Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Hacker's bypassing new registration function

This topic contains 2 replies, has 3 voices. Last updated by  Cristián Lávaque 3 years, 7 months ago.

Posted: Tuesday Jun 4th, 2013 at 12:34 pm #51336

Starting this morning, I have had about 20 New User Registrations from bogus IP addresses and with fake e-mails. I allow anyone to register in S2, but it requires a captcha. I checked the form and the captcha is showing. I just added Google reCAPTCHA code; I don’t know if it will stop the problem.

Is there a way to force a user to opt-in by clicking a link in the email to confirm registration in S2Member Pro?

Thanks.

Posted: Tuesday Jun 4th, 2013 at 1:52 pm #51343

Hi Robert
That is kind of scary for this type of product. I guess we are still waiting for a status on our support tickets.

Posted: Thursday Jun 6th, 2013 at 3:21 am #51455

> Starting this morning, I have had about 20 New User Registrations from bogus IP addresses and with fake e-mails. I allow anyone to register in S2, but it requires a captcha. I checked the form and the captcha is showing.

There are services for spammers that hire people to enter captcha codes, so these aren’t always the ultimate solution. You may want to try other plugins that add features to stop spam registrations.

We haven’t done testing on these, so I can’t say which will work fine with s2Member or not, but you can test and see what works for you. If you let us know what you found useful, it’d be great because it’ll help others interested in this same thing.

It’s most likely that other plugins will work if you’re using the default registration page (even if customized) rather than the s2Member free registration pro-form, but if the plugin adds its checks server-side instead of the form itself, it may help with it too.

> Is there a way to force a user to opt-in by clicking a link in the email to confirm registration in S2Member Pro?

If you don’t allow custom passwords, the person will have to open his email to get the password to log in with. It won’t stop the registration, but will prevent some bots from then logging in. Dashboard -> s2Member® -> General Options -> Registration/Profile Fields -> Custom Passwords

This is an added way to help fight spam registrations, but there may be bots that check the New User email sent by WordPress to gain this access and then spam.

What you can do is customize your New User email so that the password is not obvious to a bot; the simple fact of it not being the default WordPress email would help (especially the password line). Dashboard -> s2Member® -> General Options -> Email Configuration -> New User

> That is kind of scary for this type of product.

This would not be a problem for paid registrations; the spammer is not going to bypass that if he didn’t pay, so you don’t need to worry about that. Robert is having this problem with free registrations, which would also be a problem without s2Member, unless he adds extra measures to prevent them.

This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.