FAQ Recaptcha

By default, WordPress allows any user to register with your website using nothing more than a unique username and an email address. Because the hurdles to register are so low, the registration form is a haven for SPAMmers and general nuisances on the internet.

SPAMmers or hackers will register with your website for a few reasons, all equally annoying.

  1. The most damaging are the ones who register in the hope of gaining control of your website. If your registration permissions are set incorrectly, your website could be giving newly registered users more control over your site than you want or they need.
  2. Some will register hoping to access parts of the Dashboard that you left open to them, and to create issues there.
  3. Some will register for no other reason than to get your attention – registration SPAM is quite prevalent on popular WordPress websites, where they use their product name as the username in an effort to spread their name far and wide.

There are a few things that you need to do to protect your website from these potential problems, which we will address in this article.

  1. Ensure that all new registrations have minimal permissions to your website
  2. Add a reCAPTCHA form to your WordPress registration page to make them validate their humanity

Restrict Permissions

WordPress users are given roles, which define what a user at your site has permission to do. These actions are referred to as ‘capabilities’, e.g. the capability to create/edit a post, the capability to review comments, etc.

You need to make sure that new users have no capability to edit any content on your site OR review any personal information about your business or other users.

There are 5 WordPress user roles provided by default with the system. Plugins can create additional roles with additional capabilities; however, the default user roles that ship with WordPress are:

  1. Administrator – They have access and control to do everything
  2. Editor – They can create, edit, delete, and publish pages and posts, as well as moderate comments and manage categories and links
  3. Author – They have fewer permissions than an Editor – They can create, edit, delete and publish pages and posts BUT only their own content – they cannot modify other users' content
  4. Contributor – They have access to read all posts and to edit and delete their own posts.
  5. Subscriber – They have access only to modify their own user profile

If user registrations are not required for your website, then the easiest way to stop registration SPAM is to disable new registrations. This can be achieved by toggling off the setting in “Settings” > “General” > “Membership” > “Anyone can register” – by de-selecting this checkbox, no new users will be able to register with your website.

(Screenshot: WordPress “Settings” > “General” > “Membership” > “Anyone can register”)

However, if user registrations are a requirement on your website and you need to leave this setting activated, then you need to ensure that it is done in a controlled manner. Firstly, make sure that all new user registrations default to “Subscriber” using the dropdown selection: “Settings” > “General” > “New User Default Role” > “Subscriber”

(Screenshot: WordPress “Settings” > “General” > “New User Default Role” > “Subscriber”)

Adding reCAPTCHA to your WordPress registration page

If you’re like me and like to try avoiding WordPress bloat by avoiding plugins for simple processes, then I have some simple code for you to use to put an extra hurdle in the way of SPAMmers trying to register with your website.

Adding a reCAPTCHA form is simple and easy and will take no more than 5 minutes to achieve. In this example, we are using the v2 Checkbox for our reCAPTCHA.

  1. Firstly, you need to make sure you have a Site Key
    1. Go to the Google reCAPTCHA admin console and register a new site to gain a site key: https://www.google.com/recaptcha/admin/
    2. Save a copy of your new Site Key somewhere safe

(Screenshot: reCAPTCHA Site Keys in the Google admin console)

  2. Install the following code into your functions.php file, located within your theme's directory: /themes/your_theme/functions.php (if there is no functions.php, just create one). You can paste this code directly at the bottom of your functions.php file and hit save.

NOTE: Make sure you replace ‘your_site_key_goes_here’ with your actual site_key from the Google console.

/*
 * Add reCAPTCHA to the registration form
 ****************************************************/
function oley_add_recaptcha_field() {
    ?>
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <!-- A <div> is not valid inside <label> or <p>, so the widget gets its own wrapper -->
    <div class="recaptcha-wrap">
        <div class="g-recaptcha" data-sitekey="your_site_key_goes_here"></div>
    </div>
    <?php
}
add_action( 'register_form', 'oley_add_recaptcha_field' );

// Runs before WordPress creates the user; adding an error aborts the registration.
function oley_validate_recaptcha_field( $errors, $sanitized_user_login, $user_email ) {

    // Only checks that the browser submitted a response token; it does not
    // ask Google whether that token is genuine.
    if ( empty( $_POST['g-recaptcha-response'] ) ) {
        $errors->add( 'recaptcha_error', __( '<strong>ERROR</strong>: Please verify that you are not a robot.', 'oleymediagroup' ) );
    }

    return $errors;
}
add_filter( 'registration_errors', 'oley_validate_recaptcha_field', 10, 3 );

This code does two things:

  1. Hooking into register_form – we add the Google reCAPTCHA widget to the form displayed on the WordPress registration page.
  2. Hooking into registration_errors – we stop the registration from proceeding unless the form was submitted with a reCAPTCHA response token, i.e. the checkbox was ticked. Note that this snippet only checks that a token is present; it does not send the token to Google to confirm it is genuine, so on its own it only stops clients that leave the field empty.
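
The snippet above only tests that the g-recaptcha-response field is non-empty. The following is an added example, not code from the original article, that completes the check by sending the token to Google's siteverify endpoint through WordPress's HTTP API; it assumes the Secret Key (shown beside the Site Key in the reCAPTCHA console, and never to be placed in page HTML) is defined in wp-config.php as the hypothetical constant OLEY_RECAPTCHA_SECRET.

```php
// Added example (not from the original article). Assumes the Secret Key is
// defined in wp-config.php as OLEY_RECAPTCHA_SECRET (hypothetical name):
//   define( 'OLEY_RECAPTCHA_SECRET', 'your_secret_key_goes_here' );
function oley_verify_recaptcha_token( $token ) {
    if ( ! defined( 'OLEY_RECAPTCHA_SECRET' ) || '' === $token ) {
        return false;
    }
    // Ask Google whether this token was issued for a solved challenge.
    $response = wp_remote_post(
        'https://www.google.com/recaptcha/api/siteverify',
        array(
            'timeout' => 10,
            'body'    => array(
                'secret'   => OLEY_RECAPTCHA_SECRET,
                'response' => $token,
                'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            ),
        )
    );
    // Fail closed: a network error or non-200 reply counts as "not verified".
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        return false;
    }
    // Tokens are bound to the hostname where the widget was solved; require it
    // to match this site (remove this if your login page lives on another host).
    $expected_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( ! empty( $result['hostname'] ) && $result['hostname'] !== $expected_host ) {
        return false;
    }
    return true;
}

function oley_validate_recaptcha_server_side( $errors, $sanitized_user_login, $user_email ) {
    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
        : '';
    if ( ! oley_verify_recaptcha_token( $token ) ) {
        $errors->add( 'recaptcha_error', __( '<strong>ERROR</strong>: reCAPTCHA verification failed. Please try again.', 'oleymediagroup' ) );
    }
    return $errors;
}
add_filter( 'registration_errors', 'oley_validate_recaptcha_server_side', 10, 3 );
```

This can be pasted into functions.php in place of the empty-check function above (a child theme's functions.php is safest, so a theme update does not overwrite it).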

Finally, for aesthetic purposes, I like to resize the reCAPTCHA slightly so that it does not exceed the width of the other fields, which would look a little messy. I do this by adding a little CSS to the class ‘g-recaptcha’:

<style>
.g-recaptcha {
    transform: scale(.9);
    -webkit-transform: scale(.9);
    transform-origin: 0 0;
    -webkit-transform-origin: 0 0;
}
</style>

(Screenshot: reCAPTCHA on the registration page)