How to stop new-user spam on WordPress
The past week has seen a flurry of new user registrations on this blog, which is extremely suspicious because I don’t actually have a link anywhere to the user registration page. (Also, they’re all using very similar-sounding Russian e-mail accounts.)
My conclusion? The latest spammer trick is apparently to try to gain access to WordPress blogs by creating new users, in the hope that the blog’s settings allow that user to post unmoderated comments or maybe even articles.
Here are two ways you can keep that from happening on your WordPress blog:
- The safest: turn off user self-registration. From your Dashboard, click on the Options tab. Right after the field for entering the admin e-mail address, you’ll see two checkboxes labelled “Membership”. Uncheck “Anyone can register.”
- If you don’t want to do that (for instance, if you want people to be able to register on your blog), you can set new users’ permissions as restrictively as possible. Beneath the “Membership” checkboxes, you’ll find a pull-down menu labelled “New user default role”. Choose “Subscriber”.
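The same two settings can be checked and changed from the command line. This is an added example, not part of the original post: it assumes WP-CLI is installed and relies on WordPress storing the two settings as the `users_can_register` and `default_role` options. The function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit and fix the two settings above with WP-CLI.
# Assumption: WP-CLI is installed and this runs from the WordPress root.
# Override WP to point at another binary if "wp" is not on the PATH.
WP="${WP:-wp}"

# Prints one verdict: closed | open-subscriber | open-elevated:<role>
# Returns 0 for the two states the post recommends, 1 for the risky one,
# 2 if the options could not be read.
audit_registration() {
    open=$($WP option get users_can_register) || return 2
    role=$($WP option get default_role) || return 2
    if [ "$open" != "1" ]; then
        echo "closed"                  # option 1: nobody can self-register
    elif [ "$role" = "subscriber" ]; then
        echo "open-subscriber"         # option 2: sign-ups get the lowest role
    else
        echo "open-elevated:$role"     # sign-ups land with extra privileges
        return 1
    fi
}

# Apply one of the two fixes: "closed" or "subscriber".
harden_registration() {
    case "$1" in
        closed)     $WP option update users_can_register 0 ;;
        subscriber) $WP option update default_role subscriber ;;
        *) echo "usage: harden_registration closed|subscriber" >&2
           return 64 ;;
    esac
}

# Changing default_role does not touch accounts that already signed up,
# so list who currently holds a given role and review them by hand.
list_role_members() {
    $WP user list --role="$1" --fields=ID,user_login,user_email,user_registered
}
```

If `audit_registration` reports `open-elevated:editor`, run `list_role_members editor` after hardening to find sign-ups that already received that role.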



May 19th, 2006 at 10:07
Phillip Djwa says:
Interesting, we’ve been inundated on a client’s forum with the same .ru spam registrations. They are able to get by the captcha deal which really sucks. Are they doing this by hand?
May 19th, 2006 at 10:44
Rob says:
I’d thought it was just a script, but if they’re getting past captchas, you’re probably right… it sounds like this is hands on keyboards.
May 19th, 2006 at 19:39
Evan Leeson says:
wow…that’s a lot of hands, since my blog has been swamped with at least 100 of these in the last couple days…there must be some machine intelligence at work with humans just sitting there entering one captcha after another. Nice job for ex-party officials.
May 20th, 2006 at 11:11
Evan Leeson says:
I just implemented http://wp-plugins.net/plugin/did_you_pass_math/ on my blog. We’ll see if this gets rid of them.