How to discover the way a user registers without going through the form?
-
Hello.
They sent me here again.
I have your plugin installed.
I want to know if your Defender plugin is what I need to solve the following problem:
I’m having problems. There is a hacker that registers users without going through the user registration in WordPress.
Users, with very rare emails, appear in the user list.
I have an alert system for when a user registers on the web.
When you register, you are sent an email to set the password, and also I, as the site administrator, receive an email that a new user has registered.
This may be a backdoor that the Hacker has on my website.
I still haven’t been able to figure out how to register these users, I haven’t been able to fix it with your free plugin, I may not be using your plugin correctly.
I want to see all the functions it has to finally choose to buy your plugin or another.
I don’t know if you can advise me and tell me what I can do to correct this problem on my website.
I can delete the entire site, but it would take me days to recreate it.
You can help?
Thanks for your attention
-
Sorry to hear you are having this inconvenience in your site.
The first step will be to run a malware scan using Defender Pro. Verify if any changes in the core, plugins or theme files are detected. Create a backup of the site and then make sure you take action to restore or delete any infected files, elements with suspicious code, or files that don’t belong in the site.
Once you make sure the site is clean, you can check some additional settings:
- In Defender, enable the mask login and change the url of the login page. This can prevent the registration using the login form options. Find more information in our documentation below:
https://wpmudev.com/docs/wpmu-dev-plugins/defender/#mask-login-area
- Disable registration in the General Settings. Head over to the Settings > General page in your WordPress admin area. Scroll down to the ‘Membership’ section and uncheck the box next to ‘Anyone can register’ option.
- There is also an article in our blog that walks you through the steps you need to prevent unauthorized user registration. It will explain about some other tools you can use together with Defender to get the most out of the plugin.
https://wpmudev.com/blog/preventing-spam-registrations-wordpress/
Check if these recommendations help, let us know if you have additional questions or concerns.
Kind regards
Luis
Hello
Thank you for your quick response, and for showing me your support.
Unfortunately, I already did everything you told me:
1 – In Defender, enable masked login and change the login page URL. This may prevent registration using the login form options. Find more information in our documentation below
I changed the URL but the intruder keeps putting the user in the user list of my WordPress without going through the registration form.
2 – Disable logging in General Settings. Head over to the Settings > General page in your WordPress admin area. Scroll down to the “Membership” section and uncheck the box next to “Anyone can sign up.”
I have disabled the registration, but it is necessary to also disable it in WooCommerce >> Settings >> Accounts and privacy.
If we don’t disable this, the user can register from the form.
How are new users going to register on my website if I have this disabled?
Can you help me solve this?
Thank you
I hope you’re well today!
What you described suggests that those registrations are bypassing the standard registration “path” which makes things a bit more complex.
Defender can help protect the site but, like any other security plugin, it’s a plugin only – meaning it works “within” the environment which it protects and that creates some limitations of what can and cannot be monitored.
I would say that those registrations are most likely coming in one of the three ways:
a) there may be some custom registration form (added by theme or some other plugin) that doesn’t hook to WordPress core in “standard” ways; it’s rare but I’ve seen it a few times in the past (especially with some older plugins) where the registration was all custom coded in a way that “bypasses” WordPress core in which case it would also be able to bypass most of security plugins
b) there may be a vulnerability in theme or one of the plugins that makes it possible; if it’s already known or is due to some malware infection; Defender’s free malware scan could possibly detect malware infection by finding files that appear to be modified but the free version doesn’t check for vulnerabilities, I’m afraid.
c) another possible way (though if you are getting e-mail notifications, it doesn’t sound like it’s the case here) would be direct injection to the DB e.g. due to compromised DB access credentials
An alternative and quite likely way is that there is some compromised admin-role account on the site. In such case there wouldn’t really be any vulnerability or infection but simply an attacker (maybe a human or maybe just a bot) would use that account to login and, as admin, they’d be able to just add new users from back-end even if regular registration is fully protected and/or disabled – because admins are always able to do this.
——
So aside of what was suggested earlier, I would recommend following additional steps:
– triple-check all accounts on site that have admin roles and make sure that there are no “abandoned” or “unrecognizable” ones; for those that you are sure are legitimate – make sure that “Pwned Passwords” option is enabled in Defender and then force password reset (you can use Defender for that too on “Defender -> Tools” page)
– if possible, do change DB password in hosting and then update wp-config.php file accordingly
– review the plugins to make sure that a) there are no unnecessary plugins there (for example, plugins that you no longer use or are really not essential to the site) and b) that everything is fully up to date
– consider enabling 2FA for users or at least admins; there’s a chance that a compromised account user may not be able to configure it (especially if it’s a bot)
– enable login protection option in Defender’s firewall as it may help preventing any attacks that attempt to “guess” or “dictionary break” passwords to user accounts
Best regards,
Adam

Hello,
I beg your pardon for the delay in responding, I was testing with all the information you have given me
Thank you for your detailed answer,
I am now getting no logs from this intruder as I have completely removed and disabled WordPress and WooCommerce logging.
But this can only be a tactic of the intruder.
In this forum I can’t ask any kind of questions either, and I can’t contact you in any other way
The ideal would be to clean the site completely, but I don’t know what the infected files are and creating a site from scratch would be serious.
I don’t know how to do it, if you can contact me in another way, to be able to talk about the other accessories
Thank you

Hi @miguelappstudio,
The ideal would be to clean the site completely, but I don’t know what the infected files are and creating a site from scratch would be serious.
If the malware scan isn’t able to pick up any infected files, then as mentioned in our previous response the possibilities might be due to “three” ways as described.
An easy way to carry out a clean-up would be to download the latest zip of WordPress and re-upload a fresh new folder for /wp-admin, and /wp-includes and other WP core files except replacing the wp-config.php file and the /wp-content folder.
Once done, you could re-install all the plugins and themes and see whether that would help along with the other suggestions we have mentioned in the previous response.
You can download the zip copy from here:
https://www.ads-software.com/download/releases/
You can always use our contact form if you want to contact us, however, please do note that for the free version of Defender, we only offer support via this WordPress forum.
https://wpmudev.com/contact/#i-have-a-different-question
Kind Regards,
Nithin
I hope you are doing well and safe!
We haven’t heard from you in a while, I’ll mark this thread as resolved.
Feel free to let us know if you have any additional questions or problems.
Best Regards
Patrick Freitas

Hello
Thanks for letting me know @wpmudevsupport12, you are free to do what you want.
If you think you should close this thread, please close it.
My problem has not been fixed yet.
I have disabled login by following these steps:
Settings => General in the WordPress admin area.
In the “Membership” section and uncheck the box next to “Anyone can sign up.”
I have disabled logging, but it needs to be disabled as well in WooCommerce >> Settings >> Accounts & Privacy.
Now no “STRANGE” users appear in the WordPress user list anymore.
But new users cannot be registered on the Web,
What can happen? How can I correct this?
But I still have doubts if there is a back put on my site.
If you can help me with this, and you can write to my email and tell me what options we can handle with Defender Pro.
Thank you

We marked this topic resolved only because we didn’t have any feedback from you. In previous post by my colleague here there were some suggestions given and since we didn’t hear back from you we could safely assume that it simply worked for you. It’s very common that if suggested solution works, we just don’t receive any further communication.
Unfortunately, apparently I can’t “unmark” it (as “not resolved” again) but let me assure you that despite that we’ll keep assisting you for as long as needed to get the issue fixed.
That being said:
1. Aside from the things that you tried, did you also try suggestion from my colleague’s previous response (as linked above)? If not, could you give it a go, please?
2. You mentioned “no strange users” now – so you mean that with registration completely disabled, no such unknown/weird accounts are created anymore, right?
If yes, then this would at least let us narrow down those registrations to actual registration forms (either default one or Woo). The questions are then:
– if you only enable default registration but not WooCommerce – is the issue still happening or no “strange” users too?
– are you using reCaptcha and/or Defender’s login masking features on site?
Kind regards,
Adam

Hello @wpmudev-support8, I’m sorry for the delay in my response, I had some problems.
Well, I have followed several of the steps that you explain to me in the previous answer.
I have isolated the problem:
1 – Enabling WordPress registration, registered users do not appear without going through the form.
2 – Enabling WooCommerce registration only,
( WooCommerce => Settings => Accounts & Privacy => Account Creation => Allow customers to create an account on the “My Account” page)
In this way, these SPAN users appear again, users who do not go through the form to register.
What I can do? I cannot allow this to happen and SPA users register without going through the form.
As I said at the beginning of this discussion, when these “weird users” register, I don’t get the “New User Registration” notification in the admin mail.
Can Defender Security help me to correct this and find out where the security flaw is?
Thank you all for the support you are giving me, @wpmudevsupport12, @wpmudevsupport11, @wpmudev-support7
Again, I’m sorry for the delay in my response, it was due to personal reasons.

Hi @miguelappstudio,
Can Defender Security help me to correct this and find out where the security flaw is ?
As stated in our previous response, there could be many factors for such an issue to occur and Defender can only help protect a site.
https://www.ads-software.com/support/topic/how-to-discover-the-way-a-user-registers-without-going-through-the-form/#post-16885982
If you have configured all the Defender settings as mentioned in the documentation:
https://wpmudev.com/docs/wpmu-dev-plugins/defender/#tools
And also spam protection plugins like Akismet or similar and still you notice the same issue then I’m afraid the chances could be it might be more specific to the plugin.
Since you are able to identify it only specifically occurs within WooCommerce, would highly recommend checking with WooCommerce support to see if they are aware of any such behaviour and any known workaround in such use cases too.
Please do let us know how that goes.
Kind Regards,
Nithin
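
Added example (not part of any reply in this thread, and not WPMU DEV or WooCommerce code): one way to see which request created each unexpected account is to line up every new user's `user_registered` time with the POST requests in the web server access log, which also covers the other routes raised earlier in the thread (an account added by a logged-in admin, or no web request at all). It assumes combined log format and WooCommerce's default `/my-account/` slug; the sample log lines, users and entry-point list are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the thread): combined-format access log lines
# and (user_login, user_registered) pairs; WordPress stores user_registered in UTC.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2023:10:15:02 +0000] "GET /my-account/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2023:10:15:09 +0000] "POST /my-account/ HTTP/1.1" 302 0 "https://shop.example/my-account/" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2023:13:40:31 +0200] "POST /?wc-ajax=checkout HTTP/1.1" 200 210 "-" "python-requests/2.31"
192.0.2.50 - - [12/Jun/2023:12:05:44 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/user-new.php" "Mozilla/5.0"
"""
SAMPLE_USERS = [("alice", "2023-06-12 10:15:10"), ("xkqz91", "2023-06-12 11:40:31"),
                ("helper2", "2023-06-12 12:05:45"), ("ghost", "2023-06-12 13:00:00")]

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
# Requests that can create an account (illustrative list, assumes default slugs).
ENTRY_POINTS = [
    ("wp-login.php?action=register", "core registration form"),
    ("wc-ajax=checkout", "WooCommerce checkout"),
    ("/my-account", "WooCommerce My Account form"),
    ("/wp-json/", "REST API"),
    ("/xmlrpc.php", "XML-RPC"),
    ("/wp-admin/user-new.php", "added by a logged-in admin"),
]

def parse_posts(log_text):
    """Yield (utc_time, ip, path, referer) for every POST request in the log."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "POST":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.astimezone(timezone.utc).replace(tzinfo=None), m.group(1), m.group(4), m.group(6)

def classify(path):
    return next((label for needle, label in ENTRY_POINTS if needle in path), "other POST")

def correlate(users, log_text, window=5):
    """Map each new user to the POSTs made up to `window` seconds before creation."""
    posts, report = list(parse_posts(log_text)), {}
    for login, registered in users:
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        # Third field is True when the POST had no referer (sent without loading the form).
        hits = [(ip, classify(path), ref == "-") for ts, ip, path, ref in posts
                if timedelta(0) <= created - ts <= timedelta(seconds=window)]
        report[login] = hits or [("-", "no web request found", False)]
    return report

if __name__ == "__main__":
    print(correlate(SAMPLE_USERS, SAMPLE_LOG))
```

A user with "no web request found" was not created through any form on the site, which points towards a database-level cause; a POST with no referer is the pattern of an account created without loading the registration page first.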
Thanks for your support again.
You can now contact the WooCommerce team to see if they know of other cases similar to mine.
Regarding your answer, I don’t quite understand what you mean.
Can we fix this with the Plugin ?
@wpmudevsupport11 I don’t understand what you mean by:
“then I’m afraid it’s probably more specific to the plugin.”
Thank you

Regarding your answer, I don’t quite understand what you mean.
Let me rephrase it a bit.
Previously I asked you to check some things and you did. As you wrote:
“2 – Enabling WooCommerce registration only,
( WooCommerce => Settings => Accounts & Privacy => Account Creation => Allow customers to create an account on the “My Account” page)
In this way, these SPAN users appear again, users who do not go through the form to register”
This clearly means that these users are coming in through this particular WP registration. This also means that issue is specifically related to WooCommerce then.
You can try following options of Defender:
– setting up a “Mask Login Area” option (Defender -> Tools -> mask Login Area)
– enabling reCaptcha (Defender -> Tools -> Google reCaptcha) and enabling “WooCommerce” option there on the same page
and if that’s not enough, you can also give this 3rd-party plugin a go as it is designed specifically to address spam issues (including registration spam) and may help:
https://www.ads-software.com/plugins/cleantalk-spam-protect/
Kind regards,
Adam

Thanks for the support.
I have a problem and need this discussion removed from the Forum.
Where should I write to request that this debate be deleted?
Of course I have everything that has been provided to me here written down and saved
I am very grateful and value the support you have given me, but it is important to eliminate this debate.
Can you help me?
Thank you all @wpmudev-support8, @wpmudevsupport11, @wpmudevsupport12, @wpmudev-support7

Moderator note: @miguelappstudio
I’m sorry but no. Unless it is an extreme case, posts and replies are not edited here.
Forum topics will only be edited or deleted if they represent a valid legal, security, or safety concern.
See https://www.ads-software.com/support/forum-user-guide/faq/#will-you-delete-my-post-once-the-problem-is-solved and https://www.ads-software.com/about/privacy/
Thanks for your understanding.
For me it is important, I understand that for you it is not.
I have had to change my company’s Gravatar since I have suffered several hacker attacks after posting my problems here.
Now my account is no longer secure
I understand and respect your rules.
I will look for another solution since I have suffered several attacks.
Thanks for your understanding
Luck
- The topic ‘How to discover the way a user registers without going through the form?’ is closed to new replies.