This article addresses the problem of robot (bot) user registrations on WordPress sites, including those running WP 3.3.1. I would be very interested to hear what the purpose of registering all these users is; what is the goal?
Did you notice that, despite your best efforts to allow only human registrations, the ranks of your registered users keep growing? All of these are dead records in your database. Each new user registration is one record in the “wp_users” table and about 15 new records in the “wp_usermeta” table, and none of these users ever changes the default password. Total waste.
You might even install a CAPTCHA plug-in, making real human users type a four-digit code to prove their humanity, but nothing helps: you watch with dismay as new users keep piling up in your database every day.
Finally, one day you decide to stop the madness. Here is a simple code change that will prevent robots from adding dead users to your WordPress database.
Problem:
Robots bypass your registration form altogether: they send a POST request straight to wp-login.php?action=register, supplying random but syntactically valid ‘user_login‘ and ‘user_email‘ fields, masquerading as real user activity. Anything that lives only in the rendered form, such as a CAPTCHA widget, is never loaded by such a script.
Plan of Attack:
Change the name of one or both of the registration form fields so that the standard attack fails: the script still posts ‘user_login‘ and ‘user_email‘, wp-login.php now reads fields by other names, finds them empty, and register_new_user() rejects the request with an empty-username or empty-e-mail error. That does not protect you forever. A bot that fetches and parses your form will pick up the new names, so future attacks have to be tailored to your site; but tailoring is a much higher bar than a generic script, and you can rename the fields again at any time. Two caveats: wp-login.php is a core file, so every WordPress update overwrites it and the change has to be reapplied (a plugin using the ‘register_form‘ action and the ‘registration_errors‘ filter achieves the same effect and survives updates), and renaming fields is obscurity, not authentication, so treat it as one layer rather than the whole defence.
Step-by-Step Instructions:
(01) Save a copy of the existing “wp-login.php” as “wp-loginOLD.php”. That is your fallback if you make a mistake. Keep the copy outside the web root, or at least remove it once the change is verified: a PHP file in the site directory is still executable, and a copy that keeps the default field names is a second registration endpoint that the fix does not cover.
(02) Open “wp-login.php” in your favorite editor. If Notepad shows the code without line breaks (the file uses Unix line endings), use WordPad instead.
(03) Search for the line of code
case 'register' :
This is where the Register a New User form lives.
(04) Replace lines:
if ( $http_post ) {
    $user_login = $_POST['user_login'];
    $user_email = $_POST['user_email'];
with something like this:
if ( $http_post ) {
    $user_login = $_POST['user_login_XYZ'];
    $user_email = $_POST['user_email_XYZ'];
where XYZ is your own suffix appended to the default field name, anything a generic script would not guess. Only the array keys change; the PHP variables keep their names, so the rest of the register case works unchanged.
(05) Modify lines:
<p>
    <label for="user_login"><?php _e('Username') ?><br />
    <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
</p>
<p>
    <label for="user_email"><?php _e('E-mail') ?><br />
    <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label>
</p>
with something like this:
<p>
    <label for="user_login_XYZ"><?php _e('Username') ?><br />
    <input type="text" name="user_login_XYZ" id="user_login_XYZ" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
</p>
<p>
    <label for="user_email_XYZ"><?php _e('E-mail') ?><br />
    <input type="email" name="user_email_XYZ" id="user_email_XYZ" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label>
</p>
Remember, you do not need to rename both fields. One is enough, because register_new_user() refuses a registration whose username or e-mail is empty, and the renamed field is exactly the one a generic script leaves empty.
(06) Save and test. Go through one complete registration cycle as a real user and make sure records are still created in your database, that the notification e-mails are sent and received, and that the default password can be changed to one of your own choosing. Then, if you can, replay a bare POST with only the default field names and confirm that it is rejected.
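The same effect can be had without editing a core file, which is worth showing because the wp-login.php edit above is lost on every WordPress update. The plugin below is an added example written for this article, not code from the original post or from WordPress itself; it assumes a single-site install (the hooks shown live in wp-login.php and register_new_user(), not in the multisite wp-signup.php flow), and the field names ‘reg_token_XYZ‘ and ‘reg_website_XYZ‘ are this example's own choice. It goes one step beyond the rename: the extra field carries a token derived from the site's salts that changes daily, so a bot cannot just learn the new name once, and a hidden honeypot field catches scripts that fill in every input they see. A bare POST of only ‘user_login‘ and ‘user_email‘ fails the ‘registration_errors‘ check before any row is written.

```php
<?php
/*
Plugin Name: Registration Token Check (added example)
Description: Rejects registrations that do not carry a token rendered into the form by this plugin.
*/

// Field names are this example's own choice; suffix them as you like, as with XYZ above.
define( 'RTC_TOKEN_FIELD', 'reg_token_XYZ' );
define( 'RTC_TRAP_FIELD',  'reg_website_XYZ' );

// Daily token keyed with the site's salts through wp_hash(); a bot cannot compute it
// without reading wp-config.php, so it has to fetch and parse the live form each day.
function rtc_token_for_day( $day ) {
	return substr( wp_hash( 'rtc|' . $day ), 0, 24 );
}

// Print the extra fields. The 'register_form' action fires inside
// <form id="registerform"> in wp-login.php, so browsers POST them with the form.
function rtc_render_fields() {
	$token = rtc_token_for_day( gmdate( 'Y-m-d' ) );
	printf( '<input type="hidden" name="%s" value="%s" />', esc_attr( RTC_TOKEN_FIELD ), esc_attr( $token ) );
	// Honeypot: invisible to humans, but scripts that fill every input will populate it.
	printf(
		'<p style="display:none"><label for="%1$s">Leave this empty<br /><input type="text" name="%1$s" id="%1$s" value="" autocomplete="off" /></label></p>',
		esc_attr( RTC_TRAP_FIELD )
	);
}
add_action( 'register_form', 'rtc_render_fields' );

// Validate the POST. The 'registration_errors' filter runs in register_new_user()
// before the user row is written; any error added here aborts the insert.
function rtc_check_registration( $errors, $sanitized_user_login, $user_email ) {
	$token = isset( $_POST[ RTC_TOKEN_FIELD ] ) ? (string) $_POST[ RTC_TOKEN_FIELD ] : '';
	$trap  = isset( $_POST[ RTC_TRAP_FIELD ] )  ? (string) $_POST[ RTC_TRAP_FIELD ]  : '';

	// Accept today's and yesterday's token so a form loaded just before midnight UTC still works.
	// The token is public (it is in the page HTML), so a plain comparison is fine here.
	$valid = array(
		rtc_token_for_day( gmdate( 'Y-m-d' ) ),
		rtc_token_for_day( gmdate( 'Y-m-d', time() - 86400 ) ),
	);

	$reason = '';
	if ( ! in_array( $token, $valid, true ) ) {
		$reason = 'missing or stale form token';
	} elseif ( '' !== $trap ) {
		$reason = 'honeypot field filled';
	}

	if ( '' !== $reason ) {
		// Log the attempt so you can see what the bots actually send. REMOTE_ADDR is the
		// peer address; adjust if the site sits behind a reverse proxy.
		$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
		error_log( sprintf( 'rtc: blocked registration (%s) login=%s email=%s ip=%s',
			$reason, $sanitized_user_login, $user_email, $ip ) );
		$errors->add( 'rtc_failed', __( '<strong>ERROR</strong>: The registration form could not be verified. Please reload the page and try again.' ) );
	}
	return $errors;
}
add_filter( 'registration_errors', 'rtc_check_registration', 10, 3 );
```

Drop the file into wp-content/plugins/ and activate it, then run the same test cycle as in step (06): a browser registration succeeds, a replayed POST without the token lands in the PHP error log with the reason. This is still an obscurity measure; a bot written against your site can fetch the form daily and copy the token, so keep it as one layer alongside whatever server-side validation you already run.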
If anyone knows the reason for registering all these random users, your input would be appreciated.
Also on the subject:
How to run simple MySQL queries to identify WP users who ever posted, commented or blogged, users who ever changed their default password, and more.