Thursday 30 October 2014

WordPress spam users are clogging my site!


Wordpress spam users registering in huge numbers

You have launched your WordPress site, and all is going well. But browsing around one day, you realise that your user list has been growing exponentially. Moreover, the user names and email addresses look somewhat... not so right.

You may be a target of spam bots.

Such spam bots target public WordPress sites and register themselves as fictitious users, in some cases thousands of users per site per day. This creates a big headache and a lot of tedious maintenance work for site administrators.

Why spammers do this:

Spammers have more than a few reasons for doing this:
  • Creating spam content on the web to serve their own ends
  • Exploiting WordPress vulnerabilities
  • Other malicious intent to demote, or otherwise negatively affect, target sites

How you suffer:

Targeted sites then suffer a variety of consequences, some potentially very bad:
  • Unsolicited WordPress comments, possibly with lots of unwanted hyperlinks
  • Negative effects on SEO
  • Possible blacklisting of your email server (because your site sends emails to these fictitious users who sign up, which then bounce)
  • A database slowed down by useless data

What you can do: 

It is always easier to implement countermeasures early, before the spammers find your site. Otherwise you will be left with the tedious work of cleaning up fictitious users and their comments.

Non-Membership sites: 

For non-membership websites, the answer is simple. We can simply disable new user registrations via the WordPress admin.

Uncheck "anyone can register" option!

Membership sites: 

For those with membership sites, it is a little trickier. It is not the end, though, as there are many tools out there to help. This is a constantly evolving game between spammers and site administrators: every ingenious solution is met with new attack methods developed by spammers to counter your moves, and the cycle continues.

As a side note, I suggest never giving newly registered users a default role any higher than "subscriber".

An article by Cozmoslabs proposes several solutions.
  1. Install plugins to introduce CAPTCHA to your registration form:

    I personally do not really like this approach, as the solution only addresses the site administrators' issue. It does not add value to the user, and in fact makes the form harder to fill in.

  2. Custom redirect to another registration form instead of WordPress' default form:

    I think this is an interesting solution worth exploring. You can direct the user to your own customized form that is aligned with your site's brand image. The different URL and form elements should make it more challenging for automated bots.

  3. Registration confirmation via email:

    Users receive an email upon registering. They then need to activate their account to prove that they are a human and not a bot.

    I think this is quite a neat feature, as it is a common approach on many mainstream sites. Users know what to expect. They do have the extra step of activating through their email, though.

The final choice is yours, depending on your individual needs.

You can find their article here.
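
The email-confirmation approach from option 3, written as a WordPress plugin. This is an added example, not code from this post or from the Cozmoslabs article; the `crm_` prefix, the meta key, the query arguments and the 24-hour expiry are assumptions.

```php
<?php
/*
 * Plugin Name: Confirm Registration Email (added example)
 * All crm_ names below are hypothetical and chosen for this example only.
 */
const CRM_META = 'crm_pending_token_hash';
const CRM_TTL  = 86400; // link validity in seconds (24 hours, an assumed policy)

// 1. New account: keep only a hash of a random token, mail the raw token to the address given.
add_action( 'user_register', function ( $user_id ) {
    $token = bin2hex( random_bytes( 32 ) );
    update_user_meta( $user_id, CRM_META, hash( 'sha256', $token ) . '|' . ( time() + CRM_TTL ) );
    $link = add_query_arg( array( 'crm_uid' => $user_id, 'crm_token' => $token ), home_url( '/' ) );
    wp_mail( get_userdata( $user_id )->user_email, 'Confirm your account',
        "Open this link to activate your account:\n" . $link );
} );

// 2. Until the address is confirmed, refuse login even with a correct password.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( ! is_wp_error( $user ) && get_user_meta( $user->ID, CRM_META, true ) ) {
        return new WP_Error( 'crm_unconfirmed', 'Please confirm your email address before logging in.' );
    }
    return $user;
} );

// 3. Confirmation link: constant-time compare with the stored hash, honour expiry, single use.
add_action( 'init', function () {
    if ( ! isset( $_GET['crm_uid'], $_GET['crm_token'] ) ) {
        return;
    }
    $user_id = absint( $_GET['crm_uid'] );
    $token   = sanitize_text_field( wp_unslash( $_GET['crm_token'] ) );
    $stored  = (string) get_user_meta( $user_id, CRM_META, true );
    if ( '' === $stored ) {
        return; // unknown user, or already confirmed
    }
    list( $hash, $expires ) = explode( '|', $stored );
    if ( time() <= (int) $expires && hash_equals( $hash, hash( 'sha256', $token ) ) ) {
        delete_user_meta( $user_id, CRM_META ); // account is now active
        wp_safe_redirect( wp_login_url() );
        exit;
    }
} );
```

Accounts that never confirm keep the `crm_pending_token_hash` meta key, so they are easy to find and delete in bulk.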

