Dealing with spam registrations on your WordPress membership site can be a real headache. Spam users can clutter your database and waste your time.
We heard from many of our readers that they notice this issue when they allow user sign-ups. We also have our free video tutorials set up on a members’ only site, so we have dealt with spam registrations firsthand. They are annoying and can slow down your website.
In this guide, we will help you stop spam registrations on your WordPress membership site. With just a few simple steps, you can keep your site spam-free.
Why Do Spammers Register On Your Site in the First Place?
Generally, spammers are looking for easy access points to get their way into your site. They often go about making spam accounts on less secure websites using spam bots and other automation.
This allows spammers to collect your email address and try to distribute their phishing links, which are designed to distribute malware to other members.
Let’s say a plugin on your site has a vulnerability. Then, spammers can easily exploit it if they can log into your dashboard.
Now, the default WordPress registration process lacks strong anti-spam mechanisms. That’s why you’ll need third-party tools in most cases.
Fortunately, if you use a form builder for user registration, you can apply the same anti-spam strategies as you do for contact form spam.
With that in mind, we’ll give you some ways to stop these spam bots and ensure all submissions are from real people. Simply follow these methods to maintain a clean and efficient membership site:
- Turn on Email Activation for User Registration
- Adding a reCAPTCHA Field to Your User Registration Form
- Use Custom CAPTCHA to Prevent User Registration Form Spam
- Enable the WPForms Anti-Spam Token
- Connect Your Form to Akismet
- Block Specific Email Addresses on Your User Registration Forms
- Restrict User Registration by Country and Keywords
- Use Dedicated Anti-Spam Plugins
- Stop Spam Registrations Using Sucuri
Ready? Let’s say goodbye to the hassle of spam.
Method 1: Turn On Email Activation for User Registration
One of the easiest and most efficient ways to deal with spam registrations is using a form builder with an email activation feature.
Email activation is a feature that automatically sends out a verification link for every new account that’s created on your WordPress site. Real users must click on the email confirmation link to complete the signup.
WPForms is the best form builder plugin on the market, with a variety of spam defense features. It also comes with a User Registration Addon that allows you to create custom registration forms.
You will need a Pro License to access the user registration add-on and the email activation feature. The good news is that WPBeginner users can use the WPForms Coupon to get 50% off their purchase.
Now, the first thing you need to do is install and activate the WPForms plugin. For more details, you can see our step-by-step guide on how to install a WordPress plugin.
Upon activation, you’ll want to go to WPForms » Settings to verify your license key. You can get this key from your account on the WPForms website.
After verification, you can navigate to WPForms » Addons. Then, simply scroll down the page to locate the ‘User Registration Addon.’
Once found, go ahead and click the ‘Install Addon’ button.
The next step is to create a user registration form. To do this, let’s go to WPForms » Add New.
You’ll then be prompted to provide a title for your new form. After that, you’ll want to find the user registration form template. Once you have found it, simply hover over it and click on ‘Use Template’.
This will launch the form builder with a user registration form template. You can edit the fields by clicking on them.
You can also drag and drop fields to rearrange them.
In the ‘Settings’ panel, you can configure form notifications, confirmation, and user registration settings.
Let’s open the ‘User Registration’ section.
On this page, you can map the form fields to your WordPress user registration fields. Then, you might want to scroll down and check the box next to the ‘Enable User Activation’ option. This will reveal a dropdown menu where you can select a user activation method.
WPForms uses 2 creative ways to prevent spam registrations on a WordPress site.
You can choose to send a verification email to each user so that they can confirm their registration. Alternatively, you can require admin approval for each registration on your WordPress site.
Feel free to choose the option that best suits your needs and click the ‘Save’ button to store your form settings.
You can now add this form to any page on your WordPress site and then use that page as your user registration page.
Simply click the ‘Embed’ button at the top.
Then, you can either click the ‘Select Existing Page’ or ‘Create New Page’ option.
For this tutorial, we’ll choose the ‘Select Existing Page’ to embed the new form into an existing page on our website.
On the next pop-up window, you’ll select a page from the dropdown menu.
After that, you can go ahead and click on the ‘Let’s Go!’ button.
You’ll then be taken to the block editor in WordPress.
From here, you can click the ‘+’ button to add the WPForms block. Then, you’ll select the form you just created from the dropdown menu. You should then be able to see the form in your editor.
When you’re ready to publish the page with the embedded user registration form, simply click ‘Save’ or ‘Publish’ to launch it.
Now, if you visit your website, you will see your spam-proof user registration form.
Depending on your user activation settings, the plugin will either require users to verify their email address or an admin will have to manually approve each user registration on your site.
Note: If you have trouble sending WordPress emails, you might want to check out WP Mail SMTP to ensure they make it to your users’ inboxes. Then, you can refer to our guide on how to fix WordPress not sending emails.
Method 2: Adding a reCAPTCHA Field to Your User Registration Form
Another simple way to block spambots from getting through is to use reCAPTCHA.
This free Google service is the more advanced version of the CAPTCHA method, and it helps protect websites from spam by distinguishing between automated bots and human users.
To add reCAPTCHA v3 to your forms, head over to WPForms » Settings in your WordPress dashboard. Then, click on the ‘CAPTCHA’ tab.
Next, you want to select ‘reCAPTCHA’ and make sure that the ‘Checkbox reCAPTCHA v2’ option is enabled.
This will force new users to check a box that proves they’re human.
WPForms will also ask you for a ‘Site Key’ and a ‘Secret Key.’ You can get this information by heading over to Google’s reCAPTCHA setup page.
When you’re on the Google reCAPTCHA page, you’ll want to click on ‘v3 Admin Console.’
You’ll then be taken to a screen where you will register your WordPress website. Simply type in a name under ‘Label,’ which is used for internal reference and won’t be visible to others.
After that, you can choose the ‘Challenge v2’ option and the ‘I’m not a robot Checkbox’ underneath that.
From there, you can type in your website’s domain name in the ‘Domain’ field.
Then, you might want to check out the Google Cloud Platform Terms of Service and check the agreement box.
When everything is set, just click the ‘Submit’ button to finish the configuration.
Now, you’ll see a page with your website’s site key and secret key.
Simply copy this information.
Now, you can head back to the WPForms » Settings » CAPTCHA page.
Then, be sure to click the reCaptcha box to open its customization panel. After that, simply paste your keys into the ‘Site Key’ and ‘Secret Key’ fields.
Once you’ve done that, simply scroll down the page and hit the ‘Save Settings’ button.
From there, you’ll want to go to WPForms » All Forms from your WordPress admin area. Then, let’s choose the user registration form to which you want to add the reCAPTCHA and select ‘Edit.’
Doing this will now open up the form builder.
Then select the ‘reCAPTCHA’ button in the left side panel.
You should see a message appear telling you that your Google Checkbox v2 reCAPTCHA has been enabled.
Go ahead and click ‘OK.’
To confirm that it’s there, you’ll see the ‘reCAPTCHA Enabled’ verification at the top right corner of your form.
When you’re done, remember to save your changes by clicking the ‘Save’ button.
Method 3: Use Custom CAPTCHA to Prevent User Registration Form Spam
Sometimes, you may want to use a custom captcha instead of reCAPTCHA. That’s because some users have privacy concerns since it involves interacting with Google’s servers.
WPForms Pro comes with a custom CAPTCHA add-on allowing you to create a question-based CAPTCHA, typically in the form of a math equation, to block user registration form spam.
All you have to do is edit the user registration form to which you want to add the custom CAPTCHA. This will open the form builder.
In the left side panel menu, you’ll want to find the ‘Custom Captcha’ button under ‘Fancy Fields’ and drag it over to your form.
By default, the field shows a random math question. If you use this default setting, then WPForms will automatically generate random math questions for every user who fills out the form to make it less predictable.
You can also customize the questions to visitors to challenge users to enter the correct answers.
For example, sometimes, in membership or job application forms, you may want to include a keyword that you want users to mention in the form. This shows that they read through the application and aren’t blindly submitting forms through copy and paste.
To make edits, you’ll want to click on the ‘Custom Captcha’ field within your form builder. Then, let’s make sure you’re on the ‘General tab’ in the left-hand panel.
Simply select ‘Question and Answer’ under the ‘Type’ dropdown, and just add any questions you’d like.
If you decide on the ‘Question and Answer’ format, make sure to include a few different questions. That way, WPForms can rotate those questions randomly, so it’s more difficult for spambots to predict.
Once you’re done, go ahead and save your changes.
Now, you have a custom CAPTCHA button that can easily prevent new spam user accounts.
Method 4: Enable the WPForms Anti-Spam Token
Using WPForms offers many security advantages. For one, It has a built-in anti-spam protection feature that verifies a token for each submission.
Spam bots can’t detect this token and, therefore, won’t be able to submit the form. Since the token is embedded into the HTML, it doesn’t affect the user experience.
Every new form automatically has this feature enabled. If you want to check for yourself, navigate to the ‘Settings’ panel. Then click on the ‘Spam Protection and Security’ tab.
You should see that the ‘Enable anti-spam protection’ is toggled on.
Method 5: Connect Your Form to Akismet
Akismet is a popular spam-filtering plugin designed to combat comments and form submission spam on websites. It assesses the submission for signs of spam, including spammy keywords and links to suspicious websites.
If you’re already using the Akismet plugin, then you can connect it to WPForms. This ensures your user registration forms get the same spam protection that you also have in your blog comments.
Let’s edit the forms you want to filter spam for and head to Settings » Spam Protection and Security. From here, you can toggle on the ‘Enable Akismet anti-spam protection’ option.
Note: If you haven’t connected your WordPress site to your Akismet account, you won’t be able to see this integration in the WPForms form builder.
Method 6: Block Specific Email Addresses on Your User Registration Forms
Not all spam registrants will be bots. You may get spam submissions from humans as well. Sales agents and scammers are often lurking on websites trying to solicit their products.
CAPTCHAs won’t work against humans, which is why you’ll need to analyze the common types of spam you get and choose the appropriate method.
One way to deal with solicitors is to create a ‘denylist’ of email addresses so that those visitors with that email address can’t create a new account on your WordPress site.
With WPForms, you can create an allowlist and denylist for each form.
When in the form builder, simply navigate to the ‘Fields’ panel.
Then, you’ll want to select the ‘Email’ block from within your user registration form. Under the ‘Advanced tab,’ you’ll see an ‘Allowlist / Denylist.’
In the dropdown menu, you can choose ‘Denylist.’
In the box below, you can type in all of the email addresses you want to block from registering an account on your form.
The great thing about this feature is that you can simply type a complete email address or use an asterisk to create a partial match.
Then, simply separate the email addresses by using a comma. WPForms will automatically tidy up the list for you like so:
Method 7: Restrict User Registration by Country and Keywords
If you notice that your forms are targeted from a specific country or often contain specific keywords, WPForms offers various filters to block those entries.
The country filter accepts or denies submissions from specific countries.
To activate and add countries to deny, you can go to the ‘Settings.’ Then, you just need to click the ‘Spam Protection and Security’ tab and make sure the ‘Enable country filter’ is on.
Once you do that, you should be able to select ‘Deny’ from the dropdown menu and add all the countries that you want to deny user registrations from.
That said, country filtering may not be the best option for online stores.
For instance, if you own a WooCommerce store, any customers in the blocked countries won’t be able to access their accounts.
Method 8: Use Dedicated Anti-Spam Plugins
If you aren’t using WPForms to create new accounts, you may need dedicated anti-spam plugins. In that case, there are other options on WordPress that can add additional layers of spam protection for your user registration forms.
The Stop Spammers Security plugin is a reliable tool that gives you a lot of control over how you want to filter spambots.
The first thing you need to do is install and activate the plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Once activated, you’ll want to navigate to Stop Spammers » Protection Options. Stop Spammer Security is a powerful WordPress plugin that aggressively monitors your website for suspicious spam activity.
The default settings on this page will work for most websites. However, you can uncheck a few of them if you feel lots of legitimate users are unable to log in.
You can even block users from specific countries if you wish. Once you’re done, click on the ‘Save Changes’ button to store your settings.
The plugin uses a number of spam prevention techniques. It uses HTTP Referrer and Header requests to verify that a user is genuinely accessing your website.
It also checks against Akismet API for known spamming activity. The plugin also maintains a list of bad hosts known for tolerating spam activity and blocks them.
Under Stop Spammer » Block Lists, you can block IP addresses, emails, and spam words.
The great thing about this plugin is that default settings have just about most spam defenses already activated.
That means there’s not much you need to do other than to install the plugin and test to see if it’s working.
Method 9: Stop Spam Registrations Using Sucuri
At WPBeginner, we used to use Sucuri to protect our website against spammers and other security threats.
Sucuri is a website security monitoring service. It blocks hackers, malicious requests, and spammers from accessing your site or injecting any malicious code.
For more details, you can check out how Sucuri helped us block 450,000 WordPress attacks in 3 months.
If you want an alternative, then MalCare is a great choice. It’s a powerful security plugin that comes with a bot protection feature.
Note: When a WordPress crisis strikes, keep calm and get immediate assistance from our expert team! Whether your site is broken or you’re dealing with persistent spam, we provide on-demand support to get you back online fast. Schedule a call with our Emergency WordPress Support today!
We hope this article helped you stop spam registrations on your WordPress membership site. You may also want to read our guides on how to protect emails from spammers with WordPress email encoder and how to use Antispam Bee to block spam comments in WordPress.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Moinuddin Waheed
This is very helpful tutorial in helping to ward off spam registration.
I think the first method mentioned to send email confirmation and validation through email is very effective in preventing spam registrations.
This serves two main aspect, one is it gives a credibility in users minds and helps make a sense of branding and second it gives option to manually approve by the admin.
I have a query regarding implementing more methods of spam protection simultaneously.
is it good practice to use two or three of the mentioned methods like captcha and email authentication both?
or it is okay to use any one of them?
WPBeginner Support
It is a question of persona preference but you can use multiple of the methods for your registration without much worry.
Admin
Jiří Vaněk
I am deploying and gradually launching the MemberPress plugin. After my experiences with a discussion forum where I struggled with spam (and am still partially fighting it), I was really worried that I might end up with spam registrations again. So, thank you for the very detailed guide and the methods that will hopefully help me avoid spam this time. MemberPress and user registrations are important for me to build a community, but spam is a problem. Thanks for the great tips.
Ahmed Omar
A crucial guide on putting a halt to spam registrations on WordPress membership sites!
Your insights into CAPTCHA implementation and user registration settings are golden. A technical suggestion: combining these strategies with Anti-Spam Plugin can provide an extra layer of defense.
Thanks for addressing this headache-inducing issue
Travis
If I activate the Stop Spammers Plugin does it make sense to also have the Akismet plugin active or is this redundant?
WPBeginner Support
Unless we hear otherwise, you can use this plugin and Akismet at the same time and they do work together
Admin
Travis
Sounds good to me. Thank you!
Aniekan Etop
Please what should I do to gain access back to my blog’s admin area if ‘Stop Spammers plugin’ logs me out
WPBeginner Support
If the plugin is preventing you from logging in then you can disable the plugin by following our guide here: https://www.wpbeginner.com/plugins/how-to-deactivate-all-plugins-when-not-able-to-access-wp-admin/
Admin
smaqsood
are you sure wpforms pro version is needed?. i see user registration and spam protection is included in basic version of wpforms… please confirm from your side before i buy basic version. i don’t want to spend $200 for pro version to stop spam.
WPBeginner Support
Hi Smaqsood,
Basic plan includes spam protection but does not include user registration addon.
Admin
Matt
What about recaptcha by Google? I thought they would have this down but the headache continues!
Thanks for the advice. Your site has become by go-to.
Matt
matin gholami
hi there, are U sure SUCURI protects my website???
I always had 2 spam registration per day, but after installing sucuri I have 5 spam registration every day
is there any better way to stop spam registration?? TNX
Arize
Try stop spammers plugin.
Dan Awontis
Great post, as always. Theory and practice together, easy to read, to understand and to implement. But without promoting any company, I’d suggest.
moumita
I hope this process will help me to get away with spam registrations.
Ishtiak
Can this plugin prevent visitors from registering with sensitive usernames like ‘Admin’, ‘admin’, ‘administrator’ etc?
Blake
So, I think I have a bunch of spam subscribers–like 400 out of 400 subscribers to my blog–but what I can’t figure out is WHY I have them.
What does a spam subscriber get? They’re not leaving comments. So what would be the purpose of subscribing to a random WordPress blog?
WPBeginner Support
See our tutorial on how to reset passwords for all users in WordPress. This will send out an email to all users that their password has been reset. Since most spam registrations are generated by spam bots, those users may not verify and recreate new passwords.
Admin
Blake
Thank you. I have done this.
I still don’t understand WHY they do it, though. What do they get out of creating user logins for my site? They’re not leaving comments, after all.
Blake
And now, having done this, I don’t know what I got out of it.
So what if they all have new passwords? Is there a way I can tell whether they’re real? Should I just deleted everyone?
Chiara
Hey Blake,
I’m in the same situation and I was looking for answers. I’m glad that at least I’m not the only one with this problem. The option I found was to disable registration for users. But since I’m looking to sell an online course I’ll need to find alternative ways to let user register. And by the way, I was wondering exactly the same thing: WHY do they register? If anyone has an answer he will make 2 people happy
Caren Pretorius
I’ve learned the hard way. They gather information, especially emails. A light went on for me and I have more control over the register spam problem now. I’ve added a field under users on dashboard and made it a requirement. The bots can’t get past the register page without filling out this field.
ReidGuy
I had this thought as well, I was planning on giving it a go, but first thought I would give Google a try to see if there were any plugins that could help. This is probably the best way to stop the spam bots.
Md Abul Bashar
Can you help me please? how can i block specific word when visitor want to register in my site, then go to my site register page, then normally register, but i want to some word block, example: if i block “Admin” word. when visitor want to register in my site and he/she try registration username “Admin” then show error “Admin username is not allow for register in this site”.
so please help me.
Rashed khan
Hello Admin and everyone,
I have already your article and comment.Wow, I got the lot of thinks from there. This article and every comment is very helpful.However, I want to add something, and recently I just released the membership plugin in the wordpress repository who is called “rs-members”. Before developing I just studied existence all membership wordpress plugin.I got many problems from the those.As a result; I just tried to include many useful features.Without programming skill any guys can easily maintain this plugin. I hoped this plugin will be helpful fill up your all demand. Guys you can visit my “rs-members” from wordpress repository.
Thank you gentleman for patiently reading.
Shanna
This was a great find as I’m putting together a membership site. Thank you! However, as I was about to install it and was reviewing the FAQs I read at the bottom that he no longer has time to maintain the plugin in. See the thread here on wordpress.org… http://wordpress.org/support/topic/ending-this-plugin
I’m going to install it anyway, hopefully his hard work and dedication can be carried on by equally dedicated plugin programmers in the wp space.
Biggani
Configuration of Stop Spammer Registrations plugin is very hard to understand.
Theo
Great blog post. This is just what I desperately needed. I’ve been receiving a barrage of sign ups from spammers for some months now. Hopefully this will bring that to a minimal.
Duane Reeve
I’ve installed the WangGuard Plugin to help with Spam User Registrations. It’s the only such plugin I know that also helps clean out your database of ‘Sploggers’ (Spam Users), as well as blocking new Spam User Registrations.
WangGuard is FREE for personal use, but does require an API key. It is available on the WP Repository, or from Wanguard Website, where you need to sign-up for your API key anyway. There are too many features to mention here, but it may be a consideration for others looking to resolve Spam User issues.
Steve Lamb
Just installed this plugin on our membership site. Hopefully, it helps cut back some of the SPAM registrations we’ve been receiving. We’re receiving on average around 100 SPAM registrations per day using fake Gmail addresses.
RethaGroenewald
What about spammers that have already registered. Will this plugin pick them up as well?
Editorial Staff
No it will not pick those.
Admin
RethaGroenewald
I have installed this plugin. Any ideas how do I get rid of spam user before this plugin was installed?
Steve
Any advice on how to get rid of existing spam sign ups would be helpful? I don’t really want to delete all users and ask them to signup again. Thanks for the post though.
Editorial Staff
No real easy way.
One option would be to send an email blast to every user. If user does not open the email, then send it to them again. Then after the second try (everyone who never opened this email) gets deleted. You can write a SQL query to delete only the accounts that have specific email addresses tied to it.
Rakesh Luthra
The only “realistic” way of removing the existing SPAM user accounts is by using User Spam Remover plugin whereby you can remove all user accounts that have not been used within last X days
Albert Albs
This is good plugin. But Expecting feature from “Growmap Anti Spambot Plugin”. Like: “Confirm you are not a spammer”. Is it possible in this plugin?