SPAM user registrations are a major problem for many WordPress sites, particularly those running e-commerce services like WooCommerce.

There are many moving parts to WordPress websites that allow for user registrations, and you’ll quickly realise you need a way to stop SPAM users!

While we can employ tools such as reCAPTCHA to filter out many of the bots and bad actors, they don’t work 100% of the time. So we wanted to find a way to further filter out SPAM user registrations when they slip past the first lines of defense.

The Problem With E-Commerce Checkouts and Bots

If you’ve set up an e-commerce site, you know that it isn’t a simple process. It’s complicated.

And perhaps one of the most complicated elements is the checkout page.

This is because you usually have the base e-commerce plugin, like WooCommerce, providing the core of the checkout, and then you have other plugins, themes, and what-nots all sticking their oars in.

It gets messy, very quickly.

Then you use Shield Security PRO to try and stop bots. And while it works most of the time, the more complicated a checkout page becomes, the more likely that things are going to break, somewhere along the way.

Shield is written to try and cover as many scenarios as possible, but it can’t literally cover them all.

So we need another tool in the defense against SPAM user registrations…

SPAM User Registration Blocking With Email Checking

This idea was given to us after a conversation on our Facebook group.

Somehow, spam users were still getting through the checkout page for a client, and he was looking for a way to stop them.

The new users, very often, were subscribed with “fake” email addresses. Not always, but often enough that we wanted to do something about it.

With Shield Pro 8.6 we released a brand new feature to detect, and even block, user registrations that contain fake email addresses.

How To Detect A Fake Email Address

An email address represents several different things all at once. Here’s an example:

support@shieldsecurity.io

This can be broken up into 2 main parts:

  1. The mailbox/user: support@
  2. The domain name: shieldsecurity.io

Detecting whether or not a mailbox exists is a bit more difficult than it might appear. Shield Security doesn’t attempt (at least not yet) to detect the existence of a mailbox. We focus solely on the domain name.

Shield performs 3 separate tests on the domain name:

Test 1: Domain name resolves to an IP address

This is one of the most basic tests you can make on a domain name. A domain will fail this test for one of two reasons:

  1. The domain doesn’t exist (i.e. it’s not registered anywhere).
  2. An A (or AAAA) record has not been created for it, pointing it to an IP.

Why would you have an email address for a domain that doesn’t have an IP?

The truth is, this is quite possible. Nothing prevents a domain name that doesn’t resolve anywhere from still running email. It’s rare, but it’s possible, so bear this in mind.

Test 2: Domain name has MX records

MX records are DNS entries that point to email servers. A domain name only needs MX records if it is receiving email.

If the domain has no intention of receiving email, then why would you have a mailbox on that domain? You wouldn’t, unless you only intend to send email.

Test 3: Is the domain known for “disposable” email addresses?

There are thousands of domains out there used to supply temporary, disposable email addresses.

Some people use these to sign up for newsletters, or to register anonymously on websites. If you think there’s no good reason for disposable email addresses to be used on your site, blocking their use might be a good idea.
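The three domain tests above, put together as an added Python sketch (this is not Shield’s code; Shield’s own DNS handling and disposable-domain list are not reproduced). The resolver and the disposable-domain set are constructed stand-ins so the example runs offline; for live use you would swap in a real DNS lookup (e.g. dnspython, or checkdnsrr() in PHP) and a maintained list.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed disposable-domain list for the example only.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com"}

# A resolver takes (name, record_type) and returns matching records, [] if none.
Resolver = Callable[[str, str], List[str]]

# Constructed DNS table standing in for real lookups (RFC 5737 test addresses).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("shieldsecurity.io", "A"): ["203.0.113.10"],
    ("shieldsecurity.io", "MX"): ["mail.shieldsecurity.io"],
    ("mailinator.com", "A"): ["203.0.113.20"],
    ("mailinator.com", "MX"): ["mail.mailinator.com"],
    ("web-only.example", "A"): ["203.0.113.30"],          # resolves, no MX
    ("mail-only.example", "MX"): ["mx.mail-only.example"],  # MX, no A/AAAA
}


def fake_resolver(name: str, rtype: str) -> List[str]:
    return FAKE_DNS.get((name, rtype), [])


def domain_of(email: str) -> str:
    """Split off the domain part; the mailbox part is not tested (as on the page)."""
    if email.count("@") != 1:
        raise ValueError(f"not a simple mailbox@domain address: {email!r}")
    # Normalise case and a trailing dot so "Example.COM." and "example.com" match.
    return email.rsplit("@", 1)[1].strip().lower().rstrip(".")


def check_email_domain(email: str, resolve: Resolver = fake_resolver,
                       disposable: Iterable[str] = DISPOSABLE_DOMAINS) -> Dict[str, bool]:
    domain = domain_of(email)
    return {
        # Test 1: an A or AAAA record exists (an unregistered domain fails here too).
        "resolves": bool(resolve(domain, "A") or resolve(domain, "AAAA")),
        # Test 2: MX records exist. Caveat: RFC 5321 lets a domain with only an A
        # record still receive mail (implicit MX), so treat a miss as a signal.
        "has_mx": bool(resolve(domain, "MX")),
        # Test 3: the domain is not a known disposable-address provider.
        "not_disposable": domain not in set(disposable),
    }


def failed_tests(email: str, resolve: Resolver = fake_resolver,
                 disposable: Iterable[str] = DISPOSABLE_DOMAINS) -> List[str]:
    """Names of the tests the address failed; an empty list means all three passed."""
    return [name for name, ok in check_email_domain(email, resolve, disposable).items() if not ok]
```

Which of the failed tests should log, count an offense or block is a policy decision, which is what the response options in the next section configure.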

What Does Shield Do When A Fake Email Is Detected?

As always, this is entirely up to you. You can:

  • Ignore it
  • Log it (in the Activity Log)
  • Increment the offense counter against that IP (but allow the registration to go ahead)
  • Prevent the user registration and immediately block the IP address

We highly recommend choosing to log the incident, at the very least. This way you can keep an eye on how Shield is assessing the email addresses that turn up on your site. Once you’re confident of how it’s working for you, you can choose to increase the severity of your response.

It’s important to also understand when Shield tries to detect fake email addresses. We chose to hook into the point right before WordPress inserts the new user into the database. This should mean it’s compatible with the vast majority of plugins that handle user registrations, since most of them will use WordPress’ own user insert code.

But if a plugin doesn’t use WordPress’ own code to do this, then Shield’s processing will be skipped entirely.

How can you enable this feature?

This new feature can be found under the main Security Zones menu > Users > User Registrations section.

Simply select the areas you’d like Shield to check and how you’d like Shield to respond in the event a fake email is discovered, and save.

Does this replace other spam user prevention tools?

You may be tempted to think that you no longer need silentCAPTCHA, but this is not the case.

This new feature should be used in addition to all your existing tools, particularly if you’re using Shield to provide them.

If a fake/spam user uses a legitimate email address, such as @gmail.com or @outlook.com, then these tests will pass. Better to stop the SPAM user registration as early on as possible.

Potential Improvements To This Feature

As always, this is the first iteration of this new feature and we believe that there’s room to improve it.

We’d like to get to the stage where we can also test the existence of mailboxes, but this is quite a complex job and we’re not entirely confident we can automate it. But we’ll definitely investigate the option.

We are, of course, always open to suggestions for improvements and we’d love to hear your thoughts on the new feature as well as other areas you’d like to see similar features.