Changed e-mail token and math problem confirmation logic. Previously, everything happened all at once, and the user would get prompted mutliple times for the math problem.
Now, the user must answer the math problem first, before the e-mail token is sent. Once the math problem is correctly answered within the session, it isn’t asked again. The user must now enter the correct token, which results in successful registration.
SPECIAL THANKS TO OLEG M. FOR HELPING ME IDENTIFY, FIX, AND TEST THE ERROR!!
Added E-mail confirmation token. Prevents registration until user enters a token sent via e-mail.
- Prevent users from registering, if their IP or e-mail address is listed in the “Comments” blacklist (Settings..Discussion)
- E-mails user a 4-digit token, and requires the user to enter the token in order to register.
- Users must solve a simple math problem (Add two one-digit numbers).
- Places user IP address in “Website” field.
This is a super-simple user registration spam countermeasure. I searched for a plugin that was SIMPLE and EFFECTIVE. I looked at quite a few plugins that promised the desired effect, but were either cumbersome, or included too many unneeded or unwanted features. Likewise, there are some very simple plugins that are less-than-effective.
This plugin is VERY simple:
If the user’s IP or e-mail address is listed in the “Discussion” comments blacklist, it prevents the user from registering. This functionality should really be built in to WordPress, so, you’re welcome.
When the user registers, they are presented with a simple math problem – adding a 3-digit number to a 1-digit number. 99% of the “user reg spam” is based on bots being able to attack the basic WordPress registration form. By adding even a simple math problem, most bots will fail, removing your site as a target of opportunity. Criminals go after what’s easy – if you make it slightly more difficult for them, they will go after someone else.
Once the user solves the math problem, they are sent a 4 digit token via e-mail, and must enter that token to continue registration.
Finally, knowing the location from where your users register allows you to more effectively evaluate and block the source. This plugin adds the user’s IP address (at the time of registration) to the “Website” field.
Go to http://whois.arin.net to find out who they are. If you decide to block the IP, add the IP address, part of the IP address, or e-mail domain to the “Discussion” comments blacklist, and ANY user registrations from an IP address matching that pattern will be blocked.
To Configure the Plugin:
NOTE: NO CONFIGURATION IS REQUIRED. This plugin is fully-functional using the default values.
In the Plugins page, click “Settings” underneath the “JP User Registration Blacklist” plugin.
Seed: This value determines how the answer to the math problem is masked. Periodically change this, to keep the spammers and criminals at bay. The initial value is randomly-generated.
Failed Math Response: Error message displayed to the user, if they fail to correctly solve the math problem.
Rejected IP or E-mail: Error message displayed to the user, if their IP or e-mail is blocked. Keep this simple and generic, to keep them from knowing why they are being blocked.
Form field name for math problem: This field name contains the user’s answer to the math problem. Periodically change this, to keep the bots away. The initial value is randomly-generated.
To Block an IP address
- In the WordPress Dashboard, go to “Settings…Discuss”
- To block all or part of an IP address, add it on its own line to “Comments Blacklist”
- To block all or part of an e-mail address, add it on its own line to “Comments Blacklist”
- Click “Save”
(For more details, see Examples)
- Activate the plugin through the ‘Plugins’ menu in the WordPress Dashboard. Click “Activate” underneath “JP User Registration Blacklist”.
- Add full or partial IP addresses or e-mail addresses to the Settings..Discussion
Comments Blacklist, one per line.
- NOTE: This plugin works with the default settings. No configuration is required. Customize settings by clicking the “Settings” link underneath “JP User Registration Blacklist” plugin, on the Plugins page.
Adding 176.24. to the comments blacklist blocks:
Adding 176.24.10 (no trailing dot) to the comments blacklist blocks:
Go to the ARIN website to figure out what the correct IP range is.
Start by just blocking a single IP address. If you keep getting user registrations from other, similar IP addresses, block the whole range!
Adding .pl to the commets blacklist blocks:
Starting with 1.6.1, I will be providing regular updates for blacklisted IP addresses and networks that I’ve accumulated.
Copy the entries below to the Settings … Discussions … Comment Blacklist section, scroll down, and click Save
- How do I configure this plugin?
From the dashboard, select “Plugins”. Underneath “JP User Registration Blacklist”, click “Settings”.
- What does the user see?
Check out the screen shots.
* If they don’t answer the math problem correctly, the registration is denied, with a simple message.
* If their IP or e-mail address is blocked, they get a generic “try again” message. This is intentional, to avoid disclosing WHY they are being blocked, making it harder to bypass.
* If they fail the math problem AND their IP is blocked, they get both messages.
- Why does the user’s IP start with http:// ?
That’s a WordPress thing. Ignore the http://. I may decide to add a custom field later, but for now, simple is better.
There are no reviews for this plugin.
Contributors and Developers
“JP User Registration Blacklist” is open source software. The following people have contributed to this plugin.Contributors
Interested in development?
- 6/2015 – Fixed the sequencing so that the user must FIRST solve the math problem correclty, THEN gets e-mailed and prompted for the token.
- 5/2015 – Added E-mail registration token
- 8/29/2014 – Updated math problem to be slightly more complex – 3digit + 1digit (previously 1digit + 1digit). I have seen a slight uptick in registrations from hosted server locations, leading me to think that there are bots out there that look for, and solve the 1digit+1digit math problem.
- 6/12/2014 – Randomly-generated seed for the math problem (prevents hacking), Randomly-generated math problem field name (further prevents bots), Admin options panel, ability to customize error messages.
- 6/5/2014 – Math problem is now randomly generated (dynamic).
- 5/11/2014 – Added e-mail address patten matching.
- 5/2/2014 – Initial version.