
WordPress: Fight Registration Bot Spam On Your Site With hCaptcha

As with many WordPress sites, Martech Zone is open to anyone registering. I don’t want to shut down open Registration, as I’ve welcomed hundreds of contributors and partners to the site. However, having an open registration form on the site has invited thousands (I’m not kidding) of bots to register accounts to publish malware and spam articles.

A bot that automatically tries to crawl and register on a site is typically called a registration bot or a registration spam bot. These bots are designed to programmatically fill out website registration forms, providing fake or fraudulent information to create user accounts. The motivations behind registration bots can vary, but they generally fall into a few categories:

  • Spamming: Some bots are programmed to create accounts on websites for the sole purpose of sending spam messages or advertisements. By creating multiple accounts, spammers can amplify their reach and increase the chances of their messages being seen.
  • Malicious activities: Registration bots can also be used for malicious purposes, such as creating accounts to launch cyber attacks, distributing malware, or engaging in phishing activities. These accounts may be used to exploit vulnerabilities, steal sensitive information, or gain unauthorized access to systems.
  • Account farming: In some cases, registration bots create many accounts on a website or online service, which can then be sold to other users. These accounts may be used for various purposes, such as gaming, social media, or online marketplaces.
  • Data harvesting: Bots can automatically create accounts to collect information from websites. This data can be aggregated, analyzed, and potentially sold to third parties for marketing, research, or other purposes.

Registration bots are unethical and potentially illegal, depending on the intent and actions associated with their usage.

How to Fight Registration Bots in WordPress

If you want to keep your registration form open on WordPress but minimize the number of registrations and any risk associated with them, here’s how I did it:

  1. New User Default Role: Along with open registration, ensure that the default role of your user is set to Subscriber. This will allow anyone to register and even log in, but they are unable to add, edit, delete, harvest, or perform any other activity. Subscribers can only manage their own profile and cannot even add comments. This can be found on your General Settings page.
  2. Registration Form Challenge: Add a challenge to your registration form that requires human interaction, like a CAPTCHA. I recommend hCaptcha because it’s private (Google’s Captcha harvests data) and loads much faster than other solutions. You can read about it in my post about hCaptcha. They also have a great WordPress plugin that enables you to deploy it on login forms, registration forms, and more.
  3. Remove Spam Users: Optionally, you can also clean out all the spam accounts already registered using CleanTalk. CleanTalk has been the best system I’ve used to deal with spam (comments and users). It checks the IP address and email of the user (or bot) against the CleanTalk database as of the date the comment or signup appeared, and known spam users can be deleted.
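
To show what steps 1 and 2 amount to on the server, here is an added example (it is not code from the hCaptcha plugin or from this site). It assumes the hCaptcha widget is already rendered on the registration form, that the file is dropped into `wp-content/mu-plugins/`, and that a constant named `EXAMPLE_HCAPTCHA_SECRET` (a hypothetical name) is defined in `wp-config.php`:

```php
<?php
// Added example: server-side enforcement of the Subscriber default role
// and of the hCaptcha challenge on the core WordPress registration form.
// Function and constant names prefixed "example_" / "EXAMPLE_" are hypothetical.

// Step 1: pin the default role, so a changed setting cannot give new
// signups anything above Subscriber.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// Step 2: reject any registration whose hCaptcha token does not verify.
add_filter( 'registration_errors', 'example_verify_hcaptcha', 10, 3 );

function example_verify_hcaptcha( $errors, $sanitized_user_login, $user_email ) {
    // The widget posts its token in the h-captcha-response field.
    $token = isset( $_POST['h-captcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['h-captcha-response'] ) )
        : '';

    if ( '' === $token ) {
        $errors->add( 'captcha_missing', 'Please complete the CAPTCHA.' );
        return $errors;
    }

    // The token means nothing until hCaptcha confirms it with our secret.
    $response = wp_remote_post(
        'https://api.hcaptcha.com/siteverify',
        array(
            'timeout' => 5,
            'body'    => array(
                'secret'   => EXAMPLE_HCAPTCHA_SECRET,
                'response' => $token,
            ),
        )
    );

    // Fail closed: if verification cannot be completed, do not create the account.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        $errors->add( 'captcha_unavailable', 'CAPTCHA check unavailable. Please try again.' );
        return $errors;
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        $errors->add( 'captcha_failed', 'CAPTCHA verification failed.' );
    }
    return $errors;
}
```

The check runs in the `registration_errors` filter, so a request posted straight to the registration endpoint without loading the form is rejected the same way as one that fails the challenge.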

You may notice that I named this article Fight and not Stop registration spam bots. All systems are fallible to bots, which are getting far more sophisticated over time.

Soapbox: WordPress Spam and Malware

Issues like this really hurt WordPress’s credibility, and I wish fighting bots and malware were core to their platform. No user should have to pay for third-party tools or managed hosting to use a system safely and effectively. Rarely a week goes by that I don’t hear about someone’s WordPress site being hacked, so it’s not as though it’s not a known issue. I would love to see WordPress do more, like:

  • A native setting to set your login and registration pages to whatever path you’d like. Having tens of millions of platforms with the same login path is simply begging for trouble.
  • Using Ajax, the forms could publish dynamically after the page loads. That means a bot typically wouldn’t even see the form to attempt to post through it.
  • Akismet should honestly buy CleanTalk; it’s a far superior system that even works with third-party form plugins.
  • Build a native human challenge feature into the platform. It could be a CAPTCHA or a simple challenge question like a math problem. Having to program these solutions in or add plugins shouldn’t be required.

I have implemented, developed, integrated, and optimized WordPress for over a decade, so feel free to contact me if your company needs assistance hardening WordPress against spam and malware.

© DK New Media, LLC, All Rights Reserved.


