SPAM user registrations are a major problem for many WordPress sites, particularly those running e-commerce services such as WooCommerce.
There are many moving parts to a WordPress site that allows user registrations, and you’ll quickly realise you need a way to stop SPAM users!
While we can employ tools such as reCAPTCHA to filter out many of the bots and bad actors, they don’t work 100% of the time. So we wanted to find a way to further filter out SPAM user registrations when they slip past the first lines of defense.
The Problem With E-Commerce Checkouts and Bots
If you’ve set up an e-commerce site, you know that it isn’t a simple process. It’s complicated.
And perhaps one of the most complicated elements is the checkout page.
This is because you usually have the base e-commerce plugin, like WooCommerce, providing the core of the checkout, and then you have other plugins, themes, and what-nots all sticking their oars in.
It gets messy, very quickly.
Then you use Shield Security PRO to try and stop bots. And while it works most of the time, the more complicated a checkout page becomes, the more likely that things are going to break, somewhere along the way.
Shield is written to try and cover as many scenarios as possible, but it can’t literally cover them all.
So we need another tool in the defense against SPAM user registrations…
SPAM User Registration Blocking With Email Checking
This idea was given to us after a conversation on our Facebook group.
Somehow, spam users were still getting through the checkout page for a client, and he was looking for a way to stop them.
The new users, very often, were subscribed with “fake” email addresses. Not always, but often enough that we wanted to do something about it.
With Shield Pro 8.6 we released a brand new feature to detect, and even block, user registrations that contain fake email addresses.
How To Detect A Fake Email Address
An email address represents several different things at once. Here’s an example:
This can be broken up into 2 main parts:
- The mailbox/user:
- The domain name:
Detecting whether or not a mailbox exists is a bit more difficult than it might appear. Shield Security doesn’t attempt (at least not yet) to detect the existence of a mailbox. We focus solely on the domain name.
Shield performs 3 separate tests on the domain name:
Test 1: Domain name resolves to an IP address
This is one of the most basic tests you can make on a domain name. A domain will fail this test for one of two reasons:
- The domain doesn’t exist (i.e. it’s not registered anywhere).
- An A (or AAAA) record has not been created for it, pointing it to an IP.
Why would you have an email address for a domain that doesn’t have an IP?
The truth is, this is quite possible. There’s nothing stopping you from having a domain name that doesn’t resolve anywhere while email still runs on that domain. It’s rare, but it’s possible. This is something to bear in mind.
Test 2: Domain name has MX records
MX records are DNS entries that point to email servers. A domain name only needs MX records if it is receiving email.
If the domain has no intention of receiving email, then why would you have a mailbox on that domain? You wouldn’t, unless you only intend to send email.
Test 3: Is the domain known for “disposable” email addresses?
There are thousands of domains out there used to supply temporary, disposable email addresses.
Some people use these to sign up for newsletters, or to register anonymously on websites. If you think there’s no good reason for disposable email addresses to be used on your site, blocking them might be a good idea.
What Does Shield Do When A Fake Email Is Detected?
As always, this is entirely up to you. You can:
- Ignore it
- Log it (in the Audit Trail)
- Increment the offense counter against that IP (but allow the registration to go ahead)
- Prevent the user registration and immediately block the IP address
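To make the three domain tests and the response options above concrete, here is an added example (not Shield’s own code). It runs Test 1 (A or AAAA record), Test 2 (MX record) and Test 3 (disposable-domain list) on the domain part of an address, then maps any failed tests to the most severe response you have configured for them. The DNS lookup is injected as a function so the logic can be exercised offline against constructed records; the `system_resolver`, the sample disposable list, the `.example` domains and the `SAMPLE_POLICY` are all assumptions made for this illustration.

```python
"""Added example: domain-name tests on a registration e-mail address, plus the
response mapping. Not Shield's code; DNS lookups are injected so it runs offline."""
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample list; a real deployment would load a maintained disposable-domain list.
DISPOSABLE_DOMAINS = frozenset({"tempmail.example", "throwaway.example"})

# Response options from the article, in increasing order of severity.
ALLOW, IGNORE, LOG, INCREMENT, BLOCK = "allow", "ignore", "log", "increment_offense", "block"
SEVERITY = {IGNORE: 0, LOG: 1, INCREMENT: 2, BLOCK: 3}

# resolver(domain, record_type) -> list of record values; an empty list means "none exist".
Resolver = Callable[[str, str], list[str]]


def domain_of(email: str) -> Optional[str]:
    """Return the normalised domain part, or None if the address has no usable '@'."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


@dataclass(frozen=True)
class DomainAssessment:
    domain: str
    resolves: bool    # Test 1: at least one A or AAAA record
    has_mx: bool      # Test 2: at least one MX record
    disposable: bool  # Test 3: domain is on the disposable list (exact match)

    def failed_tests(self) -> list[str]:
        failed = []
        if not self.resolves:
            failed.append("resolves")
        if not self.has_mx:
            failed.append("mx")
        if self.disposable:
            failed.append("disposable")
        return failed


def assess_email(email: str, resolver: Resolver,
                 disposable: frozenset = DISPOSABLE_DOMAINS) -> DomainAssessment:
    """Run the three domain tests; only the domain is examined, never the mailbox."""
    domain = domain_of(email)
    if domain is None:
        raise ValueError(f"not an e-mail address: {email!r}")
    resolves = bool(resolver(domain, "A")) or bool(resolver(domain, "AAAA"))
    has_mx = bool(resolver(domain, "MX"))
    return DomainAssessment(domain, resolves, has_mx, domain in disposable)


def decide(assessment: DomainAssessment, policy: dict[str, str]) -> tuple[str, list[str]]:
    """Map the failed tests to the single most severe response configured for them."""
    failed = assessment.failed_tests()
    if not failed:
        return ALLOW, []
    action = max((policy.get(test, IGNORE) for test in failed), key=SEVERITY.__getitem__)
    return action, failed


def system_resolver(domain: str, rtype: str) -> list[str]:
    """Live resolver: A/AAAA via the standard library; MX needs the third-party dnspython."""
    if rtype in ("A", "AAAA"):
        family = socket.AF_INET if rtype == "A" else socket.AF_INET6
        try:
            return sorted({info[4][0] for info in socket.getaddrinfo(domain, None, family)})
        except socket.gaierror:
            return []
    if rtype == "MX":
        import dns.resolver  # pip install dnspython
        try:
            return [str(r.exchange).rstrip(".") for r in dns.resolver.resolve(domain, "MX")]
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
            return []
    raise ValueError(f"unsupported record type {rtype!r}")


def fake_resolver(records: dict[tuple[str, str], list[str]]) -> Resolver:
    """Offline resolver backed by a dict of (domain, record type) -> values."""
    def resolve(domain: str, rtype: str) -> list[str]:
        return list(records.get((domain, rtype), []))
    return resolve


# Constructed DNS data for the offline demonstration (not real records).
SAMPLE_RECORDS = {
    ("corp.example", "A"): ["203.0.113.10"],
    ("corp.example", "MX"): ["mx.corp.example"],
    ("ipv6only.example", "AAAA"): ["2001:db8::25"],
    ("ipv6only.example", "MX"): ["mx.ipv6only.example"],
    ("nomail.example", "A"): ["203.0.113.20"],          # resolves, but no MX
    ("tempmail.example", "A"): ["203.0.113.30"],
    ("tempmail.example", "MX"): ["mx.tempmail.example"],  # valid DNS, but disposable
}

# Assumed per-test responses, mirroring the article's four options.
SAMPLE_POLICY = {"resolves": LOG, "mx": INCREMENT, "disposable": BLOCK}

if __name__ == "__main__":
    resolver = fake_resolver(SAMPLE_RECORDS)
    for addr in ["alice@corp.example", "bob@ipv6only.example", "carol@nomail.example",
                 "dave@tempmail.example", "eve@ghost.example"]:
        action, failed = decide(assess_email(addr, resolver), SAMPLE_POLICY)
        print(f"{addr:24} -> {action:18} failed={failed}")
```

The `nomail.example` case shows why Test 2 is worth a separate response from Test 1: the domain is perfectly real, it just cannot receive mail. The `tempmail.example` case shows the opposite, a domain that passes both DNS tests and is caught only by the list. Swap `fake_resolver` for `system_resolver` to run the same logic against live DNS.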
We highly recommend choosing to log the incident, at the very least. This way you can keep an eye on how Shield is assessing the email addresses that turn up on your site. Once you’re confident of how it’s working for you, you can choose to increase the severity of your response.
It’s important to also understand when Shield tries to detect fake email addresses. We chose to hook into the point right before WordPress inserts the new user into the database. This should mean it’s compatible with the vast majority of plugins that handle user registrations, since most of them will use WordPress’ own user insert code.
But if a plugin doesn’t use WordPress’ own code to do this, then Shield’s processing will be skipped entirely.
How can you enable this feature?
This new feature can be found under the User Management module, within the User Registration section.
Simply select the areas you’d like Shield to check and how you’d like Shield to respond in the event a fake email is discovered, and save.
Does this replace other spam user prevention tools?
You may be tempted to think that you don’t need to use reCAPTCHA, or SPAM Bot checkboxes etc., but this is not the case.
This new feature should be used in addition to all your existing tools, particularly if you’re using Shield to provide them.
If a fake/spam user registers with a legitimate email address, such as one at @gmail.com or @outlook.com, then these tests will pass. It’s better to stop the SPAM user registration as early as possible.
Potential Improvements To This Feature
As always, this is the first iteration of this new feature and we believe there’s room to improve it.
We’d like to get to the stage where we can also test the existence of mailboxes, but this is quite a complex job and we’re not entirely confident we can automate it. But we’ll definitely investigate the option.
We are, of course, always open to suggestions for improvements and we’d love to hear your thoughts on the new feature as well as other areas you’d like to see similar features.