February 20, 2020 by Paul G. | Blog, Features, Shield Pro

How To Block WordPress SPAM User Registrations


SPAM user registrations are a major problem for many WordPress sites, particularly those running e-commerce services such as WooCommerce.

There are many moving parts to WordPress websites that allow for user registrations, and you’ll quickly realise you need a way to stop SPAM users!

While we can employ tools such as reCAPTCHA to filter out many of the bots and bad actors, they don't catch everything. So we wanted a way to filter out SPAM user registrations further, for the cases that slip past the first lines of defense.

The Problem With E-Commerce Checkouts and Bots

If you’ve setup an e-commerce site, you know that it isn’t a simple process. It’s complicated.

And perhaps one of the most complicated elements is the checkout page.

This is because you usually have the base e-commerce plugin, like WooCommerce, providing the core of the checkout, and then you have other plugins, themes, and what-nots all sticking their oars in.

It gets messy, very quickly.

Then you use Shield Security PRO to try and stop bots. And while it works most of the time, the more complicated a checkout page becomes, the more likely that things are going to break, somewhere along the way.

Shield is written to try and cover as many scenarios as possible, but it can’t literally cover them all.

So we need another tool in the defense against SPAM user registrations…

SPAM User Registration Blocking With Email Checking

This idea was given to us after a conversation on our Facebook group.

Somehow, spam users were still getting through the checkout page for a client, and he was looking for a way to stop them.

The new users, very often, were subscribed with “fake” email addresses. Not always, but often enough that we wanted to do something about it.

With Shield Pro 8.6 we released a brand new feature to detect, and even block, user registrations that contain fake email addresses.

How To Detect A Fake Email Address

An email address represents several different things at once. Here's an example:

support@shieldsecurity.io

This can be broken into 2 main parts:

  1. The mailbox/user (the part before the @): support
  2. The domain name (the part after the @): shieldsecurity.io

Detecting whether or not a mailbox exists is a bit more difficult than it might appear. Shield Security doesn’t attempt (at least not yet) to detect the existence of a mailbox. We focus solely on the domain name.

Shield performs 3 separate tests on the domain name:

Test 1: Domain name resolves to an IP address

This is one of the most basic tests you can make on a domain name. A domain will fail it for one of two reasons:

  1. The domain doesn't exist (i.e. it isn't registered anywhere).
  2. No A (or AAAA) record has been created for it, so it doesn't point to an IP.

Why would you have an email address for a domain that doesn't have an IP?

The truth is, this is quite possible. Email is routed by a domain's MX records, not by its A record, so a domain can run email without resolving to an IP itself. It's rare, but it happens, and it's worth bearing in mind before you block on this test alone.

Test 2: Domain name has MX records

MX records are the DNS entries that name the mail servers receiving email for a domain. A domain only needs MX records if it intends to receive email.

If a domain has no intention of receiving email, why would anyone have a mailbox on it? You wouldn't, unless you only intend to send email. One caveat: RFC 5321 allows a domain with no MX records to fall back to receiving mail at the host its A/AAAA record points to, so a small number of legitimate domains will fail this test. That is one more reason to log before you block.

Test 3: Is the domain known for "disposable" email addresses?

There are thousands of domains out there that supply temporary, disposable email addresses.

Some people use these to sign up for newsletters, or to register anonymously on websites. If you think there's no good reason for disposable email addresses to be used on your site, blocking them might be a good idea.

What Does Shield Do When A Fake Email Is Detected?

As always, this is entirely up to you. You can:

  • Ignore it
  • Log it (in the Audit Trail)
  • Increment the offense counter against that IP (but allow the registration to go ahead)
  • Prevent the user registration and immediately block the IP address

We highly recommend choosing to log the incident, at the very least. This way you can keep an eye on how Shield is assessing the email addresses that turn up on your site. Once you're confident it's working correctly for you, you can increase the severity of your response.

It’s important to also understand when Shield tries to detect fake email addresses. We chose to hook into the point right before WordPress inserts the new user into the database. This should mean it’s compatible with the vast majority of plugins that handle user registrations, since most of them will use WordPress’ own user insert code.

But if a plugin doesn’t use WordPress’ own code to do this, then Shield’s processing will be skipped entirely.
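To make the three domain tests and the hook point concrete, here is an added example of how such a check can be written as a small WordPress plugin. This is example code written for this post, not Shield's own implementation (the post does not show Shield's code, hook or option names, and none are assumed here). It assumes WordPress 4.9+ for the `wp_pre_insert_user_data` filter, PHP 7.1+, and a hypothetical option `fake_email_example_mode`; the disposable-domain list is a constructed three-entry sample standing in for a real list of thousands.

```php
<?php
/**
 * Plugin Name: Example Fake-Email-Domain Check
 * Description: Added example (not Shield's code): the three domain tests from the post,
 *              wired into the point just before WordPress inserts a new user.
 */

// Constructed sample list. Real disposable-domain lists run to thousands of entries;
// in practice you would load one from a file or an option and keep it updated.
const FAKE_EMAIL_EXAMPLE_DISPOSABLE_DOMAINS = [
    'mailinator.com',
    'guerrillamail.com',
    '10minutemail.com',
];

/**
 * Run the three domain tests on an email address.
 *
 * $resolve is a callable( string $domain, string $type ): bool with the same shape
 * as PHP's checkdnsrr(), so the logic can be exercised offline with a stub resolver.
 * Returns the names of the tests that failed; an empty array means all three passed.
 */
function fake_email_example_domain_tests( string $email, ?callable $resolve = null ): array {
    $resolve = $resolve ?? 'checkdnsrr';

    $at = strrpos( $email, '@' );
    if ( $at === false || $at === strlen( $email ) - 1 ) {
        return [ 'no_domain' ];            // nothing after the @ to test
    }
    // Lower-case and strip a trailing dot. An internationalised domain would also need
    // idn_to_ascii() (ext/intl) before the DNS lookup, which this example does not do.
    $domain = strtolower( rtrim( substr( $email, $at + 1 ), '.' ) );

    $failed = [];

    // Test 1: does the domain resolve to an IP (A or AAAA)? A domain can legitimately
    // have MX records but no address record of its own, so this is a soft signal.
    if ( ! $resolve( $domain, 'A' ) && ! $resolve( $domain, 'AAAA' ) ) {
        $failed[] = 'no_ip';
    }

    // Test 2: does the domain publish MX records? RFC 5321 still lets mail fall back
    // to the A/AAAA record when there is no MX, so this is not absolute either.
    if ( ! $resolve( $domain, 'MX' ) ) {
        $failed[] = 'no_mx';
    }

    // Test 3: is the domain, or a parent of it, on the disposable-address list?
    foreach ( FAKE_EMAIL_EXAMPLE_DISPOSABLE_DOMAINS as $bad ) {
        $suffix = '.' . $bad;
        if ( $domain === $bad
            || ( strlen( $domain ) > strlen( $suffix ) && substr( $domain, -strlen( $suffix ) ) === $suffix ) ) {
            $failed[] = 'disposable';
            break;
        }
    }

    return $failed;
}

/**
 * Decide what to do about a failed check. Shield lets the site owner choose between
 * ignore / log / offense / block; this example reads a hypothetical option with the
 * values 'ignore', 'log' or 'block' and defaults to logging, as the post recommends.
 */
function fake_email_example_response_mode(): string {
    $mode = get_option( 'fake_email_example_mode', 'log' );
    return in_array( $mode, [ 'ignore', 'log', 'block' ], true ) ? $mode : 'log';
}

if ( function_exists( 'add_filter' ) ) {
    // 'wp_pre_insert_user_data' (WordPress 4.9+) is the last filter wp_insert_user()
    // applies before writing the row, so it sees registrations from wp-login.php,
    // WooCommerce and any other plugin that goes through WordPress's own insert code.
    // A plugin that writes to the users table directly bypasses it, as the post notes.
    add_filter( 'wp_pre_insert_user_data', function ( $data, $update ) {
        if ( $update || empty( $data['user_email'] ) ) {
            return $data;                  // new users only, and only when we have an email
        }
        $failed = fake_email_example_domain_tests( $data['user_email'] );
        if ( $failed === [] ) {
            return $data;
        }
        $mode = fake_email_example_response_mode();
        if ( $mode !== 'ignore' ) {
            // Stand-in for an Audit Trail entry; Shield's own logging API is not assumed.
            error_log( sprintf( 'Fake-email check failed (%s) for %s from %s',
                implode( ',', $failed ), $data['user_email'], $_SERVER['REMOTE_ADDR'] ?? '?' ) );
        }
        if ( $mode === 'block' ) {
            // Returning an empty array makes wp_insert_user() return a WP_Error
            // ('empty_data') instead of creating the user.
            return [];
        }
        return $data;
    }, 10, 2 );
}
```

Two practical notes. The DNS lookups run synchronously inside the registration request, so a slow or unreachable resolver delays checkout; a production version would cache results per domain and bound the lookup time. And blocking from this filter gives the visitor WordPress's generic "Not enough data to create this user" message; a friendlier message needs the form-specific validation hooks, which is exactly the per-plugin coverage problem the post describes.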

How can you enable this feature?

This new feature can be found under the User Management module, within the User Registration section.

Simply select the areas you’d like Shield to check and how you’d like Shield to respond in the event a fake email is discovered, and save.

Does this replace other spam user prevention tools?

You may be tempted to think you no longer need reCAPTCHA, the SPAM-bot checkbox, and so on, but that is not the case.

This new feature should be used in addition to all your existing tools, particularly if Shield is already providing them.

If a spam user registers with an address on a legitimate domain, such as @gmail.com or @outlook.com, all three tests pass. It's better to stop the SPAM registration as early as possible, before the email check is ever needed.

Potential Improvements To This Feature

As always, this is the first iteration of this new feature and we believe there's room to improve it.

We’d like to get to the stage where we can also test the existence of mailboxes, but this is quite a complex job and we’re not entirely confident we can automate it. But we’ll definitely investigate the option.

We are, of course, always open to suggestions for improvements and we’d love to hear your thoughts on the new feature as well as other areas you’d like to see similar features.


Comments (6)

    Sir, I want to purchase the premium version of the plugin for my site, but does the plugin work on wordpress PHP 7.3?

      Hi, yes, absolutely, this plugin currently supports all PHP versions from 5.4 and above.


    Is @gmail.com considered a disposable email?

    Can I somehow block registrations from a particular domain?

      +1! We have a handful of clearly spammy domains that seem to keep getting through with pro. Would be fine for us to ban the domain entirely. Is there a way to do this currently with the plugin?

        Hi Adam,

        We are sorry but we don’t have such an option at the moment.
        But, thanks so much for your suggestion. It’s been noted and we’ll see what we can do about it.
