10 Simple Tricks to Eliminate Spam User Registration

Are you getting hit with notifications of spammy accounts being created on your WordPress website? Take action now to stop spam in its tracks. In this article, we’ll show you 10 simple tricks to eliminate spam user registration.

Stop Spam Registrations in WordPress

Did you know that malicious computer programs called “spambots” search the internet looking for vulnerable websites? One method they have of forcing themselves into your site is by creating spammy user accounts.

By default, WordPress websites allow for user registrations from a specific link: yoursite.com/wp-login.php?action=register.

These spambots are programmed to go looking for that link to register fake users.

To protect your site and stop spammer registrations in WordPress, you can use the simple tricks below.

Note: You don’t need to do ALL of the methods listed here. Instead, just pick the ones that work for you and your site.

1. Set the Default User Role in WordPress

The first way you can protect your website is to change the default settings for new account registrations.

To do that, you can go to Settings » General.  Here you can uncheck the Membership box to make sure that no one can register on your site.

What if you want to allow real visitors to register, though? For example, you might want to require new readers to register for an account before they comment on your blog posts.

In that case, we recommend using the Subscriber role as the default role for new members. It’s more secure than other roles because it doesn’t allow access to the WordPress Admin Dashboard.

To set that up, you’ll need to enable the Anyone can register checkbox and set the default role to subscriber.

For more detailed info on your different options here, you can check out our guide on WordPress user roles and permissions.

2. User Registration Form

If you’re going to allow users to register on your site, it’s smart to create a custom user registration form.

You can use the WPForms User Registration Addon to create a more secure form than the default WordPress user registration form, thanks to WPForms’ built-in form security features.

The first thing you need to do is install and activate the WPForms plugin. Here’s a step by step guide on how to install a WordPress plugin.

Once you have installed WPForms, go to WPForms » Addons and find the User Registration Addon. To access this addon, you must have the Pro license plan.

Next, see our tutorial on How to Create a User Registration Form in WordPress to create a form.

3. Email Activation for User Registration

User Email Activation is an optional security measure is available within the WPForms User Registration addon.

When you require a user to click a confirmation link in their email, spambots are less likely to get through this security step.

Let’s go turn that on now.

Go to Settings »  User Registration.  On the right-hand preview panel, scroll down to the User Activation Method and select User Email.

That’s it! Don’t forget to save your changes.

4. Administrator Approval for New Users

If you’d like an even more secure method of user registration, you can opt for Manual Approval.

This approval method will require you to review each user registration request before the new user can join your website.  You’ll receive an email notice for each request, and the option to approve or deny the new member.

To activate this method, go to Settings »  User Registration. On the right-hand preview panel, scroll down to the User Activation Method and select Manual Approval.


Another way to stop spam user registrations is to use a CAPTCHA field.

CAPTCHA is a test question that the user must answer in order to submit the form. Sometimes this can be blurry text from an image that they must reenter, a checkbox, or a simple question.

We have created our CAPTCHA field to prompt users for a simple math problem, or to use custom questions.

To set this up on your forms, first you need to activate the Custom CAPTCHA addon. Then a new Fancy Field called “CAPTCHA” will be added to the Form Builder. Simply drag & drop this field in your form.


By default, it will show random math questions. However, when you click to edit the CAPTCHA form field it will allow you to choose between the math option or the Question and Answer option. If you select Question and Answer, you can enter your own custom question.

Once you’re done configuring the CAPTCHA field, simply save your form. Now users must answer your CAPTCHA question correctly in order for the form to submit.


CAPTCHA is an effective way to block spambots, but it can also be annoying for your real users.

Instead of using the custom CAPTCHA option we just mentioned, you can use the reCAPTCHA tool Google created.

The advantage of using reCAPTCHA is that users only need to click a checkbox, instead of having to solve math problems or answer questions. This can improve your form conversions by giving your users less work to do.

To activate reCAPTCHA on your form, you can go to WPForms » Addons and find the reCAPTCHA Addon.

Then edit your form and go to Settings » General. Take a look on the right-hand preview panel near the bottom of the screen and check Enable reCAPTCHA.

7. Honeypot Anti-Spam

Would you rather avoid giving users a CAPTCHA field entirely? In that case, you can use the Honeypot option.

Honeypots are great because they don’t bother users like a CAPTCHA. In fact, they’re completely invisible to your real users.

Basically, a honeypot is a hidden field in your form that’s meant to stay blank. But spambots will see it, and automatically fill it out.

When the honeypot field is filled in, we can reject the form as spam.

WPForms has an anti-spam honeypot feature built in, and it’s enabled on your forms by default. You can find the option under Settings » General when editing your form.

At the bottom of the the right-hand preview panel, you’ll see that Enable anti-spam honeypot is selected by default.

8. Stop Spammer Registrations

Another step you can take to stop spammer registrations is to use the Stop Spammers Spam Prevention WordPress plugin.

The plugin uses a number of spam prevention techniques, including checking Akismet for known spamming activity to proactively block spammers. The plugin also maintains a list of bad hosts known for tolerating spam activity and blocks them.

Once you’ve activated the plugin, you can go to Stop Spammers » Protection options.

The default settings on this page will work for most websites. However, you can uncheck a few of them if you find that your legitimate users are unable to login.

There is a small chance that this plugin could lock you out of your site’s admin area. If this happens, the simplest solution is to connect to your site through FTP and rename the plugin file from stop-spammer-registrations.php to stop-spammer-registrations.locked.

WordPress will automatically deactivate the plugin for you, and you can now access the admin area of your site.

9. IP Address Blocking

Did you know that each computer on the internet can be identified with a unique number known an IP Address?  When you discover which IP Address is sending spam to your site, you can block that address from accessing your site entirely.

To track the IP Addresses that are using your form, go to Settings » Notificationswithin the form editor.

Next to the Message field, click Show Smart Tags and click on User IP Address.

When you receive your next email notification, you’ll see what the user’s IP Address is.

Want to block that IP address from accessing your site?

One way to do this is to go to your web hosting company and ask for support in blocking them. Another way to block an address is to use a security plugin such as Sucuri to blacklist the IP Address.

10. Sucuri

Sucuri is a website security company that specializes in WordPress security. They protect your website from hackers, malware, DDoS and blacklists.

When you enable Sucuri, all your site traffic goes through their CloudProxy firewall before coming to your hosting server. This allows them to block all the attacks and only send you legitimate visitors.

On top of the increased security, the firewall also makes your website faster, and you may even be able to save money on your hosting bill because your server load will go down significantly.

Learn more about Sucuri’s benefits in our review: How Sucuri Helped Us Block 450,000 WordPress Attacks in 3 Months.

Good work! You now know how to stop spam registrations in WordPress.

Do you want some great tips on how to discover more information about your customers? You might also want to check out our guide on clever web form hacks to unlock hidden customer data.

What are you waiting for? Get started with the most powerful WordPress forms plugin today.

If you like this article, then please follow us on Facebook and Twitter for more free WordPress tutorials.

How to show ip for postfix smtp

The current connection over 25 port command:

watch ‘netstat -na | grep :25’

with this command, you can see the external ip that user the server to send emails.

while true
        lsof-i | grep smtp
        sleep 10
with this command you can find the username of the spammer software

How to unban ip with Failban

fail2ban-client set postfix unbanip

how to show jail list :
fail2ban-client status

how to view the status of a jail:
fail2ban-client status roundcube
show all the ipa for all jails
fail2ban-client status | grep “Jail list:” | sed “s/ //g” | awk ‘{split($2,a,”,”);for(i in a) system(“fail2ban-client status ” a[i])}’ | grep “Status\|IP list”
Esfor jail in $(fail2ban-client status | grep ‘Jail list:’ | sed ‘s/.*Jail list://’ | sed ‘s/,//g’); do fail2ban-client set $jail unbanip; done

List of banned or recidive ip

iptables -L -n

How to remove from Postfix queue only one mail address

execute this command :

vim postfix-delete.pl 

insert this code:


$REGEXP = shift || die “no email-adress given (regexp-style, e.g. bl.*\@yahoo.com)!”;

@data = qx</usr/sbin/postqueue -p>;

for (@data) {

  if (/^(\w+)(\*|\!)?\s/) {

     $queue_id = $1;


  if($queue_id) {

    if (/$REGEXP/i) {

      $Q{$queue_id} = 1;

      $queue_id = “”;




#open(POSTSUPER,”|cat”) || die “couldn’t open postsuper” ;

open(POSTSUPER,“|postsuper -d -“) || die “couldn’t open postsuper” ;

foreach (keys %Q) {

   print POSTSUPER $_\n;



execute this command:

chmod 755 postfix-delete.pl

run in this way:

./postfix-delete.pl  [email protected]