Stop spam users from registering without disabling user registration?

My site http://remotejobs.io currently uses a plugin to power the job board and user-supplied resumes. The plugin creates users from its own interface, so there is no typical user creation method on the site.

However, lately I’ve had an overwhelming amount of new user creations from spam bots. I know the difference because I get a new user registration email from these users who I suppose are just hitting the http://remotejobs.io/wp-login.php?action=register page, whereas the interface used by users actually posting a resume or a job doesn’t generate this email notification.

Is there some way to block the ability for spam bots to create accounts this way without disabling user registration altogether?

To be clear, no spam is actually ending up on the site because users can only post content through the plugin’s interface. But I’d like to prevent a user database filled with spam accounts.

EDIT: I’m using the wpjobboard plugin.


This is similar to Shawn H’s answer but is more effective for me.

I already had registrations disabled, but bots still show up constantly to try anyway. My goal was to completely kill all requests to the registration form to avoid the load on my server (and mess in my logs) caused by bots trying to register, so this solution sends a 403 denied error to anyone that tries to register. It may be overkill for you if you still want people to be able to register.

It goes in your .htaccess, near the top (obviously it will only work if you are using Apache as your server and have mod_rewrite enabled, which most people do):

#BLOCK SPAM REGISTRATION REQUESTS (wp-login.php?action=register) 
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{THE_REQUEST} ^.*(wp-login.php\?action=register).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

wp-login.php?action=register is the URL you end up at when you try to register, so this should stop all requests regardless of whether they go straight to wp-login.php (like the bots I’m fighting) or through wp-includes/wp-register.php or just /wp-register.php.
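
Added example, not part of the original answer: a Python check of which request lines the RewriteCond pattern above would answer with 403, so you can confirm that normal logins still pass. The request lines are constructed samples, and it assumes Python's `re` handles this pattern the same way Apache's regex engine does.

```python
import re

# Same pattern as the RewriteCond above; the [NC] flag maps to re.IGNORECASE.
# Assumption: Python's re and Apache's PCRE agree on this simple pattern.
BLOCK_PATTERN = re.compile(r"^.*(wp-login.php\?action=register).*", re.IGNORECASE)


def is_blocked(the_request: str) -> bool:
    """True if the rule would return 403 for this %{THE_REQUEST} value."""
    return BLOCK_PATTERN.search(the_request) is not None


# Constructed request lines (method, URI, protocol); not taken from real logs.
SAMPLES = [
    # Direct hits on the registration URL: blocked for any method or case.
    "GET /wp-login.php?action=register HTTP/1.1",
    "POST /wp-login.php?action=register HTTP/1.1",
    "GET /WP-LOGIN.PHP?ACTION=REGISTER HTTP/1.0",
    # Normal login and password reset must keep working.
    "GET /wp-login.php HTTP/1.1",
    "GET /wp-login.php?action=lostpassword HTTP/1.1",
    # Not matched itself; the answer relies on it ending up at the URL above.
    "GET /wp-register.php HTTP/1.1",
    # The rule keys on the literal substring, so parameter order matters.
    "GET /wp-login.php?redirect_to=%2F&action=register HTTP/1.1",
    # The pattern is unanchored: any URL carrying the literal string is blocked.
    "GET /jobs/?ref=wp-login.php?action=register HTTP/1.1",
]


def classify(samples):
    """Map each request line to True (403) or False (passes the rule)."""
    return {line: is_blocked(line) for line in samples}


if __name__ == "__main__":
    for line, blocked in classify(SAMPLES).items():
        print(f"{'403 ' if blocked else 'pass'}  {line}")
```

After deploying the rule, compare this against the status codes your access log records for the same URLs.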
