Required Custom field not enforced

I have been getting a lot of “bad” registrations that appear to be bypassing the S2Member registration page altogether as I have required fields that should be filled out as well as Capture installed. Any ideas?

My site is http://retrieverlife.com

Thanks,

Toni

Hi Toni.

Thanks for reporting that.

I managed to bypass the required custom fields by disabling JavaScript in my browser. This works because s2Member only checks for this browser site.

I hope that helps understand what happened with those users. They either bypassed them on purpose, or have a browser with no JavaScript support, or are accounts created by scripts/bots.

Jason is adding server side validation of the profile fields and it will be available in a few weeks. No exact date for it, though.

That makes sense. It’s weird that I am getting a flurry all of the sudden. I had this issue a while back and then it went away when I stopped allowing people to make up their own passwords during the registration process. I didn’t get a bad registration for months and now in the last few weeks I get at least three or four bad registrations a day.

Hopefully this gets fixed soon. Thanks for looking into this.

Thanks,

Toni

This is starting to be a major problem. I am getting 3-5 new invalid members a day right now. This concerns me as a security issue for the plug-in.

Anthony, are these real users registering like that? Like, do they leave real comments or do they seem like spammers?

I find it very odd that so many real users would be registering without JavaScript in their browsers…

Not sure how mobile browsers handle JavaScript, I don’t have a device to test it. If you do, could you try registering without filling out those required fields?

Can you find out from some of those users that didn’t fill out the fields, how they registered?

This concerns me as a security issue for the plug-in.

It’s not really a security issue, it doesn’t put anything at risk. It’s just a weakness the current s2Member has in the field requirement setting. We have this solved server-side in the new version being developed.

Ok cool! Thanks for the update.

No problem. :)

I am still getting 3-5 spam users per day going around the JavaScript. It seems I did not fully answer your question Cristian. These users appear to be auto generated spam users.

Ah, got it. Thanks for confirming it.

You can try other human verification techniques, maybe, SI Captcha seems to not be enough for you. There are several plugins for that, and it’s possible that many of them won’t conflict with s2Member. http://wordpress.org/extend/plugins/search.php?q=spam+registration

They won’t work in pro-forms, but the spammers wouldn’t look for those, they’d go for the default registration form. http://retrieverlife.com/wp-login.php?action=register

Having said that, one thing you could try is creating a custom registration page using the pro-forms and with htaccess redirect there anyone that loads the default registration. If it’s a bot, it won’t know how to work that form, since it’s not the default one.

I hope that helps. :)