- \n
- Managing Firewall Rules in CF<\/a><\/li>\n<\/ul>\n<\/li>\n
- WAF Wisdom<\/a>\n
- \n
- The Best Hosts Have WAF(fles)<\/a><\/li>\n
- WAF Log<\/a><\/li>\n<\/ul>\n<\/li>\n
- Taking Control<\/a><\/li>\n<\/ul>\n
Let\u2019s take a look at how to put the squeeze on WordPress spam registrations.<\/p>\n
<\/a>Plugin Possibilities<\/h2>\n
![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/001-defender-plugin-banner-1050x351.png\")
Defender Plugin<\/figcaption><\/figure>\n Defender<\/a> is a deluxe\u2014and free\u2014WordPress security plugin that protects your site from a laundry list of malicious acts. Brute force attacks, SQL injections, cross-site scripting (XSS) and more don\u2019t stand a chance with this armory in place.<\/p>\n
It\u2019s also extremely effective at filtering out spam. In addition to using Google reCAPTCHA, Defender\u2019s Geolocation IP Lockout<\/strong><\/a> allows you to cut off registrations based on location and country\u2014very helpful if there is a known regional source of spambots.<\/p>\n
To use the IP Banning feature in Defender:<\/p>\n
- \n
- You\u2019ll first need to get an account with MaxMind <\/a>(it\u2019s free), to gain access to the GeoLite2 Database<\/em> (also free). Once your account is created and confirmed, generate a license key, then copy it for the next step.<\/li>\n
- From the WordPress Dashboard, navigate to Defender > Firewall > IP Banning<\/strong>, then scroll down to the Locations <\/strong>section.<\/li>\n
- Paste your key in the License key<\/strong> field, then click the Download <\/strong>button.(Wait 5-10 minutes for your license to fully activate, or you will likely get an invalid license key<\/em> error message.)<\/li>\n<\/ol>\n
Now you can click the field with the global icon, beneath Blocklist Banned countries<\/em> or Allowlist<\/em> Allowed countries,<\/em> and select those from the dropdowns that you want to ban or permit. (Your home country is added to the Allowlist <\/em>by default.)<\/p>\n
![\"IP](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/019-Defender-IP-banning-country-list-dropdown-1050x674.png\")
IP banning is a quick & effective method to block known spam sources.<\/figcaption><\/figure>\n There is yet another additional spam protection built into Defender: User Agent Banning<\/strong>. The User-Agent request header it is a string that is shared with a server when a request is made, to identify visitors browser application name and version, and the host operating system & language.<\/p>\n
To activate this feature from the WP Dashboard, head to Defender > Firewall > User Agent Banning<\/strong>, and click the blue Activate<\/strong> button. From here, you can add User Agents to the Blocklist<\/em> or Allowlist<\/em>, permanently preventing or permitting them access to your site. (By default, WPMU DEV includes several known bad user agents in the blocklist.)<\/p>\n
One last trick in Defender<\/strong>, for even more effective results. Scroll down to Empty Headers<\/strong>, and toggle the button on for Block IP addresses with empty Referrer and User-Agent headers<\/b> (it will go from gray to blue).\u00a0There are still a lot of bots that uses empty HTTP referrer, and these are almost always malicious, so it’s a good idea to enable it.<\/p>\n
![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/0001-defender-user-agent-banning-blocklist-1050x777.png\")
The User Agent allow & block lists in Defender are powerful allies in the fight against spam.<\/figcaption><\/figure>\n Your access logs are viewable at any time, here: Defender > Firewall > Logs.<\/strong> A point of clarification: If the same bot or user agent appears in both the allow and block lists, Allow<\/em> will always override Block<\/em>.<\/p>\n
There is also a Pro<\/a> version of this plugin, which adds more features, such as: white labeling 2FA, and best-in-class, real-time support.<\/p>\n
![\"Forminator](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/002-forminator-plugin-banner-1050x351.png\")
Forminator Plugin<\/figcaption><\/figure>\n Forminator<\/a> is a free, easy-to-use WordPress form builder plugin that protects your forms from spam at all times with your choice of Captcha (ReCAPTCHA or hCaptcha), plus<\/em> Honeypot, and Akismet integrations.<\/p>\n
Spammers know that the default WordPress registration page is \/register<\/em>, so it\u2019s an oft-used target. Forminator knows this, and puts smart tools in place to prevent spam from barreling through on registration pages.<\/p>\n
Enabling spam protections in Forminator is a breeze; check out this tutorial<\/a> for a complete walk-through.<\/p>\n
Forminator does much more<\/a> than put the kibosh on registration spam. It\u2019s a comprehensive form creator (contact forms, order forms, polls & quizzes, and payment options) that uses a smart drag and drop visual builder, making setup in WordPress a cinch.<\/p>\n
There is also a Pro<\/a> version, which adds an e-signature feature, along with premium, 24\/7 support.<\/p>\n
![\"Profile](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/003-profile-builder-plugin-banner-1050x354.png\")
Profile Builder Plugin<\/figcaption><\/figure>\n Profile Builder<\/a> is another free plugin which allows you to restrict content based on user role or logged in status.<\/p>\n
It uses invisible support for Google\u2019s reCAPTCHA for WordPress default forms, and content restrictions based on current user roles or logged in status.<\/p>\n
To customize registration form fields:<\/p>\n
- \n
- From the WP dashboard, navigate to Profile Builder<\/strong> > Form Fields<\/strong>.<\/li>\n
- From the uppermost Field <\/strong>row, click the dropdown for Select an option<\/em>; start typing reCAPTCHA <\/em>(it\u2019s under Advanced),<\/em> then select it.<\/li>\n<\/ol>\n
![\"Profile](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/004-profile-builder-settings-1-1050x536.png\")
Using search to access the reCAPTCHA settings in Profile Builder\u2019s form fields.<\/figcaption><\/figure>\n - \n
- Choose the reCAPTCHA<\/strong> you prefer from the dropdown menu.<\/li>\n
- Enter your API keys<\/strong> \u2013 Site <\/em>& Secret.<\/em><\/li>\n
- Check the desired options under Display on PB forms<\/strong> and Display on default WP forms<\/strong>.<\/li>\n
- Copy the shortcode <\/em>from the right sidebar menu that corresponds with your selection.<\/li>\n
- Paste the shortcode where you would like the custom form to be displayed on your site.<\/li>\n<\/ol>\n
![\"Profile](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/005-profile-builder-settings-2-1050x839.png\")
We\u2019ve chosen PB & Default WP Register here, so would use the shortcode [wppb-register]<\/em>.<\/figcaption><\/figure>There is a premium version as well, which offers extra user fields, custom redirects, advanced add-ons, as well as the ability to require admin approval for new registrations.<\/p>\n ![\"User](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/006-user-registration-plugin-banner-1050x353.png\")
User Registration Plugin<\/figcaption><\/figure>\n The User Registration<\/a> plugin is free, lightweight, and highly responsive. It offers spam protection with Google reCaptcha and <\/strong>Honeypot.<\/p>\n
When you install the User Registration <\/em>plugin, it will give you an option to automatically create a custom registration page, using this URL: yoursite.com\/registration<\/em>.<\/p>\n
You could also do one of the following:<\/p>\n
Require Admin Approval<\/p>\n
- \n
- Navigate to the General > General Options<\/em> tab on the plugin Dashboard.<\/li>\n
- From the User login<\/em> dropdown menu, select Admin approval after registration<\/em>.<\/li>\n<\/ol>\n
![\"Choosing](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/007-user-registration-settings-1-1050x523.png\")
Choosing the option for Admin approval after registration<\/em>.<\/figcaption><\/figure>\n Enable reCAPTCHA<\/p>\n
- \n
- Navigate to the Integration <\/em>tab on the plugin Dashboard.<\/li>\n
- Enter your API keys \u2013 Site Key<\/em> & Secret Key.<\/em><\/li>\n<\/ol>\n
![\"Site](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/008-user-registration-settings-2-1050x585.png\")
Site and secret key APIs are needed to use reCAPTCHA in the User Registration<\/em> plugin.<\/figcaption><\/figure>\n To enable reCAPTCHA on a specific registration form, you will need to edit that form and enable it from within.<\/p>\n
There is a premium version of User Registration<\/em> as well, which lets you integrate with WooCommerce, and adds the ability to import users.<\/p>\n
Next, we\u2019ll look at using Cloudflare in the fight against registration spam.<\/p>\n
<\/a>Cloudflare Capable<\/h2>\n
Cloudflare<\/a> is best known as a Content Delivery Network (CDN). Through its massive network of servers, Cloudflare helps speed up and protect websites from malicious attacks, while caching across 165+ data centers the world over to supercharge the performance of your website.<\/p>\n
By cutting off location\/country-based registrations from known bot sources, Cloudflare offers spam protection in two forms: IP Block<\/em>, and Firewall Rules<\/em>.<\/p>\n
Their IP Block<\/em> feature is only available under the Enterprise plan, which comes with an Enterprise-level ($$$) price.<\/p>\n
But worry not; Firewall Rules<\/em> can be used on any plan. Firewall Rules can block by location, IP address, user agent, and more. You\u2019re allowed up to five active Firewall Rules under the free plan, then progressively more as you go up in the paid tiers.<\/p>\n
Regardless of plan type, creating an account is required to partake in any of Cloudflare\u2019s features. You will also need to point your existing DNS servers<\/a> (aka, Nameservers) to the ones provided by Cloudflare. This provides a better browsing experience for your users, so there is additional value<\/a>.<\/p>\n
Once done, you can get to creating your Firewall rules, as follows.<\/p>\n
- \n
- Log in to your Cloudflare account.<\/li>\n
- Select one of your websites.<\/li>\n
- From the left sidebar menu, select Firewall Rules<\/strong>.<\/li>\n
- From the main page, click on the blue Create a Firewall rule<\/strong> button.<\/li>\n<\/ol>\n
![\"Cloudflare](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/009-CF-firewall-rules-01-1050x489.png\")
Cloudflare\u2019s free plan permits you to have up to five active Firewall rules.<\/figcaption><\/figure>\n - \n
- Enter a name in the Rule name<\/strong> text field.<\/li>\n
- Beneath When incoming requests match\u2026<\/strong>, select the desired options from the corresponding dropdown menus for Field<\/strong>, Operator<\/strong>, and Value<\/strong>.Optional<\/em>: add additional parameters to this rule by clicking the And \/<\/strong> Or <\/strong>buttons; then select the corresponding options in the resultant row.<\/li>\n
- The following row shows the Expression Preview,<\/strong> which is editable by clicking the Edit expression<\/strong> link above the open text field. (Action not required.)<\/li>\n
- From the dropdown menu under Then\u2026<\/strong>, choose an option.<\/li>\n
- Click on the Deploy <\/strong>button to save the rule.<\/li>\n<\/ol>\n
![\"Cloudflare](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/010-CF-firewall-rules-02-1050x903.png\")
Creating a rule in Cloudflare\u2019s Firewall settings.<\/figcaption><\/figure>\n IMPORTANT<\/strong>: Your rule isn\u2019t active yet. To make it so, you must return to your Firewall Rules<\/strong> list, and toggle the button ON (it goes from gray-with-an-X to green-with-a-check-mark).<\/p>\n
<\/a>Managing Firewall Rules in CF<\/h3>\n
At any time, you can Edit <\/em>a rule (click on the wrench button), Delete <\/em>it (click on the X button), or make it Inactive <\/em>(toggle the green-with-a-check-mark button, turning it to gray-with-an-X).<\/p>\n
You can also change the order of the rules by either clicking and dragging the up-down arrows at the far left of each rule row, or by clicking on the Ordering <\/strong>button.<\/p>\n
![\"Cloudflare](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/011-CF-firewall-rules-03-1050x420.png\")
Firewall Rules summary page in Cloudflare.<\/figcaption><\/figure>\n Curious what kind of activity any rule has had? Simply look at the Activity last 24 hr<\/strong> column on the Firewall rules<\/em> page.<\/p>\n
To add more Firewall rules, repeat the above process. Or, click here for more nitty gritty on Firewall rules in Cloudflare<\/a>.<\/p>\n
A quick sidebar on CDN\u2019s\u2026WPMU DEV also offers CDN in our managed hosting<\/a>, which integrates smoothly with Cloudflare (as well as our optimization plugins\u2014Smush<\/a> & Hummingbird<\/a>).<\/p>\n
It is important to note that it\u2019s best not to serve content from two different CDNs<\/a>, as it\u2019s sure to cause issues.<\/p>\n
With Cloudflare wrapped, that leaves us with one more solution in the war against spam registrations\u2026 the all-mighty WAF.<\/p>\n
<\/a>WAF Wisdom<\/h2>\n
A Web Application Firewall (WAF), is a security layer between end-users and applications. It inspects traffic coming from and returning to web applications, filtering all access between them.<\/p>\n
This differs from a standard firewall, which provides a barrier between external and internal network traffic. A network firewall protects a secured network from unauthorized access to prevent the risk of attacks and malicious bots. Its primary objective is to separate a secured zone from a less secure zone, and control communications between the two.<\/p>\n
In general, a firewall is deployed near the edge of a network, making it an effective barrier between known, trusted networks and unknown, possibly unsafe ones. Standard firewalls are designed to deny or permit access to networks, or deny access to specific areas (folders, websites, etc) without the proper credentials.<\/p>\n
WAFs complement standard network firewalls by protecting the application infrastructure and its users, focusing on HTTP\/HTTPS applications and servers to prevent threats like SQL Injection, DDOS attacks, and cross-site scripting attacks (XSS).<\/p>\n
WAFs not only passively monitor activity but also proactively shore up weaknesses in web applications. Because they constantly scan the vulnerabilities, WAFs often observe the weaknesses in the network and patch them, long before the user notices. The patch is a short term resolution that provides time to fix the issue and prevent potential breaches in the network.<\/p>\n
See this article for a deeper dive into WAFs<\/a>.<\/p>\n
Suffice it to say when it comes to filtering out spam registrations, WAFs shine.<\/p>\n
<\/a>The Best Hosts Have WAF(fles)<\/h3>\n
If you have a quality WordPress host, chances are good that they\u2019ve incorporated WAFs into their ecosystem.<\/p>\n
Here at WPMUDEV, WAFs are included in all of our hosting plans. Which means with a few clicks, you can put spam registration woes in your rear view mirror.<\/p>\n
One of our members had this to say about using our WAF to cut down on his spam registrations:<\/p>\n
\u201cAfter consulting with wpmudev support, I changed the page through which spam registrations were made on my site to be blocked by WAF, and to my surprise, the malicious bots have now taken to their heels! No more excitement seeing \u201c200 new visits\u201d, \u201c200 new leads\u201d only to discover they were spam sign ups.\u201d<\/p>\n
To show you how easy it is to get this feature locked and loaded, we\u2019ll do a quick walk-through of the WAF settings via our all-in-one dashboard, The Hub<\/a>.<\/p>\n
Navigate to The Hub<\/strong>, and click on the website you\u2019d like to manage.<\/p>\n
Click on the Security <\/strong>header tab, then under Firewall<\/strong>, click the gear icon for Hosted WAF<\/strong>.<\/p>\n
![\"Settings](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/012-hub-WAF-click-gear-icon-1050x380.png\")
Settings for WAF via The Hub\u2019s security tab.<\/figcaption><\/figure>\n Toggle the Protect Site<\/strong> button to ON <\/strong>(it will go from gray to blue).<\/p>\n
![\"One-click](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/013-waf-toggle-on.png\")
One-click switch protects your site with WAF.<\/figcaption><\/figure>\n This will bring up a selection of Allowlists <\/strong>and Blocklists<\/strong> for IPs<\/strong>, User Agents<\/strong>, URLs<\/strong>, and Disabled Rule IDs<\/strong>.<\/p>\n
![\"WAF](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/014-waf-manual-entries-1050x1275.png\")
You can customize rules to your heart’s content with the options in WAF.<\/figcaption><\/figure>\n You can set as many specific settings as you\u2019d like here, then click Save <\/strong>\u2013 or simply hit the gray Close <\/strong>button to apply our predefined rules.<\/p>\n
![\"WAF](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/015-waf-save-settings.png\")
Specify your settings before hitting Save, or apply the predefined rules with Close.<\/figcaption><\/figure>\n Once done, you can see in the summary view that the firewall is activated and protecting your site.<\/p>\n
![\"WAF](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/016-waf-summary-its-on-1050x557.png\")
WAF is active and on duty!<\/figcaption><\/figure>\n <\/a>WAF Log<\/h3>\n
We have a smart built-in feature in our WAF that records Rule ID\u2019s and errors, called (appropriately enough) \u2013 the WAF Log.<\/strong><\/p>\n
To view the log, select a site, then navigate to The Hub > Hosting > Logs > WAF Log<\/strong>.<\/p>\n
![\"WAF](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/017-WAF-log-1050x421.png\")
The WAF log reveals all to those who seek it.<\/figcaption><\/figure>\n Where attacks are coming from, what requests were blocked, and what rules those requests triggered, are all recorded here, readily providing the info needed to minimize false alarms.<\/p>\n
If you scroll to the bottom of the Allow & Block lists, you\u2019ll see Disable Rule IDs<\/strong>. Enter any Rule ID (from the log) that\u2019s causing problems, and boom\u2014it\u2019s immediately disabled.<\/p>\n
![\"Disabled](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/02\/018-disable-rule-ids.png\")
Put a stop to problematic attacks by putting them into the Disabled Rule Ids<\/em> field.<\/figcaption><\/figure>\n When active, the WPMU DEV WAF engages a forcefield (a custom set of rules) so attacks and malicious traffic are repelled before they can even hit.<\/p>\n
<\/a>Taking Control<\/h2>\n
Registration spam on your WordPress site can become an overwhelming annoyance. But you can lessen or even completely rid your site of it with a few simple maneuvers.<\/p>\n
One possibility is adding a dedicated WordPress registration plugin that requires additional steps (like CAPTCHA), or admin approval for new users. These can help, but aren\u2019t always the most efficient, as they seem to allow some creep through over time. If your traffic is light, it could suffice for you.<\/p>\n
Another choice is using Cloudflare, and creating Firewall rules specific to each spam registration type (IP or country of the source). The catch here will be if you have a paid plan, as free membership limits the number of these that you can have active at a time.<\/p>\n
Last but not least, is the option of using a strong and reliable WAF. If you Host with us, then you\u2019ve already got this powerhouse tool in your WordPress shed. (If you don\u2019t \u2013 signing up is quick and easy, and you can try us for free<\/a>, satisfaction unconditionally guaranteed!)<\/p>\n
A shout out to our member, Chris Chukwunyere from
- Beneath When incoming requests match\u2026<\/strong>, select the desired options from the corresponding dropdown menus for Field<\/strong>, Operator<\/strong>, and Value<\/strong>.Optional<\/em>: add additional parameters to this rule by clicking the And \/<\/strong> Or <\/strong>buttons; then select the corresponding options in the resultant row.<\/li>\n
- From the main page, click on the blue Create a Firewall rule<\/strong> button.<\/li>\n<\/ol>\n
- Enter your API keys \u2013 Site Key<\/em> & Secret Key.<\/em><\/li>\n<\/ol>\n
- From the User login<\/em> dropdown menu, select Admin approval after registration<\/em>.<\/li>\n<\/ol>\n
- Enter your API keys<\/strong> \u2013 Site <\/em>& Secret.<\/em><\/li>\n
- From the uppermost Field <\/strong>row, click the dropdown for Select an option<\/em>; start typing reCAPTCHA <\/em>(it\u2019s under Advanced),<\/em> then select it.<\/li>\n<\/ol>\n
- From the WordPress Dashboard, navigate to Defender > Firewall > IP Banning<\/strong>, then scroll down to the Locations <\/strong>section.<\/li>\n
- WAF Log<\/a><\/li>\n<\/ul>\n<\/li>\n
- WAF Wisdom<\/a>\n