Spammers are getting sneakier all the time, making it easy for your site to be quickly overcome with fake comments and bogus sign-ups.

Trying to outmaneuver this never-ending influx can feel like a futile effort. Leaving it makes your site look messy, and clutters your database. Deleting it takes chunks of your valuable time, on a repeated basis.

The best solution? Putting protections in place that prevent them from flooding your site in the first place.

In this article, we’re going to look at some easy options you can implement to prevent spam registrations in WordPress that will deliver immediate, effective, and ongoing results.

Let’s take a look at how to put the squeeze on WordPress spam registrations.

Plugin Possibilities

Defender Plugin

Defender is a deluxe—and free—WordPress security plugin that protects your site from a laundry list of malicious acts. Brute force attacks, SQL injections, cross-site scripting (XSS) and more don’t stand a chance with this armory in place.

It’s also extremely effective at filtering out spam. In addition to using Google reCAPTCHA, Defender’s Geolocation IP Lockout allows you to cut off registrations based on location and country—very helpful if there is a known regional source of spambots.

To use the IP Banning feature in Defender:

  1. You’ll first need to get an account with MaxMind (it’s free), to gain access to the GeoLite2 Database (also free). Once your account is created and confirmed, generate a license key, then copy it for the next step.
  2. From the WordPress Dashboard, navigate to Defender > Firewall > IP Banning, then scroll down to the Locations section.
  3. Paste your key in the License key field, then click the Download button. (Wait 5-10 minutes for your license to fully activate, or you will likely get an invalid license key error message.)

Now you can click the field with the global icon, beneath Blocklist Banned countries or Allowlist Allowed countries, and select those from the dropdowns that you want to ban or permit. (Your home country is added to the Allowlist by default.)

IP banning is a quick & effective method to block known spam sources.

Defender has one more built-in spam protection: User Agent Banning. The User-Agent request header is a string sent to the server with each request that identifies the visitor’s browser application name and version, and the host operating system and language.

To activate this feature from the WP Dashboard, head to Defender > Firewall > User Agent Banning, and click the blue Activate button. From here, you can add User Agents to the Blocklist or Allowlist, permanently preventing or permitting them access to your site. (By default, WPMU DEV includes several known bad user agents in the blocklist.)

One last trick in Defender, for even more effective results. Scroll down to Empty Headers, and toggle the button on for Block IP addresses with empty Referrer and User-Agent headers (it will go from gray to blue). There are still a lot of bots that send an empty HTTP referrer, and these are almost always malicious, so it’s a good idea to enable it.

The User Agent allow & block lists in Defender are powerful allies in the fight against spam.

Your access logs are viewable at any time, here: Defender > Firewall > Logs. A point of clarification: If the same bot or user agent appears in both the allow and block lists, Allow will always override Block.
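
The list precedence and empty-header check described above can be replayed over access log lines before you change the lists. The following Python sketch is an added example, not Defender's code: the sample log lines, the list entries, the registration URL markers and the substring matching are all assumptions made for illustration.

```python
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Hypothetical list entries; case-insensitive substring matching is an assumption.
ALLOW_UA = ["uptimecheck"]
BLOCK_UA = ["python-requests", "uptimecheck"]  # "uptimecheck" is on both lists
REGISTER_MARKERS = ("/register", "action=register")  # assumed registration URLs
EMPTY = ("", "-")  # how access logs record a missing header

def verdict(referer, ua):
    """Return (decision, reason); Allow overrides Block, as the article states."""
    ua_l = ua.lower()
    if any(a in ua_l for a in ALLOW_UA):
        return "allow", "ua-allowlist"
    if referer in EMPTY and ua in EMPTY:
        return "block", "empty-headers"
    if any(b in ua_l for b in BLOCK_UA):
        return "block", "ua-blocklist"
    return "allow", "no-match"

def review(lines):
    """Count would-be blocks per (ip, reason) among registration requests."""
    blocked = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not any(k in m["path"] for k in REGISTER_MARKERS):
            continue  # unparseable line, or not a registration request
        decision, reason = verdict(m["referer"], m["ua"])
        if decision == "block":
            blocked[(m["ip"], reason)] += 1
    return blocked

# Constructed sample lines using documentation IP ranges, not real traffic.
T = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /wp-login.php?action=register HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - {T} "POST /register HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.9 - - {T} "POST /register HTTP/1.1" 200 512 "https://example.com/register" "python-requests/2.31.0"',
    f'192.0.2.15 - - {T} "GET /register HTTP/1.1" 200 512 "-" "UptimeCheck/1.0"',
    f'198.51.100.9 - - {T} "GET /blog/ HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

Feed it the lines of a real combined-format access log in place of SAMPLE to see which source IPs a list change would affect.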

There is also a Pro version of this plugin, which adds more features, such as: white labeling 2FA, and best-in-class, real-time support.

Forminator Plugin

Forminator is a free, easy-to-use WordPress form builder plugin that protects your forms from spam at all times with your choice of Captcha (ReCAPTCHA or hCaptcha), plus Honeypot, and Akismet integrations.

Spammers know that the default WordPress registration page is /register, so it’s an oft-used target. Forminator knows this, and puts smart tools in place to prevent spam from barreling through on registration pages.

Enabling spam protections in Forminator is a breeze; check out this tutorial for a complete walk-through.

Forminator does much more than put the kibosh on registration spam. It’s a comprehensive form creator (contact forms, order forms, polls & quizzes, and payment options) that uses a smart drag and drop visual builder, making setup in WordPress a cinch.

There is also a Pro version, which adds an e-signature feature, along with premium, 24/7 support.

Profile Builder Plugin

Profile Builder is another free plugin which allows you to restrict content based on user role or logged in status.

It supports Google’s invisible reCAPTCHA on WordPress default forms, and content restrictions based on current user roles or logged-in status.

To customize registration form fields:

  1. From the WP dashboard, navigate to Profile Builder > Form Fields.
  2. From the uppermost Field row, click the dropdown for Select an option; start typing reCAPTCHA (it’s under Advanced), then select it.
Using search to access the reCAPTCHA settings in Profile Builder’s form fields.
  3. Choose the reCAPTCHA you prefer from the dropdown menu.
  4. Enter your API keys – Site & Secret.
  5. Check the desired options under Display on PB forms and Display on default WP forms.
  6. Copy the shortcode from the right sidebar menu that corresponds with your selection.
  7. Paste the shortcode where you would like the custom form to be displayed on your site.

We’ve chosen PB & Default WP Register here, so would use the shortcode [wppb-register].

There is a premium version as well, which offers extra user fields, custom redirects, advanced add-ons, as well as the ability to require admin approval for new registrations.

User Registration Plugin

The User Registration plugin is free, lightweight, and highly responsive. It offers spam protection with Google reCaptcha and Honeypot.

When you install the User Registration plugin, it will give you an option to automatically create a custom registration page, using this URL: yoursite.com/registration.

You could also do one of the following:

Require Admin Approval

  1. Navigate to the General > General Options tab on the plugin Dashboard.
  2. From the User login dropdown menu, select Admin approval after registration.
Choosing the option for Admin approval after registration.

Enable reCAPTCHA

  1. Navigate to the Integration tab on the plugin Dashboard.
  2. Enter your API keys – Site Key & Secret Key.
Site and secret key APIs are needed to use reCAPTCHA in the User Registration plugin.

To enable reCAPTCHA on a specific registration form, you will need to edit that form and enable it from within.

There is a premium version of User Registration as well, which lets you integrate with WooCommerce, and adds the ability to import users.

Next, we’ll look at using Cloudflare in the fight against registration spam.

Cloudflare Capable

Cloudflare is best known as a Content Delivery Network (CDN). Through its massive network of servers, Cloudflare helps speed up and protect websites from malicious attacks, while caching across 165+ data centers the world over to supercharge the performance of your website.

By cutting off location/country-based registrations from known bot sources, Cloudflare offers spam protection in two forms: IP Block, and Firewall Rules.

Their IP Block feature is only available under the Enterprise plan, which comes with an Enterprise-level ($$$) price.

But worry not; Firewall Rules can be used on any plan. Firewall Rules can block by location, IP address, user agent, and more. You’re allowed up to five active Firewall Rules under the free plan, then progressively more as you go up in the paid tiers.

Regardless of plan type, creating an account is required to partake in any of Cloudflare’s features. You will also need to point your existing DNS servers (aka, Nameservers) to the ones provided by Cloudflare. This provides a better browsing experience for your users, so there is additional value.

Once done, you can get to creating your Firewall rules, as follows.

  1. Log in to your Cloudflare account.
  2. Select one of your websites.
  3. From the left sidebar menu, select Firewall Rules.
  4. From the main page, click on the blue Create a Firewall rule button.
Cloudflare’s free plan permits you to have up to five active Firewall rules.
  5. Enter a name in the Rule name text field.
  6. Beneath When incoming requests match…, select the desired options from the corresponding dropdown menus for Field, Operator, and Value. Optional: add additional parameters to this rule by clicking the And / Or buttons; then select the corresponding options in the resultant row.
  7. The following row shows the Expression Preview, which is editable by clicking the Edit expression link above the open text field. (Action not required.)
  8. From the dropdown menu under Then…, choose an option.
  9. Click on the Deploy button to save the rule.
Creating a rule in Cloudflare’s Firewall settings.

IMPORTANT: Your rule isn’t active yet. To make it so, you must return to your Firewall Rules list, and toggle the button ON (it goes from gray-with-an-X to green-with-a-check-mark).

Managing Firewall Rules in CF

At any time, you can Edit a rule (click on the wrench button), Delete it (click on the X button), or make it Inactive (toggle the green-with-a-check-mark button, turning it to gray-with-an-X).

You can also change the order of the rules by either clicking and dragging the up-down arrows at the far left of each rule row, or by clicking on the Ordering button.

Firewall Rules summary page in Cloudflare.

Curious what kind of activity any rule has had? Simply look at the Activity last 24 hr column on the Firewall rules page.

To add more Firewall rules, repeat the above process. Or, click here for more nitty gritty on Firewall rules in Cloudflare.

A quick sidebar on CDNs: WPMU DEV also offers a CDN in our managed hosting, which integrates smoothly with Cloudflare (as well as our optimization plugins, Smush & Hummingbird).

It is important to note that it’s best not to serve content from two different CDNs, as it’s sure to cause issues.

With Cloudflare wrapped, that leaves us with one more solution in the war against spam registrations… the all-mighty WAF.

WAF Wisdom

A Web Application Firewall (WAF) is a security layer between end-users and applications. It inspects traffic coming from and returning to web applications, filtering all access between them.

This differs from a standard firewall, which provides a barrier between external and internal network traffic. A network firewall protects a secured network from unauthorized access to prevent the risk of attacks and malicious bots. Its primary objective is to separate a secured zone from a less secure zone, and control communications between the two.

In general, a firewall is deployed near the edge of a network, making it an effective barrier between known, trusted networks and unknown, possibly unsafe ones. Standard firewalls are designed to deny or permit access to networks, or deny access to specific areas (folders, websites, etc) without the proper credentials.

WAFs complement standard network firewalls by protecting the application infrastructure and its users, focusing on HTTP/HTTPS applications and servers to prevent threats like SQL injection, DDoS attacks, and cross-site scripting (XSS) attacks.

WAFs not only passively monitor activity but also proactively shore up weaknesses in web applications. Because they constantly scan for vulnerabilities, WAFs often spot weaknesses in the network and patch them long before the user notices. The patch is a short-term resolution that buys time to fix the issue and prevent potential breaches in the network.

See this article for a deeper dive into WAFs.

Suffice it to say when it comes to filtering out spam registrations, WAFs shine.

The Best Hosts Have WAF(fles)

If you have a quality WordPress host, chances are good that they’ve incorporated WAFs into their ecosystem.

Here at WPMU DEV, WAFs are included in all of our hosting plans, which means that with a few clicks, you can put spam registration woes in your rear-view mirror.

One of our members had this to say about using our WAF to cut down on his spam registrations:

“After consulting with wpmudev support, I changed the page through which spam registrations were made on my site to be blocked by WAF, and to my surprise, the malicious bots have now taken to their heels! No more excitement seeing “200 new visits”, “200 new leads” only to discover they were spam sign ups.”

To show you how easy it is to get this feature locked and loaded, we’ll do a quick walk-through of the WAF settings via our all-in-one dashboard, The Hub.

Navigate to The Hub, and click on the website you’d like to manage.

Click on the Security header tab, then under Firewall, click the gear icon for Hosted WAF.

Settings for WAF via The Hub’s security tab.

Toggle the Protect Site button to ON (it will go from gray to blue).

One-click switch protects your site with WAF.

This will bring up a selection of Allowlists and Blocklists for IPs, User Agents, URLs, and Disabled Rule IDs.

You can customize rules to your heart’s content with the options in WAF.

You can set as many specific settings as you’d like here, then click Save – or simply hit the gray Close button to apply our predefined rules.

Specify your settings before hitting Save, or apply the predefined rules with Close.

Once done, you can see in the summary view that the firewall is activated and protecting your site.

WAF is active and on duty!

WAF Log

We have a smart built-in feature in our WAF that records Rule IDs and errors, called (appropriately enough) the WAF Log.

To view the log, select a site, then navigate to The Hub > Hosting > Logs > WAF Log.

The WAF log reveals all to those who seek it.

Where attacks are coming from, what requests were blocked, and what rules those requests triggered, are all recorded here, readily providing the info needed to minimize false alarms.

If you scroll to the bottom of the Allow & Block lists, you’ll see Disable Rule IDs. Enter any Rule ID (from the log) that’s causing problems, and boom—it’s immediately disabled.

Put a stop to problematic attacks by putting them into the Disabled Rule Ids field.

When active, the WPMU DEV WAF engages a forcefield (a custom set of rules) so attacks and malicious traffic are repelled before they can even hit.

Taking Control

Registration spam on your WordPress site can become an overwhelming annoyance. But you can lessen or even completely rid your site of it with a few simple maneuvers.

One possibility is adding a dedicated WordPress registration plugin that requires additional steps (like CAPTCHA), or admin approval for new users. These can help, but aren’t always the most efficient, as they seem to allow some creep through over time. If your traffic is light, it could suffice for you.

Another choice is using Cloudflare, and creating Firewall rules specific to each spam registration type (IP or country of the source). The catch here is whether you have a paid plan, as the free plan limits the number of rules that you can have active at a time.

Last but not least is the option of using a strong and reliable WAF. If you host with us, then you’ve already got this powerhouse tool in your WordPress shed. (If you don’t, signing up is quick and easy, and you can try us for 30 days, satisfaction unconditionally guaranteed!)

A shout out to our member, Chris Chukwunyere from Gzi, who contributed the seed that germinated into this article.

Has comment spam ever been a problem for you? If so, what method(s) work best to rid your sites of it? Let us know in the comments below.