to check registrations from time to time to see if some registrations could be filtered out by creating new regular expressions filters, or by banning domain.

Rate this article

You are not allowed to rate this post.

Leave a Comment