The past week has seen a flurry of new user registrations on this blog. Which is extremely suspicious, because I don’t actually have a link anywhere to the user registration page. (Also, they’re all using very similar-sounding Russian e-mail accounts.)
My conclusion? The latest spammer trick is apparently to try to gain access to WordPress blogs by creating new users, in the hope that the blog’s settings allow that user to post unmoderated comments or maybe even articles.
Here are two ways you can keep that from happening on your WordPress blog:
- The safest: turn off user self-registration. From your Dashboard, click on the Options tab. Right after the field for entering the admin e-mail address, you’ll see two checkboxes labelled “Membership”. Uncheck “Anyone can register.”
- If you don’t want to do that (for instance, if you want people to be able to register on your blog), you can set new users’ permissions as restrictively as possible. Beneath the “Membership” check boxes, you’ll find a pull-down menu labelled “New user default role”. Choose “Subscriber”.
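
The two settings above are stored as the WordPress options `users_can_register` and `default_role`. As an added example (not part of the original post), this script audits both with WP-CLI and counts accounts per e-mail domain to surface a burst of look-alike sign-ups. It assumes WP-CLI is installed and run from the WordPress directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes WP-CLI ("wp") is
# installed and run from the WordPress directory; function names are made up.
# To apply the post's two fixes from the command line:
#   wp option update users_can_register 0
#   wp option update default_role subscriber

# Classify the two settings. $1 = users_can_register ("1" means
# "Anyone can register" is ticked), $2 = default_role.
registration_risk() {
  if [ "$1" != "1" ]; then
    echo "closed"            # self-registration is off: the safest state
  elif [ "$2" = "subscriber" ]; then
    echo "open-restricted"   # sign-ups allowed, but with the lowest role
  else
    echo "open-privileged"   # strangers get a role above Subscriber
  fi
}

# Read "login,email" CSV rows on stdin and print "count domain", most
# common first. The e-mail is taken from the last field.
domains_by_count() {
  awk -F, 'NF >= 2 { split($NF, p, "@")
                     if (p[2] != "") n[tolower(p[2])]++ }
           END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2
}

audit_site() {
  reg="$(wp option get users_can_register)"
  role="$(wp option get default_role)"
  echo "registration: $(registration_risk "$reg" "$role")"
  wp user list --fields=user_login,user_email --format=csv \
    | tail -n +2 | domains_by_count | head -n 10
}

if command -v wp >/dev/null 2>&1; then
  audit_site
else
  # No WP-CLI available: run on constructed rows (not real accounts).
  printf '%s\n' 'u1,ivan1@mail.example' 'u2,ivan2@mail.example' \
    'u3,ivan3@mail.example' 'admin,me@home.example' | domains_by_count
fi
```

A single domain with a count far above the rest, on a site that never advertised its registration page, matches the pattern described in the post.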
I’d thought it was just a script, but if they’re getting past captchas, you’re probably right… it sounds like this is hands on keyboards.
Interesting, we’ve been inundated on a client’s forum with the same .ru spam registrations. They are able to get by the captcha deal which really sucks. Are they doing this by hand?
wow…that’s a lot of hands, since my blog has been swamped with at least 100 of these in the last couple days…there must be some machine intelligence at work with humans just sitting there entering one captcha after another. Nice job for ex-party officials.
I just implemented http://wp-plugins.net/plugin/did_you_pass_math/ on my blog. We’ll see if this gets rid of them.