Join Our Newsletter!

Keep up to date with our latest blog posts, new widgets and features, and the Common Ninja Developer Platform.

WordPress Spam Protection: 8 Guaranteed Hacks To Prevent Registration Spam on Your WordPress Site

Common Ninja,

Summary (TL;DR): In this article, we explain what WordPress registration and WordPress registration spam are and provide you with eight methods to prevent registration spam, including assigning roles to new users, requiring admin approval, email activation, ReCaptchas, and more!

WordPress Spam Protection: 8 Guaranteed Hacks To Prevent Registration Spam on Your WordPress Site

WordPress is one of the most popular content management systems on the market today. It’s a commonly used platform for businesses looking to build their websites without lots of external assistance. 

A cost-effective website removes a major barrier to entry into the world of business. WordPress is also embraced as a blogging platform and content management system, providing a robust back-end for content creation, publication, and local presence.

It’s economical while still providing an excellent set of resources for business owners and website builders, which is perhaps why WordPress is used so widely. But this popularity arguably comes at a cost. 

WordPress’ widespread usage makes it a prime target for spammers. One type of spam that’s particularly prevalent among business websites is something known as “WordPress registration spam”. 

What is WordPress Registration?

WordPress registration is simple and straightforward to understand. Essentially, businesses enable the user to create an account on their site so they can access additional perks, save products, and return to earlier browsing at a later date. 

There are definite benefits to letting users register with your WordPress site. Having them create a site account empowers you to deliver a more tailored experience. It’s also useful for allowing repeat customers to check out more easily on subsequent visits and for the saving and sharing of items. 

What Is WordPress Registration Spam?

The popularity of WordPress and the ease of its registration process make it a common target for spammers. There are no immediate, built-in steps to prevent this once you’ve enabled public registration. 

There are a number of reasons why spammers may target your site, but the most common include stealing customer or business data and slowing down its performance. They may also seek to insert ‘junk links’ into your web pages. These masquerade as normal links but redirect users to sites that might be selling counterfeit or illegal goods or services. 

Spammers will use special software to read particular parts of your website. However, to do this, they need a ‘door’ into your site. Registering an account with you is one way to gain entry. 

Having a large number of spam accounts on your WordPress site can disrupt your business procedures and make your database slower. It’s also more difficult to target your real customers and understand their behaviors if too many of your accounts are spam or bots. 

Eight Tips For WordPress Spam Protection

Luckily, there are ways to guard against this. These tips will help with WordPress spam protection and prevent false registrations from clogging up your database and leaving harmful or irrelevant comments on your content. You can adapt this advice as needed to fit your company’s needs and resources. 

These are the eight spam-busting tips we’ll cover: 

  1. Assigning roles to new users
  2. Requiring admin approval
  3. Email activation
  4. reCaptchas
  5. Using a spam plugin
  6. Removing spam IP addresses
  7. Changing your registration URL
  8. Disabling user registration

Let’s begin. 

1. Assigning Roles to New Users

This is a good way to allow users to register but prevent them from interacting with your site. While it won’t necessarily deter spammers from signing up, it is helpful to stop them from posting harmful comments or junk links. 

The best way to do this is to assign new users a subscriber role. Here is how to do this:

  • Open your dashboard and head to Settings > General
  • Scroll to the New User Default Role setting and select Subscriber from the drop-down menu
  • Don’t forget to Save Changes

After doing this, only editors or admins will be able to approve any new site interactions. 

2. Requiring Admin Approval for New Users

You can stop spam user registration by requiring manual admin approval for all new sign-ups. This isn’t a catch-all solution, but it is highly effective. Spammers that use automated software to register for your site tend to either have errors in their personal information or some of it missing. 

image source:

You can even set up a plugin that automatically approves existing users for each new interaction they have with your site while still requiring the manual approval of new users. 

3. Email Activation for New Registrations

A lot of spammers rely on fake email addresses to create a site account. Email verification sends a link to the email address provided. Clicking on this verifies that the email account exists and belongs to the assigned user.  

Requiring email verification of new accounts adds an extra layer of security. If the email account is fake, there can be no email verification. You can use a plugin to help with this, but you will need a premium WordPress account.

This can be useful for businesses that need to build long-term relationships with their customers, making email registration a necessity. For example, if your business offers hosted cheap VoIP services to companies, you’ll probably have pre, post, and during sales interactions with them. 

Verifying email addresses allows users to get the benefits of site registration without the downsides falling on your business. 

4. reCaptchas 

A built-in reCaptcha is another way to introduce an additional layer of security to your website registration page. The purpose of a reCaptcha is to differentiate between genuine accounts and bot accounts to reduce spam registrations. 

Google’s NoCaptcha is an effective and popular choice. To install and activate this:

  • Install the Advanced noCaptcha plugin 
  • Generate a free reCaptcha API key in ​​Google Search AMP
  • Go to the Google reCaptcha admin page and fill in the information
  • Enter the key into your plugin’s settings page and save

You can then collect analytics to see how many spam requests your site has received that have been blocked by your reCaptcha plugin. 

5. Using a Spam Plugin

Using a WordPress security plugin is a great way to detect and block spam accounts automatically. These may set up a firewall or install other preventative measures to stop bot logins. 

Security plugins work by tracking potentially spam-related IP addresses and checking them against their database. 

You can request regular security reports from your plugin that show you how many spam login attempts your site received and whether they came in clusters. This can help identify potential security issues that your automated security measures missed. 

There are a huge number of free and premium WordPress plugins that you can add to Elementor, including many security-focused options.

image source:

You’ll need to test your site to make sure any new plugins haven’t affected functionality as these can negatively impact admin access and site speed. 

6. Removing Spam IP Addresses

If you receive a large number of registration requests from one IP address, it’s a good idea to block this address to prevent further spam registrations.

You can do this manually using the following steps:

  • Open your dashboard and head to Settings > Discussion
  • Scroll down to Disallow Comment Keys section
  • Paste the IP addresses you want to block from interacting with your site 
  • Save your changes

This should help to block large volumes of spam registration requests.

7. Changing Your Registration URL

Each new WordPress site has the same generic registration URL. Many spam bots search the web for these as they’re an easier target than customized URLs. Unfortunately, a lot of businesses never get around to changing theirs, which is why spammers commonly search for them. 

You can change your URL using a simple plugin. There are lots to choose from in WordPress’ plugin library. 

After installing and activating the plugin, you’ll need to follow these steps:

  • Open your dashboard and head to Settings > General
  • Scroll down to the WPS Hide Login section
  • You will then be prompted to input a Login URL and Redirect URL
  • Login URL: enter the new login URL
  • Redirect URL: try entering an error code into this field that spam users will be redirected to

You might want to change your registration to a unique URL if you’ve registered a new domain name. For example, small business VoIP service providers are increasingly choosing to register ae domain names. An international domain can be incredibly useful for new businesses but may come with some security challenges of its own. 

Customizing registration URLs for each site you administer helps protect against spammers. 

8. Disabling WordPress Registration

This is, of course, the most effective way to stop spammers from registering bot accounts with your site. In some cases, when registration isn’t necessary for your business, it can be an ideal first step. 

image source:

In instances where you require site registration, however – for example, with e-commerce sites – you might need to plan around this. 

To disable WordPress registration, log in to your dashboard and: 

  • Go to Settings > General
  • In General Settings, scroll to the Memberships tab and disable Anyone Can Register by unticking the box

Anyone attempting to register for your site will see the message ‘user registration is not currently allowed’.


Protecting your WordPress site against spam registrations is a good way to begin securing it. To keep your business site safe, look into developing a holistic security strategy to avoid attacks from spammers in the future. 

Continue to update your registration security regularly to keep your site in working order and free of spam.