How to Stop WordPress Registration Spam


· 05th August 2020·Wordpress, Wordpress Security


Are you aware that spambots constantly search the web for vulnerable websites? A way of attacking your site is through the use of spammy user accounts.

How to Stop WordPress Registration Spam

Are you aware that spambots constantly search the web for vulnerable websites? A way of attacking your site is through the use of spammy user accounts.

Designed by default, WP sites allow user to register inly from a specific link:

The spambots go looking for that link in order to register fake users.

For you to provide protection for your website and block spammer registration, here are a few simple tricks.

Set the default user role in WP

A way to protect your site is to make changes in the default settings when registering new accounts.

This can be done from Settings – General. Simply uncheck the membership box, this way no one can register in your site.

However, you still want real visitors to be able to make registrations. In this case, it’s best to use the subscriber role as the default one. It provides more security as it does not provide access to the WP admin dashboard.

This can be set up if you enable the Anyone can register checkbox. Then set the default role to subscriber.

default user role

User registration form

It you still want users to be able to register on your site, it’s wise to make a custom user registration form. This is very helpful when you wish to create a membership site with the help of a plugin.

To create a more secure form, you can use WPForms user registration addon and rely on its built-in form security features.

After installing WPForms, go to WPForms – Addons and locate the User registration addon. This is accessible only if you have the premium version.

Email activation

An optional security measure is user email activation, which is available within the WPForms user registration addon.

Spambots will not be able to get through this security step when you require users to click on a confirmation link.

Go to Settings – User Registration. Scroll down to User Activation Method and choose User email.

Save all changes and you are done!

Email activation

Admin Approval

For an even more secure method, choose Manual Approval.

This will give you the change to review all registration requests before any new users ca join you site. You get an email notification for each new request, as well as the option to deny or approve it.

For activating this method, go to Settings – User Registration. Scroll down to User Activation Method and choose Manual Approval.

Admin Approval


Another secure way for stopping spammy user registrations is to use a CAPTCHA field.

CAPTCHA is actually a test question which the user needs to answer so that they can submit the form. This can be a blurry text on an image, a question or just a checkbox.

To activate this option, you would need to activate the custom CAPTCHA addon. This will lead to adding a new field to the Form Builder. All you need to do is drag and drop this field in your form.


By default, you will see some random math questions. You can, however, make edits to the CAPTCHA form field, allowing you to choose the math option or the Question option. If you choose the latter, you can make up your own custom question.


Once all configurations are done, just save the changes.


While CAPTCHA can be a very useful anti-spammer tool, it can be very annoying for real users.

Instead of the original CAPTCHA tool, you can use reCAPTHCA – another Google created tool.

This advantage here is that there is just a simple checkbox you can use, which would significantly improve form conversions.


To activate it, go to WPForms – Addons and locate the reCAPTCHA addon.

Edit the form to your liking and click on Settings – General. Check the Enable reCAPTCHA option.


Honeypot Anti-Spam

Are thinking or removing the CAPTCHA field entirely? In this case, you can try out Honeypot option.

Honeypots can be awesome, as they are not annoying users like CAPTHCA. Actually, they are not visible to them at all.

Honeypots are hidden fields in the form, which are meant to be blanc. Spambots, however, will see the blanc space and automatically fill it out.

When the honeypot filed is filled in, then we can just reject the form as being spam.

Honeypot Anti-Spam

With WPForms you get a built-in honeypot feature, enabled by default. This option is located under Settings – General when making edits to your form.

At the bottom of the panel, you can see Enable anti-spam honeypot, which will be selected by default.


Stop Spammer Registrations

Another way to seize spammer registrations is by using the Stop Spammers Spam Prevention WP plugin.

With the help of this plugin, you will have a number of spam prevention techniques. The plugin also provides the option the block bad hosts which tolerate spam activity.

After activating the plugin, go to Stop Spammers – Protection options. The default settings are good for most sites. You can, however, uncheck some of them if real users are having problems logging in.

Stop Spammer Registrations

There is a chance that you might get locked out of your site’s admin panel. If this does happen, go to your site’s FTP and rename the plugin file from stop-spammer-registrations.php to stop-spammer-registrations.locked.

The plugin will be automatically deactivated and you will be able to access your admin area.

IP address blocking

After discovering the IP sending spam to your website, block its access entirely.

To find out what the address is, go to Settings – Notifications in the form editor.

Click on the Message field – Show Smart Tags – User IP Address.

IP address blocking

Upon receiving the nest email notification, you will see the IP of the user.

Would you like to block that IP address from having access to your site?

One way is through your hosting company, by asking for assistance from them. Another way it using a security plugin like Sucuri so that you can blacklist the IP.



Sucuri specializes in WordPress security, by protecting your site from hackers and malware, blacklists and DDoS. It’s one of the best WP plugin on the market.

Upon enabling Sucuri, your traffic will go through their CloudProxy firewall prior to coming to your hosting server. This will allow the plugin to block all attacks and send you only real visitors.


If wish to allow public registrations to your site, spammy users can be a frustrating issue. It can be reduced by using some of the tactics mentioned above.

What is your best solution for dealing with spam user registrations? Drop a comment bellow!

Nadejda Milanova

Get 10% off your order


Enter UYD-772-MK5 at the checkout to get 10% off one-time tasks or any maintenance plan.

Get started