Learn how to stop WordPress registration spam with simple steps. Protect your site from fake users and spam sign-ups using easy tips and tools.
Approximate read time: 6.5 minutes
Stopping WordPress registration spam is a headache.
The constant spam bots spamming your WordPress registration form may cause you to consider turning user registrations completely.
But it's not time to shut down user registrations in WordPress just yet. There are a few easy ways to stop spam in its tracks. Many of them can be done right from your WordPress dashboard! Only real people can sign up by understanding the best ways to stop fake user registration in WordPress.
In this post, we'll show you how to do it in a few simple ways. Let's dive in.
Why spam can harm your website
Not only is spam annoying, but it can cause issues for a website and the website owner.
And I don't mean just with upkeep. Fake user registration spam:
- Slows your website down: Imagine your website as a building with water pipes. Spammers are like a bunch of faucets turning simultaneously and slowing everything down. The same can happen with your server.
- Makes your website less secure: Fake accounts are a way for hackers to get into your website and cause more problems.
- Makes your website look bad: Spam comments and links to weird sites can give people the wrong idea about your website.
- Gives you wrong data: Fake accounts can skew analytics and give you wrong data about your website.
So, stopping spam is essential — for the website and its visitors. And now that you know why you should stop it, I'll show you how.
7 ways to stop WordPress registration spam
1. Turn off WordPress user registration
You might think that fake signups come through custom registration forms. However, the default WordPress registration page is the biggest spam user registration source.
Imagine — 40% of all websites run on WordPress, and each one of those sites has the same URL to create user accounts. That's a goldmine for spammers.
So, disable the registration page. Go to Settings → General:
Then, uncheck Anyone can register.
However, completely disabling registration isn't an option for some WordPress websites. Online stores and membership sites, in particular, rely on user profiles. The good news is you can use eCommerce plugins or form plugins that don't need the WordPress registration page.
2. Create a custom WordPress user registration form
So, you've disabled the WordPress user registration, and now it's time to create your form.
A WordPress form builder like Formidable Forms helps you build a form quickly, avoiding time-consuming code. Plus, it has pre-made form templates to save you even more time.
Most WordPress plugins come with anti-spam features (more on this in a second). So not only do you get to build a custom form (dodging spammers), but also easy-to-add spam protection to lower spam risk even more.
3. Set user roles
WordPress allows you to assign different abilities to users based on their roles.
For spam prevention, restrict the default registration role to the lowest permission level. To find this, go to Settings → General and change New User Default Role to Subscriber:
This lowers the risk of letting in people who aren't allowed. If you have custom user roles set up, choose the lowest role with the highest restrictions.
4. Require a confirmation email
Another spam registration prevention method requires email verification.
All you have to do is require users to submit their email addresses during registration. Then, you can set the password to generate the email notification. Fake users never click the link. And without a password, they can't log in and use their accounts.
This can also help you catch spam that gets past your form security. If the email bounces back, you know it's probably not a real person.
It varies by form builder, but in Formidable, you can set up your confirmation like this ⬇️
Go to your registration form and Settings → Actions & Notifications. Then, select the form action Register User:
Under password, select Set with link in email notification. Then, save your form. It now sends emails that detect real users. Consider using confirmation emails for other forms you want to keep safe, too.
5. Turn on admin approval
You can also run all users past an admin before they're confirmed to stop spammers.
This requires someone to manually approve each user to access your site. It's a more manual way and will take time to stop spam registration in WordPress. But if you want legitimate users, this is a good one.
In Formidable, go to your registration form. Next, add a new drop-down field and include three options: Pending, Approved, and Denied. You'll also need to set the default value to Pending:
Now, go to Settings → Actions & Notifications. Select the form action Register User once again. However, this time, we'll edit a few different fields.
Start with the Trigger this action when drop-down and select Entry is updated. Then, scroll down to the Allow logged-in users to create new users with this form field and check the box.
Make sure you select Administrator from the resulting drop-down. Choosing any lower-level roles could be a huge security risk that only leads to more spam.
Finally, move on to the conditional logic section. Click on Add Conditional Logic. Then, select the options so that it will register users only when you change the status to Approved. Here's an example of what it should look like:
And that's it. Another layer of protection for your registration forms.
6. Use anti-spam checks in your forms
As mentioned above, you can add spam protection or Captcha to your form.
reCAPTCHA, Honeypot, Cloudflare Turnstile, and other reCaptcha alternatives are a few I recommend. Each gives you a quick spam check to stop spam user registrations with a quick challenge or puzzle and doesn't hurt the user experience.
It's invisible spam protection, but bots won't have the secret password to submit a form. So, these fields can prevent spam without annoying your users. And it's as easy as setting up your Captcha and adding the Captcha field in Formidable:
7. Install a security plugin
A good WordPress security plugin protects against spam and other malicious activity.
Look for an anti-spam plugin specifically targeting registration spam on your WordPress site, such as:
- Brute force protection: Limits login attempts to prevent bots from guessing passwords, which helps with spam registration attempts.
- IP address monitoring: Block or limit registrations from known spam accounts.
- Web Application Firewall (WAF): Filters out malicious traffic before it reaches your registration forms.
- Integration with spam blacklists: Compares registrations against known spam databases for automatic rejections.
I recommend plugins like WordFence or Sucuri, but you can check out the complete list of best WordPress security plugins.
Ready to stop WordPress registration spam on your site?
Fake user accounts are bad for a website and its audience. So, registration spam prevention is a top priority for many sites. Fortunately, you can choose from several strategies to protect your website.
And in this post, I showed you a few different ways to use it. And best of all, you can use one plugin to solve most of them — Formidable Forms! So, grab the free or paid version of Formidable Forms and start with simple form spam protection today!
9 Best reCAPTCHA Alternatives To Try Today!
What is Honeypot Anti-Spam? [And How To Use It!]
Cloudflare Turnstile vs. Google reCAPTCHA [Which is Best?]