Elegant Themes Blog

How to Defeat WordPress Spam Users: Identify, Delete, and Prevent Future Registrations

Posted on November 22, 2016 by in Tips & Tricks | 11 comments

Back when WordPress was just for blogs, spam users weren’t really a problem site owners had to combat. But as WordPress has expanded into membership, multi-user, BuddyPress, and all kinds of other sites with open registration, WordPress spam users have become an all-too-common problem for many site owners.

Spammers target WordPress registration forms to create bot accounts that spam links and/or try to inject malicious scripts. But guess what? With a little know-how, you can fight back against these nasty folks and rid your site of spam users once and for all.

In this post, I’ll take you through how to identify and delete existing spam users. Then, I’ll show you how to proactively prevent WordPress spam users once and for all.

Why WordPress Spam Users are a Problem

Spam users can hurt your site both internally and externally, which is why they’re such a nuisance.

On the internal side, spam users bloat up your database and just generally make it harder to manage your site. If you have to sift through hundreds of spam users to manage the real users, you’re going to waste a lot of time. Similarly, if your server has to store heaps of spam users in the database, it’s going to work less efficiently, too.

Spam users can hit you on the external side by posting spammy outbound links, which can hurt your site in the eyes of Google. If you’re running something like BuddyPress, spam users might even send private messages to legitimate users, which your real users certainly won’t appreciate.

So, end the spam user problem once and for all by learning how to identify, delete, and prevent WordPress spam users.

How to Identify and Delete Existing WordPress Spam Users

Once you implement prevention methods, you hopefully won’t need to do this very often. But if you’re just starting out, you’ll first need to identify (and then delete) any existing spam users.

If your spam problem isn’t too large, you might be able to do this manually by bulk deleting users who exhibit spam behavior. If you’ve got a real infestation, you’ll want to turn to a plugin that can automatically go through and detect spam users.

How to Bulk Delete WordPress Spam Users Manually

The simplest way to delete spam users is to just go through your Users tab and check the users you want to delete. Then, you can bulk delete them by choosing the Delete option from the Bulk Actions dropdown.

Of course, doing this with the default WordPress screen options is infuriating because it only shows 20 users per page. Thankfully, you can change this number by clicking on Screen Options in the top right corner of your WordPress dashboard.

Then, change the Number of items per page box to the number of user accounts you want to display on each page.

If clicking a couple hundred checkboxes doesn’t appeal to you, you can also automate some of this process by using a plugin called Bulk Delete.

Bulk Delete allows you to bulk delete users that meet criteria like:

  • Specific User Roles
  • Specific Meta fields
  • Last login date
  • Registration date

If spam users are thoroughly mixed in with real users, these criteria may not be especially helpful. But Bulk Delete is great for cleaning up a one-time attack where the spam accounts all registered on similar dates or eliminating old spam users who logged in once but haven’t been back since.
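Before bulk deleting by registration date, it helps to find the date window a one-time attack actually occupies. The following is an added example, not code from the article or from the Bulk Delete plugin; the sample rows are constructed in the shape of `wp_users` columns, and the function name and thresholds are assumptions.

```php
<?php
// Constructed sample rows shaped like wp_users columns (not real accounts).
$example_users = array(
    array( 'ID' => 11, 'user_login' => 'alice',  'user_registered' => '2016-10-02 09:14:00' ),
    array( 'ID' => 12, 'user_login' => 'xk3f9',  'user_registered' => '2016-11-03 02:10:05' ),
    array( 'ID' => 13, 'user_login' => 'qq81zz', 'user_registered' => '2016-11-03 02:10:41' ),
    array( 'ID' => 14, 'user_login' => 'mm02pl', 'user_registered' => '2016-11-03 02:11:17' ),
    array( 'ID' => 15, 'user_login' => 'vb77ke', 'user_registered' => '2016-11-03 02:12:30' ),
    array( 'ID' => 16, 'user_login' => 'bob',    'user_registered' => '2016-11-09 18:40:00' ),
);

/**
 * Group accounts into bursts: runs in which each sign-up follows the previous
 * one within $max_gap seconds. Only runs of at least $min_size are returned.
 * Both thresholds are assumptions to tune per site.
 */
function example_registration_bursts( array $users, $max_gap = 120, $min_size = 3 ) {
    // user_registered is stored as UTC 'Y-m-d H:i:s', which sorts correctly as text.
    usort( $users, function ( $a, $b ) {
        return strcmp( $a['user_registered'], $b['user_registered'] );
    } );

    $bursts = array();
    $run    = array();
    $prev   = null;
    foreach ( $users as $user ) {
        $ts = strtotime( $user['user_registered'] . ' UTC' );
        // A gap larger than $max_gap closes the current run.
        if ( null !== $prev && ( $ts - $prev ) > $max_gap ) {
            if ( count( $run ) >= $min_size ) {
                $bursts[] = $run;
            }
            $run = array();
        }
        $run[] = $user;
        $prev  = $ts;
    }
    if ( count( $run ) >= $min_size ) {
        $bursts[] = $run;
    }
    return $bursts;
}

// Report only; nothing is deleted. Review each window before acting on it.
foreach ( example_registration_bursts( $example_users ) as $burst ) {
    $last = end( $burst );
    printf( "%d sign-ups between %s and %s: IDs %s\n", count( $burst ),
        $burst[0]['user_registered'], $last['user_registered'],
        implode( ', ', array_column( $burst, 'ID' ) ) );
}
```

A burst is only a candidate window: a legitimate promotion or import can produce the same pattern, so check the listed accounts before deleting anything in that range.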

Identifying and Deleting Spam Users with a Plugin

If you have too many users to identify manually, you can turn to a plugin called SplogHunter (formerly known by the somewhat awkward name “WangGuard”) to automatically identify and remove spam users. I’ll also discuss the proactive prevention part of this plugin in the next section.

SplogHunter goes through your existing users and compares them against its database of sploggers/spam users. If there’s a match, SplogHunter will mark that user in a new “Splogger” column. You can then easily delete spam users after verifying they’re not real people.

SplogHunter also provides an easy Report as Splogger button that both deletes a user and adds them to SplogHunter’s centralized database (similar to how Akismet functions for comment spam).

Note – as you can see in the screenshot, there is still WangGuard branding in the most recent version of the plugin. Rest assured that SplogHunter and WangGuard are the same thing.

How to Prevent Spam User Registration on WordPress

Do you know the old saying “an ounce of prevention is worth a pound of cure”? That definitely applies to spam users on WordPress. If you stop them from registering in the first place, you won’t need to worry about identifying and removing them.

There are a number of ways you can block them:

  1. Fortify your sign up form with CAPTCHAs – this is my least favorite method because it requires real people to verify they’re not a robot, which isn’t good for user experience.
  2. Use a plugin that compares signups against a database of spam users – this is a better method because it doesn’t inconvenience real people. It just quietly blocks known spam users.
  3. Add access rules to prevent sploggers – if you notice that most spam users come from, say, .ru domains, you could create a rule that blocks anyone from using an .ru email to register.
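The access rule from item 3, written as a small WordPress plugin. This is an added example, not code from the article or from any plugin it names; the rule list, function name and error code are assumptions, while `registration_errors` is the WordPress core filter.

```php
<?php
/**
 * Plugin Name: Example Registration Domain Rules
 * Description: Added example. Rejects sign-ups whose email domain matches a rule.
 */

// Constructed sample rules (assumption): a leading dot is a suffix rule covering a
// TLD or a parent domain; any other entry must equal the whole domain.
const EXAMPLE_BLOCKED_DOMAINS = array( '.ru', 'throwaway-mail.example' );

/** Return true when the domain part of $email matches one of $rules. */
function example_email_domain_is_blocked( $email, array $rules ) {
    $at = strrpos( $email, '@' );
    if ( false === $at ) {
        return false; // Malformed address: core reports that error itself.
    }
    // Normalise case and a trailing dot so "User@Mail.Example.RU." still matches.
    $domain = rtrim( strtolower( substr( $email, $at + 1 ) ), '.' );
    if ( '' === $domain ) {
        return false;
    }
    foreach ( $rules as $rule ) {
        $rule = strtolower( trim( $rule ) );
        if ( '' === $rule ) {
            continue;
        }
        if ( '.' === $rule[0] ) {
            // Compare on a label boundary: ".ru" matches "mail.example.ru",
            // but not "example.rum" or "notru".
            if ( substr( '.' . $domain, -strlen( $rule ) ) === $rule ) {
                return true;
            }
        } elseif ( $domain === $rule ) {
            return true;
        }
    }
    return false;
}

// Hook into core registration only when loaded by WordPress.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'registration_errors', function ( $errors, $login, $email ) {
        if ( example_email_domain_is_blocked( $email, EXAMPLE_BLOCKED_DOMAINS ) ) {
            $errors->add( 'example_blocked_domain', 'Registration from this email domain is not allowed.' );
        }
        return $errors;
    }, 10, 3 );
}
```

The filter covers the core registration form; sign-up forms supplied by other plugins may validate through their own hooks, so confirm the rule fires on the form your site actually exposes.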

Now, I’ll share some plugins that can help you implement one or more of these checks:

Captcha by BestWebSoft – Add CAPTCHAs to Registration Forms

If you want to require all your users to fill out a CAPTCHA before signing up, you can use Captcha by BestWebSoft to add a simple math equation to your forms. Again, I don’t think you should go straight to CAPTCHAs. But if you have a really bad spam problem, it’s a good way to knock out spam right away.

Key Features:

  • Works on login, registration, recover password, comments, and contact forms
  • Adds a simple math equation that fools spambots
  • Allows users to get a new question if it’s too difficult
  • Can configure the difficulty of the math questions
  • Includes letter and number CAPTCHAs as well

Price: Free

SplogHunter – Automatically Flag Spammers Without CAPTCHA

In addition to filtering out existing spam users, SplogHunter can also protect your registration forms without requiring users to fill out a CAPTCHA. When users sign up, they will be automatically compared against SplogHunter’s crowd-sourced spam user database.

Key Features:

  • Blocks spam sign ups without CAPTCHA
  • Spammer database is constantly updated because it’s crowd-sourced like Akismet
  • Works with WordPress, WordPress Multi-user, BuddyPress, and bbPress 2.0
  • Can manually block specific domains from registering

Price: Free at the time of writing (there is talk of moving to a freemium model)

Note – you will need to obtain a free API key from WangGuard/SplogHunter to properly use the plugin.

WP-SpamShield Anti-Spam – Full-Service Anti-Spam

WP-SpamShield Anti-Spam is a highly-rated plugin that handles spam protection for every aspect of your site. Part of that includes your registration forms.

The plugin works in a very smart way. It protects you with both JavaScript/cookie protection AND an anti-spam algorithm. It also doesn’t use CAPTCHA, which I’m a fan of.

Key Features:

  • Protects against registration spam as well as comment, pingback, and other forms of spam
  • Doesn’t utilize CAPTCHA – no front-end impediments to users
  • Works with BuddyPress, bbPress, WooCommerce, and a variety of other forms

Price: Free

Wrapping Up

WordPress spam users can be a real pain for anyone running a site with open registration. These bots can harass your real users, bloat your database, and damage your SEO with spammy outbound links.

But, if you implement the right protections, you can root out spam users and prevent them from even registering in the first place.

Before inconveniencing your human users with a CAPTCHA, you should try a plugin like SplogHunter or WP-SpamShield. If you still have a spam problem while using those plugins, then you might consider blocking specific domains that are spamming you or adding a CAPTCHA.

Has one of your sites had a problem with WordPress spam users? It would be awesome if you shared how you coped with the problem in the comments!

Article thumbnail image by dandoo / shutterstock.com 

11 Comments

  1. “Spam users can hit you on the external side by posting spammy outbound links, which can hurt your site in the eyes of Google.”

    … which is ironic, considering that Google is the root cause of the SEO spam problem.

  2. Are these WP SPAM users an issue for a website selling a paid service or paid membership? Or is this just relevant to free sites? Thanks!

  3. I use the plugin “Confirm User Registration”. The operation is very simple: admins have to confirm a user registration; then a notification will be sent when the account gets activated.
    I have used it for several years and it works fine.
    I must add that I want to keep my site for the teenagers group I manage. So it’s simpler to check and eliminate the users that I don’t want.

  4. This is really very helpful. I can still remember the first day that I launched my blog, I had like two comments that day and to me I thought everything was going well. Never did know that it was some Douche bag spammers that happened.

  5. I am using the Akismet plugin for spam comments but never thought about spam users.

    Now going to give the SplogHunter plugin a try. It seems to be a great WordPress plugin for spam users.

  6. What about those plugins that force registration via a social media account?

  7. How do you turn off new user registration?

  8. We were getting attacked by spammers on a daily basis, and unfortunately none of these major solutions helped us in preventing the numbers from rising.

    However, we had to implement the QR scancode and 2FA to prevent spammers from signing up and actively using our services. I hope this can help others as well.

  9. Great post. Definitely worth noting that a honeypot technique works well without the inconvenience to your users.

    After implementing on our site, we cut down on 99% of our spam and no need for captcha or other annoying fields.

  10. We routinely rename wp-login.php on every WordPress site we build. That step alone helps quite a bit.

  11. When I co-authored the Hot For Words website, I would get many spammers that appeared to be normal users then a week or so later they would start spamming the site. I had a small team that would find spammers and report back. Then it was just an easy find and delete their spam.

    What wasn’t covered in this article was Trolls. Now that takes some hard and careful tactics to weed out. You can’t just delete their account for they would just make a new one and remain quiet for a few days and then start trolling again. So I would never delete their accounts but would suspend their account in a way that they needed admin approval to comment. That didn’t work for very long for they would just create an Alt account. Again I had to use my team to track down trolls and expose them. Once that was done they knew they were identified and would leave the website.

    We found a plugin that would allow the Troll to make comments that they would only see. No one else could read their comments. It was funny to watch them write ‘Is anyone reading my comments?’ and no one would respond. The troll would get bored and leave.
