The growing problem of registration spam in WordPress

Now, this is odd.

A few months back I wrote a plug-in for WordPress called RegisTrap. It’s beyond basic, and has one simple purpose: to block registration spam on my WordPress-based website.

Registration spam, for those of you who don’t know, is when a “bot” (a computer program written to seek out and exploit poorly-written web forms to send floods of spam email messages) signs up as a “user” on your site. These “users” can’t really do anything on the site, but they clutter up your database nonetheless.

I had a feeling that RegisTrap was really only going to work reliably if I kept it to myself. And I was right: after submitting it to the official WordPress plug-in repository, it eventually stopped working, as the bots adapted to avoid its “traps.” It might have happened eventually anyway, but I’m sure that the publicity it received from being in the repository, and the hundred or so people who downloaded it (many of whom, I suspect on reflection, were probably bot developers looking to dissect its workings), accelerated its demise.

As I announced here a few days ago, I turned RegisTrap off on my site, and I also turned off registration altogether. But that hasn’t stopped the flood of new bot registrations. There are 14 of them sitting there in my database right now (well, there were before I just deleted them), all added after I turned off the ability to register altogether.

I suppose that since the bots don’t actually visit the site and fill in the form (they just submit the right data directly to the right URL, whether it’s “browsable” or not), it doesn’t even really matter whether your site is set up to reject registrations. Still, it’s a bit dismaying that WordPress is processing those registrations even with registration turned off. Apparently it stops at making the registration page inaccessible via links; it doesn’t actually turn off the code that processes registrations. Boo. Perhaps that should be my next plugin: “Stop All Registrations 4 Realz.”

But maybe I won’t call it that.
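As an added illustration of the “stop registrations for real” plugin idea above (this is not RegisTrap and not code from the original post), here is a minimal WordPress plugin that re-checks the site’s own users_can_register option inside the registration_errors filter, which WordPress applies in register_new_user() before any account is created. Because the check runs in the processing code rather than on the visible form, a request POSTed straight to the registration handler is refused as well. The plugin name, the function name and the logging line are my own assumptions.

```php
<?php
/*
Plugin Name: Stop All Registrations (example)
Description: Refuses registration submissions whenever the site has
             registration turned off, even if the request never touched the form.
*/

// Hypothetical example plugin, not RegisTrap's code.
// 'registration_errors' is applied by register_new_user() with three
// arguments: the WP_Error collector, the sanitized login and the e-mail.
function sar_block_when_registration_closed( $errors, $sanitized_user_login, $user_email ) {
    // Enforce the admin's own setting inside the processing path.
    if ( ! get_option( 'users_can_register' ) ) {
        $errors->add(
            'registration_closed',
            __( 'User registration is currently not allowed.' )
        );

        // Record the attempt so the site owner can see that bots are
        // still posting directly to the registration handler.
        error_log( sprintf(
            'Blocked registration attempt: login=%s email=%s ip=%s',
            $sanitized_user_login,
            $user_email,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
    }

    // Returning a WP_Error with entries makes register_new_user() abort.
    return $errors;
}
add_filter( 'registration_errors', 'sar_block_when_registration_closed', 10, 3 );
```

Drop the file into wp-content/plugins/ and activate it; with registration disabled in Settings, every submission is rejected before wp_create_user() runs, and the blocked attempts show up in the PHP error log.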

New WordPress plugin: RegisTrap

Regis Trap? Not quite.


As I have trumpeted from the hilltops on many an occasion, I have happily been using WordPress to power this site going on two years now.

Mostly happily, anyway. There are a few things that don’t sit right with me, most prominently the persistence of spambot registrations, with little (good) help so far from the plugin development community.

What are spambot registrations, you ask? Well, blogs tend to have two doors that are open to spambots: comment forms and registration forms. Comment forms are certainly more common (since just about every blog accepts comments but most probably do not accept new user registrations), and much has been done to deal with the problem of comment spam. Most notably there is WordPress founder Matt Mullenweg’s own excellent comment spam blocking plugin, Akismet. But no comparable plugin exists for the WordPress registration form, and despite many requests from the community, Akismet has not yet been adapted for this purpose. Probably since registration spam is so far only a nuisance (albeit a potentially large one for the site administrator), it has not gotten the same kind of attention.

I did manage to find a few plugins to block registration spam, but most were half-baked, and the one I did end up using for a while, which clearly has been given a lot of attention by its developer, just seemed to be overkill to me. And while it did work to prevent spam registrations for the month or so that I used it, it also prevented my legitimate, registered users from logging in!

So a few days ago I turned it off, and within hours I was receiving spam registrations again. That’s when I decided to build my own spambot registration blocking plugin for WordPress: RegisTrap. The focus is on absolute simplicity: there are no visible changes to the registration form for users, and there’s no configuration for the site admin… just upload it, activate it, and you’re done.

I’ll admit mine is probably half-baked as well, but it’s only at version 0.3 so far. I may eventually need to add an administrative tool to allow the site owner to make changes if bots start to adapt to the default settings — I don’t really know how smart bots are. But I do know that I’ve had RegisTrap running on my own site for a couple of days now, definitely long enough to be able to determine whether or not it’s working, and since I installed it there has not been a single spambot registration on my site.

If you run a WordPress site, give RegisTrap a try!