Age of Article Warning:
This article was originally published 45 months ago. The tips and techniques explained may be outdated, or the information may no longer be applicable. Please consider this when viewing the below content.

An annoying aspect of allowing free registration on your blog or WordPress website is the number of “fake” or “spam” registrations.

There are various ways to try to reduce the number of these unwanted registered users, and there are different security plugins that can be used to combat this. Sometimes, depending on the severity of your situation, you may need to apply a combination of more than one tactic.

For other posts that talk about security techniques for WordPress, be sure to view the related links at the end of this post.

Here are 4 top ways to block spam registrations on WordPress:

1. Block spam registrations by email address
2. Block spam registrations by IP
3. Block spam registrations by using a User Registrations plugin
4. Block spam registrations by using Cloudflare

1. Block spam registrations by email address

Technique 1.
The quickest and simplest way, without having to delve into the code in WordPress, is to use a combination of a plugin and your Discussion Settings Comment Blacklist.

Install the Ban Hammer plugin and activate it. Now go to Settings > Discussion and scroll down to your Comment Blacklist. Now simply add all the email domains that you want to block.

For example, if you are getting a lot of spam registrations such as go5yq88@12345.com, uyu797@12345.com and bob@fakemail.com, then simply add 12345.com on one line, then fakemail.com on the next line.

Now the next time someone goes to sign up to your website and tries to use those email domains, they get an error message saying “ERROR: Your email has been banned from registration.”

Technique 2.
If you would prefer to keep your comment blacklist separate from your registration blocklist, then you can add an email check to your child theme’s functions.php file, and add an extra email validation check to your wp-login.php file.

The below code snippets are an adaptation of the idea of blocking disposable email addresses, based on an article by Mohammad at ArticleVoid.

Add the following function to your functions.php file to list the blocked emails and to detect when one is used in the Registration page.

function dtwd_blocked_emails($user_email) {
	$dtwd_blocked_list = array(
	"0815.ru0clickemail.com", "0wnd.net", "0wnd.org", "10minutemail.com", "20minutemail.com", "2prong.com", "3d-painting.com", "4warding.com", "4warding.net", "4warding.org", "9ox.net", "a-bc.net", "amilegit.com", "anonbox.net", "anonymbox.com", "antichef.com", "antichef.net", "antispam.de", "baxomale.ht.cx", "beefmilk.com", "binkmail.com", "bio-muesli.net", "bobmail.info", "bodhi.lawlita.com", "bofthew.com", "brefmail.com", "bsnow.net", "bugmenot.com", "bumpymail.com", "casualdx.com", "chogmail.com", "cool.fr.nf", "correo.blogos.net", "cosmorph.com", "courriel.fr.nf", "courrieltemporaire.com", "curryworld.de", "cust.in", "dacoolest.com", "dandikmail.com", "deadaddress.com", "despam.it", "devnullmail.com", "dfgh.net", "digitalsanctuary.com", "discardmail.com", "discardmail.de", "disposableaddress.com", "disposemail.com", "dispostable.com", "dm.w3internet.co.uk example.com", "dodgeit.com", "dodgit.com", "dodgit.org", "dontreg.com", "dontsendmespam.de", "dump-email.info", "dumpyemail.com", "e4ward.com", "email60.com", "emailias.com", "emailinfive.com", "emailmiser.com", "emailtemporario.com.br", "emailwarden.com", "ephemail.net", "example.com", "explodemail.com", "fakeinbox.com", "fakeinformation.com", "fastacura.com", "filzmail.com", "fizmail.com", "frapmail.com", "garliclife.com", "get1mail.com", "getonemail.com", "getonemail.net", "girlsundertheinfluence.com", "gishpuppy.com", "great-host.in", "gsrv.co.uk", "guerillamail.biz", "guerillamail.com", "guerillamail.net", "guerillamail.org", "guerrillamail.com", "guerrillamailblock.com", "haltospam.com", "hotpop.com", "ieatspam.eu", "ieatspam.info", "ihateyoualot.info", "imails.info", "inboxclean.com", "inboxclean.org", "incognitomail.com", "incognitomail.net", "ipoo.org", "irish2me.com", "jetable.com", "jetable.fr.nf", "jetable.net", "jetable.org", "junk1e.com", "kaspop.com", "kulturbetrieb.info", "kurzepost.de", "lifebyfood.com", "link2mail.net", "litedrop.com", "lookugly.com", "lopl.co.cc", "lr78.com", "maboard.com", 
"mail.by", "mail.mezimages.net", "mail4trash.com", "mailbidon.com", "mailcatch.com", "maileater.com", "mailexpire.com", "mailin8r.com", "mailinator.com", "mailinator.net", "mailinator2.com", "mailincubator.com", "mailme.lv", "mailnator.com", "mailnull.com", "mailzilla.org", "mbx.cc", "mega.zik.dj", "meltmail.com", "mierdamail.com", "mintemail.com", "moncourrier.fr.nf", "monemail.fr.nf", "monmail.fr.nf", "mt2009.com", "mx0.wwwnew.eu", "mycleaninbox.net", "mytrashmail.com", "neverbox.com", "nobulk.com", "noclickemail.com", "nogmailspam.info", "nomail.xl.cx", "nomail2me.com", "no-spam.ws", "nospam.ze.tc", "nospam4.us", "nospamfor.us", "nowmymail.com", "objectmail.com", "obobbo.com", "onewaymail.com", "ordinaryamerican.net", "owlpic.com", "pookmail.com", "proxymail.eu", "punkass.com", "putthisinyourspamdatabase.com", "quickinbox.com", "rcpt.at", "recode.me", "recursor.net", "regbypass.comsafe-mail.net", "safetymail.info", "sandelf.de", "saynotospams.com", "selfdestructingmail.com", "sendspamhere.com", "shiftmail.com", "****mail.me", "skeefmail.com", "slopsbox.com", "smellfear.com", "snakemail.com", "sneakemail.com", "sofort-mail.de", "sogetthis.com", "soodonims.com", "spam.la", "spamavert.com", "spambob.net", "spambob.org", "spambog.com", "spambog.de", "spambog.ru", "spambox.info", "spambox.us", "spamcannon.com", "spamcannon.net", "spamcero.com", "spamcorptastic.com", "spamcowboy.com", "spamcowboy.net", "spamcowboy.org", "spamday.com", "spamex.com", "spamfree24.com", "spamfree24.de", "spamfree24.eu", "spamfree24.info", "spamfree24.net", "spamfree24.org", "spamgourmet.com", "spamgourmet.net", "spamgourmet.org", "spamherelots.com", "spamhereplease.com", "spamhole.com", "spamify.com", "spaminator.de", "spamkill.info", "spaml.com", "spaml.de", "spammotel.com", "spamobox.com", "spamspot.com", "spamthis.co.uk", "spamthisplease.com", "speed.1s.fr", "suremail.info", "tempalias.com", "tempemail.biz", "tempemail.com", "tempe-mail.com", "tempemail.net", "tempinbox.co.uk", 
"tempinbox.com", "tempomail.fr", "temporaryemail.net", "temporaryinbox.com", "thankyou2010.com", "thisisnotmyrealemail.com", "throwawayemailaddress.com", "tilien.com", "tmailinator.com", "tradermail.info", "trash2009.com", "trash-amil.com", "trashmail.at", "trash-mail.at", "trashmail.com", "trash-mail.com", "trash-mail.de", "trashmail.me", "trashmail.net", "trashymail.com", "trashymail.net", "tyldd.com", "uggsrock.com", "wegwerfmail.de", "wegwerfmail.net", "wegwerfmail.org", "wh4f.org", "whyspam.me", "willselfdestruct.com", "winemaven.info", "wronghead.com", "wuzupmail.net", "xoxy.net", "yogamaven.com", "yopmail.com", "yopmail.fr", "yopmail.net", "yuurok.com", "zippymail.info", "jnxjn.com", "trashmailer.com", "klzlk.com", );
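	// Take everything after the last "@" and lowercase it, so "User@MAILINATOR.COM" still matches
	$at_pos = strrpos($user_email, '@');
	if ($at_pos === false) {
		// No domain part at all; leave that error to is_email()
		return 0;
	}
	$user_email_domain = strtolower(trim(substr($user_email, $at_pos + 1)));
	if (in_array($user_email_domain, $dtwd_blocked_list, true)) {
		// Return 1, for detection
		return 1;
	}
	// Return 0 for no detection
	return 0;
}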

Note that if the email domain that is causing you grief doesn’t appear in this list, simply add it.

After this you need to modify your wp-login.php file. First locate the following block (look around line 321), where it says:

 // Check the e-mail address
	if ( $user_email == '' ) {
		$errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please type your e-mail address.' ) );
	} elseif ( ! is_email( $user_email ) ) {
		$errors->add( 'invalid_email', __( '<strong>ERROR</strong>: The email address isn’t correct.' ) );
		$user_email = '';
	} elseif ( email_exists( $user_email ) ) {
		$errors->add( 'email_exists', __( '<strong>ERROR</strong>: This email is already registered, please choose another one.' ) );
	}

and add the following immediately after this code:

 elseif ( dtwd_blocked_emails( $user_email ) == 1) {
		$errors->add( 'blocked_email', __( '<strong>ERROR</strong>: This email is not allowed.' ) );
    }

Now WordPress will check your user registration emails against your blocked emails.
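
A change made directly in wp-login.php is overwritten whenever WordPress updates its core files. The same check can be attached from functions.php through WordPress's `registration_errors` filter, as in this added example (not code from the original post or from ArticleVoid). The function names and the three-domain list are assumptions for illustration, and it goes one step beyond the snippet above by ignoring letter case and also matching subdomains of a blocked domain.

```php
// Added example for a child theme's functions.php. All dtwd_example_* names are hypothetical.

// Constructed sample list; in practice reuse the entries from $dtwd_blocked_list.
function dtwd_example_blocked_domains() {
	return array( '12345.com', 'fakemail.com', 'mailinator.com' );
}

// Returns true when the address's domain, or any parent domain of it, is on the list.
function dtwd_example_domain_is_blocked( $user_email ) {
	$at_pos = strrpos( $user_email, '@' );
	if ( false === $at_pos ) {
		return false; // No domain part; is_email() already reports that error.
	}
	$domain  = strtolower( trim( substr( $user_email, $at_pos + 1 ) ) );
	$blocked = dtwd_example_blocked_domains();

	// Walk up the labels: a.b.mailinator.com -> b.mailinator.com -> mailinator.com
	while ( false !== strpos( $domain, '.' ) ) {
		if ( in_array( $domain, $blocked, true ) ) {
			return true;
		}
		$domain = substr( $domain, strpos( $domain, '.' ) + 1 );
	}
	return false;
}

// The filter passes the WP_Error object collected by the core checks; add to it and return it.
function dtwd_example_check_registration( $errors, $sanitized_user_login, $user_email ) {
	if ( dtwd_example_domain_is_blocked( $user_email ) ) {
		$errors->add( 'blocked_email', __( '<strong>ERROR</strong>: This email is not allowed.' ) );
	}
	return $errors;
}

// The guard only matters when the file is loaded outside WordPress to test the helper.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'registration_errors', 'dtwd_example_check_registration', 10, 3 );
}
```

With the filter in place, bob@fakemail.com, BOB@FAKEMAIL.COM and bob@mx.fakemail.com are all rejected, while an address at a domain that is not listed registers normally.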

2. Block spam registrations by IP

If you know that all your spam registrations are coming from a particular IP, then you can simply add some quick and easy code to your .htaccess file:

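# Apache 2.2-style access control (handled by mod_access_compat on Apache 2.4)
Order allow,deny
# A single address
Deny from 123.123.123.123
# Partial addresses match every IP that starts with these octets; "*" wildcards are not matched as IPs
Deny from 156.156.156
Deny from 111.111
Allow from all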

This blocks actions on your website such as commenting and registering, for anyone with the IP 123.123.123.123, any IP that starts with 156.156.156. and any IP that starts with 111.111.

Just be aware that this can also end up blocking out innocent users, so use with caution.

3. Block spam registrations by using a User Registrations plugin

There are a few user registration plugins available. I’ve tried SABRE before, and have had mixed success with it, as I have found that it can quite quickly block new registrations that are genuine. Also, the developer doesn’t seem to be responding at the moment to support questions.

Another plugin that appears to be effective is Stop Spammer Registrations, as it is rated well. Be sure to read this article by WPBeginner which details this plugin and has some cautionary advice.

Recently I also came across this one: WangGuard, which also seems highly rated.

I haven’t had the chance to test the last 2 plugins at all, so cannot advise either way as to their ease of use or effectiveness in reducing spam registrations. I prefer to use fewer plugins when I can; however, you may find that you need to try one of these options.

If you have used these or any other registration plugins with great success, please share in the comments for our readers.

4. Block spam registrations by using Cloudflare

I am a fan of Cloudflare, both for speed boosts in website performance, and also for added security. It’s a service that works like a CDN and it stands between your website viewers, including good visitors, crawlers, bots and malicious attackers, and your actual server files.

According to Cloudflare they use “threat data from a variety of sources to build a reputation for every visitor online. You set the desired security setting for your site and then CloudFlare’s network stops the threats before it reaches your website. Reputation-based security provides a first line of defense for your website.”

For more detailed information about the Cloudflare service see their security page.

Like any online service, however, they are not without their faults, so be sure to research your options well before deciding on using Cloudflare or any other CDN.

If you have used these ideas, or have other ideas, please comment below. And here is some more related reading:

Block spam registrations on WordPress was last modified: September 6th, 2016 by David Tiong