How to block bot registrations
There is no way to block 100% of spam, but you can block most of bots if you follow next recommendations:
- Disable caching for important pages
- Disable default WordPress registration form
- Disallow third-party plugins to create an account
- Approve new members after email verification
- Use Google reCAPTCHA
- Use unique links
- Use security plugins
1. Disable caching for important pages #
Disable caching for pages "Login", "Password Reset", "Register". Caching of the authentication functionality is a security vulnerability.
Caching plugins usually have settings to disable caching on certain pages, use them.
Pay attention that some hosting providers have a built-in caching tool on the server side. Please look at the server settings or ask hosting support for assistance.
2. Disable default WordPress registration form #
Go to the page [wp-admin > Settings > General] and disable setting "Membership - Anyone can register".
3. Disallow third-party plugins to create an account #
Ultimate Member can’t forbid another plugin to create an account, so you have to do it manually. See the example for WooCommerce plugin below:
[wp-admin > WooCommerce > Settings > Account & Privacy]
4. Approve new members after email verification #
Set the user role option "Registration Status" to "Require Email Activation". In this case a new user have to confirm the email to approve the account.
[wp-admin > Ultimate Member > User Roles > Edit Role]
5. Use Google reCAPTCHA #
Add Google reCAPTCHA to the login form and to the registration form. Add Google reCAPTCHA to the social login registration overlay form if you use the extension " Ultimate Member - Social Login".
[wp-admin > Ultimate Member > Forms > Edit Form (Registration)]
6. Use unique links #
Change the register page link from default "register" to some other.
[wp-admin > Pages > Edit]
7. Use security plugins #
Install and configure one of security plugins, such as Wordfence Security, Sucuri Security, Cerber Security or similar. Please be careful with the security settings, because too strong rules may block useful functionality.