Website DIY - tricks and solutions

WordPress Security: why you should NOT require commenters to register.

Last month there were reports that a cyber-criminal gang had infected 30,000 WordPress blogs to market “anti-virus” software. WordPress is a popular target: keep your WordPress version and plugins up to date, and don’t expose your site to unnecessary risks.

If you require users to register before posting comments, for no other purpose than as part of your spam prevention strategy, then think again:

1. It may not be effective

but more importantly

2. you are gifting the bad guys access to more potential vulnerabilities on your site, and your .htaccess security won’t always protect you.

This is not security paranoia; below is a real example that didn’t even require “hacking” skills.

Real World Example

An Ad site with no “contact us” had copied one of my articles. With no “contact us” and no response via WHOIS address my last resort was to post a comment on the site.
After registering I discovered that I was not only able to comment but also allowed to POST without moderation, so the site ended up with a post at the top of the front page highlighting its dubiousness.

This could have been a good site and I could have been the bad guy doing more than just posting text. This “feature” was fixed a few months back by WordPress 3.1.2.

By requiring registration (allowing strangers to “log in”) as a spam prevention measure you are opening up your site to additional current or future exploits.

Why email registration may not be effective in preventing spam

Wikipedia (it must be true :-)) states “Some spambots will pass this step by providing a valid email address and use it for validation”. Registration Spam is a growing problem.

Yes, there are plugins to combat registration spam; but comment spam scumware packages are updated to provide their own counter measures:
For example, I have just read the change log for one blog commenting tool that targets WordPress and other platforms. It has increased the length of delay until it responds to email verification requests to improve its success rate – presumably to avoid a newish anti-registration-spam measure.


Requiring registration before users can comment does little to protect you from spam, but increases risks to your site’s security.

You would be better served just using one of the better anti-spam plugins AND (ideally) setting WordPress to require all comments to be moderated, so that you can check for any that the plugin may have missed.

For the past week I have been trialling an anti-spam plugin on another site. The plugin is supposed to be 100% effective, low maintenance (no checking and emptying of the spam box) and comment-poster friendly. I will report back in a few weeks, but first impressions are favourable.

If you do decide to revert to no new user registration, don’t forget to untick BOTH of the highlighted boxes below:

[Screenshot: WordPress dashboard, Settings > General – the “Anyone can register” setting]

[Screenshot: WordPress dashboard, Settings > Discussion – the “Users must be registered and logged in to comment” setting]
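If you want those two boxes to stay unticked (and moderation to stay on) even if a plugin or another admin flips them back, the settings can be enforced in code. The following must-use plugin is an added example written for this post, not code from the original article or from WordPress itself; the `wdiy_` prefix and the drift-warning notice are its own inventions. It uses the real option names behind the two screenshots (`users_can_register`, `comment_registration`), the “Comment must be manually approved” option (`comment_moderation`), and, because of the real-world example above, also warns if the role handed to new accounts is able to publish posts.

```php
<?php
/**
 * Plugin Name: Comment registration hardening (added example, not from the original post)
 * Description: Forces "Anyone can register" and "Users must be registered and logged in
 *              to comment" off, forces manual comment moderation on, and warns an
 *              administrator when the values stored in the database drift from that.
 *
 * Install by copying into wp-content/mu-plugins/ so it cannot be deactivated from the
 * dashboard. The wdiy_ prefix is an assumption of this example.
 */

// Option name => value to enforce.
//   users_can_register   : "Anyone can register"                                -> 0 (off)
//   comment_registration : "Users must be registered and logged in to comment"  -> 0 (off)
//   comment_moderation   : "Comment must be manually approved"                  -> 1 (on)
function wdiy_enforced_options() {
    return array(
        'users_can_register'   => '0',
        'comment_registration' => '0',
        'comment_moderation'   => '1',
    );
}

// pre_option_{$option} short-circuits get_option(): any non-false return value is used
// instead of the stored one, so re-ticking the checkbox in the dashboard has no effect.
foreach ( wdiy_enforced_options() as $option => $value ) {
    add_filter( "pre_option_{$option}", function () use ( $value ) { return $value; } );
}

// Read the value actually saved in wp_options, bypassing the filters above, so the
// administrator can see that something changed the stored setting.
function wdiy_stored_option( $option ) {
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s LIMIT 1", $option )
    );
}

// Return human-readable findings; an empty array means stored values match the enforced ones
// and the default role for new registrations cannot publish.
function wdiy_registration_drift() {
    $findings = array();
    foreach ( wdiy_enforced_options() as $option => $wanted ) {
        $stored = (string) wdiy_stored_option( $option );
        if ( $stored !== $wanted ) {
            $findings[] = sprintf( '%s is stored as "%s" but is being enforced as "%s"', $option, $stored, $wanted );
        }
    }
    // The post's real-world example: a stranger who registered could publish a post.
    // Make sure the role new accounts receive has no publish_posts capability.
    $role = get_role( get_option( 'default_role' ) );
    if ( $role && $role->has_cap( 'publish_posts' ) ) {
        $findings[] = sprintf( 'default role "%s" is allowed to publish_posts', $role->name );
    }
    return $findings;
}

// Show the findings as a dashboard warning to users who can manage options.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $drift = wdiy_registration_drift();
    if ( empty( $drift ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Registration/comment settings need attention:</strong></p><ul>';
    foreach ( $drift as $line ) {
        echo '<li>' . esc_html( $line ) . '</li>';
    }
    echo '</ul></div>';
} );
```

The enforcement filters mean the site behaves safely immediately; the notice is there so you still find out that the stored setting was changed and can untick the box (or investigate which plugin ticked it) rather than silently relying on the override. Without this file installed, `wp option get users_can_register` and `wp option get comment_registration` from WP-CLI show the stored values, where `0` means the box is unticked.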


Author Andy W+

1 Comment

  1. Jannie

    That’s a great perception. Spambots are also upgrading so spam securities aren’t that effective anymore. So better not have a registration site. Just saying. Thanks anyway for sharing and posting!

    Edit by AW: link on name allowed (and kept). Advert removed.


Copyright © 2012-2024 Webstuff.Inblighty.Com