How to block bot registrations
There is no way to block 100% of spam, but you can block most of the bots if you follow the next recommendations:
- Disable caching for the registration page
- Add captcha to the registration form
- Disable default WordPress registration form
- Disallow third-party plugins to create an account
- Approve new members after email verification
- Block email addresses
- Use unique links
- Use security plugins
1. Disable caching for the registration page #
Disable caching for pages "Login", "Password Reset", "Register". Caching the authentication functionality is a security vulnerability.
Caching plugins usually have settings to disable caching on certain pages.
Some hosting providers have a built-in caching tool. Look at the server settings or ask hosting support for assistance.
2. Add captcha to the registration form #
Add Google reCAPTCHA to the registration form. Add Google reCAPTCHA to the social registration form if you use the extension Ultimate Member - Social Login.
Install a free Ultimate Member - reCAPTCHA extension to use reCAPTCHA. Follow instructions in the article Google reCAPTCHA to configure the reCAPTCHA protection in the form.
Image - Settings on wp-admin > Ultimate Member > Forms > Edit Form (Registration).
You can use the Math Captcha in addition to Google reCAPTCHA or separately.
You can use the Friendly Captcha as an alternative for the Google reCAPTCHA.
3. Disable default WordPress registration form #
Go to wp-admin > Settings > General and disable the setting "Membership - Anyone can register".
Image - General Settings.
4. Disallow third-party plugins to create an account #
Ultimate Member can not forbid another plugin to create an account, you have to do it manually.
For example, if WooCommerce setting Allow customers to create an account during checkout is checked you might encounter a bot spam issue when using WooCommerce and Woo Subscription add-on. Unchecked the boxes of the Allow customers to create an account during checkout and Allow subscription customers to create an account during checkout under Accounts & Privacy in Account creation to avoid the bot registration.
Image - Settings on wp-admin > WooCommerce > Settings > Account & Privacy.
5. Approve new members after email verification #
Set the user role option "Registration Status" to "Require Email Activation". In this case, a new user has to confirm the email to approve the account.
Image - Settings on wp-admin > Ultimate Member > User Roles > Edit Role.
6. Block email addresses #
Block email addresses or entire email domain if spam registrations come from a certain email address or a certain email domain. Use the Blocked email addresses setting on wp-admin > Ultimate Member > Settings > Access > Other. Follow the guide Block Email address on Registration.
7. Use unique links #
Change the registration page URL from default "register" to something unique for your website.
8. Use security plugins #
Install and configure one of the security plugins, such as Wordfence Security, All-In-One Security, Sucuri Security or similar. Please be careful with the security settings, because too strong rules may block useful functionality.