The past week has seen a flurry of new user registrations on this blog. Which is extremely suspicious, because I don’t actually have a link anywhere to the user registration page. (Also, they’re all using very similar-sounding Russian e-mail accounts.)

My conclusion? The latest spammer trick is apparently to try to gain access to WordPress blogs by creating new users, in the hope that the blog’s settings allow that user to post unmoderated comments or maybe even articles.

Here are two ways you can keep that from happening on your WordPress blog:

  1. The safest: turn off user self-registration. From your Dashboard, click on the Options tab. Right after the field for entering the admin e-mail address, you’ll see two checkboxes labelled “Membership”. Uncheck “Anyone can register.”
  2. If you don’t want to do that (for instance, if you want people to be able to register on your blog), you can set new users’ permissions as restrictively as possible. Beneath the “Membership” checkboxes, you’ll find a pull-down menu labelled “New user default role”. Choose “Subscriber”.
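
To check an existing blog for the situation described above, here is an added example (not part of the original post) that audits the two settings and flags clusters of recent sign-ups sharing an e-mail domain. It assumes the settings are stored in the `users_can_register` and `default_role` options and that the user list has the fields of `wp user list --format=json`; the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post), shaped like the output of
# `wp option get <name>` and `wp user list --format=json`.
OPTIONS = {"users_can_register": "1", "default_role": "author"}
USERS = [
    {"user_login": "admin", "user_email": "owner@blog.example",
     "user_registered": "2023-01-10 09:00:00", "roles": "administrator"},
    {"user_login": "reader1", "user_email": "reader1@isp.example",
     "user_registered": "2024-02-28 18:30:00", "roles": "subscriber"},
    {"user_login": "ivan77", "user_email": "ivan77@mail.example",
     "user_registered": "2024-03-01 02:11:00", "roles": "author"},
    {"user_login": "petr81", "user_email": "petr81@mail.example",
     "user_registered": "2024-03-02 02:14:00", "roles": "author"},
    {"user_login": "oleg93", "user_email": "oleg93@MAIL.example",
     "user_registered": "2024-03-03 02:09:00", "roles": "author"},
]

def audit_settings(options):
    """Check the two settings from the list above; return a list of findings."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("'Anyone can register' is enabled")
    role = options.get("default_role", "subscriber")
    if role != "subscriber":
        findings.append(f"new users default to role '{role}', not 'subscriber'")
    return findings

def registration_bursts(users, window_days=7, threshold=3):
    """Group sign-ups from the last window_days (counted back from the newest
    account) by e-mail domain; return domains with at least threshold accounts."""
    fmt = "%Y-%m-%d %H:%M:%S"
    stamps = [datetime.strptime(u["user_registered"], fmt) for u in users]
    if not stamps:
        return {}
    cutoff = max(stamps) - timedelta(days=window_days)
    by_domain = {}
    for user, when in zip(users, stamps):
        if when >= cutoff:
            domain = user["user_email"].rsplit("@", 1)[-1].lower()
            by_domain.setdefault(domain, []).append(user["user_login"])
    return {d: logins for d, logins in by_domain.items() if len(logins) >= threshold}

if __name__ == "__main__":
    for finding in audit_settings(OPTIONS):
        print("setting:", finding)
    for domain, logins in registration_bursts(USERS).items():
        print(f"burst: {len(logins)} recent sign-ups from {domain}: {', '.join(logins)}")
```

Accounts it flags that already hold a role above Subscriber are the ones to review first, since changing the default role only affects future registrations.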