• I’ve been at war with “bots” registering fake users for as long as I can remember.

    I’ve installed about a half-dozen anti-bot plugins, tried various captchas, and NOTHING seems to work.

    At least twice a week, I get these fake registrations, all with one thing in common… they are ALWAYS in the same format:

    example: TerrellMcGahey, JoanAbi32, Mike-017

    …FirstLast name together on one line. For a long time, the domain was “@outlook.com”. Before that, most were “@hotmail.com” and more recently “@yahoo.com” & “@yahoommail.com”. But now it’s just random business domains. Nothing that I’m willing or able to block.

    So last week I got smart and added a plugin that *requires* new registrants to enter something on the “Last Name” line and *STILL* the fake registrations are getting through (same format, no separate last name)! Captchas don’t stop them, spam blockers don’t stop them, and required fields don’t stop them. At this point, *I can only assume the bots are bypassing my Registration form entirely and registering using some other method.*

    My question: Is this possible, and if so, is there ANYTHING that can be done about it?

    *Thanks.*

Viewing 15 replies - 1 through 15 (of 15 total)
  • You might want to track and have a look at their IP and User Agents. Try to find a common thing that you might block in the future.

    Also be aware that bots might brute-force your login pages as well.

    Captchas should be a good start point to block bot registration. Are you sure that those are not manually entered bulk registrations?

    Thread Starter Mugsy

    (@mugsy)

    Thanks for the reply.

    I’ve been looking for a common thread among all these fake registrations for ages and came up empty. No static IP or domain in common.

    I’m pretty sure they are bypassing my Registration page, and wondering if there’s anything that can be done about it?

    A good captcha should do the work. Maybe you tried some poorly written captcha plugin or script earlier, which bots could fill automatically. Try to find a reliable captcha script/service.

    Thread Starter Mugsy

    (@mugsy)

    Artifex.

    The best Captcha in the world is of no use against bots that bypass the Registration page.

    I use the most popular “WP-reCAPTCHA” plugin that you see on most sites, plus a “math” challenge.

    This isn’t an “inadequate captcha” issue.

    Thx.

    No captcha is 100% “adequate”. Hackers can bypass captchas with 90% accuracy.

    Your best bet is to implement some sort of confirmation message that doesn’t create the user unless they have clicked on this confirmation email.

    Gravity Forms does this out of the box. I’m not sure of other plugins.

    Thread Starter Mugsy

    (@mugsy)

    Evan, I’m quite certain this has nothing to do with captchas. I’ve tried about a dozen different ones, even combining several.

    I *do* use “confirmation emails”, but the accounts are still being created. I don’t know if it is because the bots are responding to them or if WP just registers them whether they respond or not. Either way, I get a bunch of phantom “users” that never log in and never post (but are problematic in that I can’t get an accurate count of Registered Users).

    Unfortunately, “Gravity Forms” is Commercial Software and I’m a non-profit.

    *Evan

    And I was more so responding to Artifex’s suggestion to use a more adequate captcha.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    And what happens if you find out that they’re not bots? Just a possibility to consider. Some spammers aren’t bots.

    Thread Starter Mugsy

    (@mugsy)

    As noted in my original post, registrations follow a very specific pattern suggesting a bot: FirstnameLastname all on one line. Lastname field is always blank.

    I tried rejecting registrations that don’t enter anything in the “Last Name” field and they still got through, suggesting they are bypassing the Registration form entirely.

    For years, they always used webmail domains. First “Hotmail.com” and “Yahoo.com”. Later “Outlook.com” and “Yahoomail.com”. Now it is random sales domains like “buy-cheap-stuff.com” or “bobsnicknacks.com”.

    No question these are “bots” and almost certain they are bypassing the Registration form entirely.

    You have a link to the site that you’re having issues with?

    Thread Starter Mugsy

    (@mugsy)

    Hmmm, I see. I was asking because I thought maybe you had a registration form on the front end of the site, but forgot about: https://mugsysrapsheet.com/wp-login.php?action=register

    I can see you’ve implemented the captcha there as well. Very strange that spammers are able to bypass that. I’m not personally sure of any way someone can bypass that screen as well.

    Bots don’t access the visible site – once they find an “open” comments form url, they submit directly to the url. Confirmation emails probably don’t work because the email address has to be “registered” in the database before WP can send the email. What’s needed is a way to unregister the addresses if they don’t respond within a period of time – but that’s pretty complex.
    If you must have comments, maybe look into a third-party app like Disqus.

    I suggest that you look at your website logs for the times these bogus users get registered. This will let you find how they are registering without using your forms.
    Please let us know if you find anything interesting.

    Thread Starter Mugsy

    (@mugsy)

    “webbrewers”: Fortunately, I’m not having a problem with spam comments, just fake registrations. A simple math “challenge” seems to be all I need there.

    “Ross”: I just checked my logs and I noticed a few interesting things:

    o All of the fake registrations (in the past week at least) took place just after midnight (between 12:02am & 12:20am).

    o The time between hitting the Registration form (GET) and clicking Submit (POST) is less than 1 second.

    o The bots rarely (but not always) pass through another page first, going straight for “wp-login.php?action=register”.

    The browser used by the bot is sometimes reported as Mozilla and sometimes Opera, always a Windows-based system, and the IPs are not static, so I can’t block them that way.

    If nothing else, I think I’ve confirmed these aren’t human “hired guns” registering by hand for some sleazy advertising agency.

    Thx.
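The log review described in the post above (sub-second GET-to-POST gaps, bots going straight to wp-login.php?action=register) can be automated. The script below is an added example, not code from any poster or from WordPress; it assumes an Apache/Nginx "combined" format access log and works on constructed sample lines with RFC 5737 documentation addresses.

```python
import re
from datetime import datetime
# Apache/Nginx "combined" access-log line, e.g.
#   1.2.3.4 - - [01/Mar/2018:00:02:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REGISTER_PATH = "/wp-login.php?action=register"   # core WordPress registration endpoint

def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_registrations(lines, max_fill_seconds=1.0):
    """One entry per POST to the registration URL that looks automated, with the reasons why."""
    last_get = {}    # ip -> timestamp of the most recent GET of the registration form
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != REGISTER_PATH:
            continue                      # ignore everything but the registration endpoint
        if rec["method"] == "GET":
            last_get[rec["ip"]] = rec["ts"]
        if rec["method"] != "POST":
            continue
        reasons = []
        got = last_get.get(rec["ip"])
        if got is None:                   # submitted without ever loading the form
            reasons.append("post_without_get")
        elif (rec["ts"] - got).total_seconds() < max_fill_seconds:
            reasons.append(f"submitted_under_{max_fill_seconds:g}s_after_form_load")
        if rec["referer"] == "-":         # direct submission, not a clicked form
            reasons.append("no_referer")
        if reasons:
            flagged.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(), "reasons": reasons})
    return flagged

# Constructed sample log: two bot-like submissions just after midnight, one human at 09:13.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2018:00:02:03 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4211 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [01/Mar/2018:00:02:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.9 - - [01/Mar/2018:00:05:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Opera/9.80 (Windows NT 6.1)"
192.0.2.14 - - [01/Mar/2018:09:13:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4211 "https://example.org/about/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.14 - - [01/Mar/2018:09:13:41 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "https://example.org/wp-login.php?action=register" "Mozilla/5.0 (X11; Linux x86_64)"
""".splitlines()
```

Feed it the real access log (`flag_registrations(open("/path/to/access.log"))`, path is a placeholder) and compare the flagged timestamps with the registration times of the phantom users.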

  • The topic ‘Fake registrations driving me nuts! Are they bypassing form?’ is closed to new replies.