Back when WordPress was just for blogs, spam users weren’t really a problem site owners had to combat. But as WordPress has expanded into membership, multi-user, BuddyPress, and all kinds of other sites with open registration, WordPress spam users have become an all-too-common problem for many site owners.
Spammers target WordPress registration forms to create bot accounts that spam links and/or try to inject malicious scripts. But guess what? With a little know-how, you can fight back against these nasty folks and rid your site of spam users once and for all.
In this post, I’ll take you through how to identify and delete existing spam users. Then, I’ll show you how to proactively prevent WordPress spam users once and for all.
Why WordPress Spam Users are a Problem
Spam users can hurt your site both internally and externally, which is why they’re such a nuisance.
On the internal side, spam users bloat up your database and just generally make it harder to manage your site. If you have to sift through hundreds of spam users to manage the real users, you’re going to waste a lot of time. Similarly, if your server has to store heaps of spam users in the database, it’s going to work less efficiently, too.
Spam users can hit you on the external side by posting spammy outbound links, which can hurt your site in the eyes of Google. If you’re running something like BuddyPress, spam users might even send private messages to legitimate users, which your real users certainly won’t appreciate.
So, end the spam user problem once and for all by learning how to identify, delete, and prevent WordPress spam users.
How to Identify and Delete Existing WordPress Spam Users
Once you implement prevention methods, you hopefully won’t need to do this very often. But if you’re just starting out, you’ll first need to identify (and then delete) any existing spam users.
If your spam problem isn’t too large, you might be able to do this manually by bulk deleting users who exhibit spam behavior. If you’ve got a real infestation, you’ll want to turn to a plugin that can automatically go through and detect spam users.
How to Bulk Delete WordPress Spam Users Manually
The simplest way to delete spam users is to just go through your Users tab and check the users you want to delete. Then, you can bulk delete them by choosing the Deleteoption from the Bulk Actions dropdown.
Of course, doing this with the default WordPress screen options is infuriating because it only shows 20 users per page. Thankfully, you can change this number by clicking on Screen Options in the top right corner of your WordPress dashboard:
Then, change the Number of items per page box to the number of user accounts you want to display on each page.
If clicking a couple hundred checkboxes doesn’t appeal to you, you can also automate some of this process by using a plugin called Bulk Delete.
Bulk Delete allows you to bulk delete users that meet criteria like:
- Specific User Roles
- Specific Meta fields
- Last login date
- Registration date
If spam users are thoroughly mixed in with real users, these criteria may not be especially helpful. But Bulk Delete is great for cleaning up a one-time attack where the spam accounts all registered on similar dates or eliminating old spam users who logged in once but haven’t been back since.
Identifying and Deleting Spam Users with a Plugin
If you have too many users to identify manually, you can turn to a plugin called SplogHunter (formerly known by the somewhat awkward name “WangGuard”) to automatically identify and remove spam users. I’ll also discuss the proactive prevention part of this plugin in the next section.
SplogHunter goes through your existing users and compares them against its database of sploggers/spam users. If there’s a match, SplogHunter will mark that user in a new “Splogger” column. You can then easily delete spam users after verifying they’re not real people:
SplogHunter also provides an easy Report as Splogger button that both deletes a user and adds them to SplogHunter’s centralized database (similar to how Akismet functions for comment spam).
Note – as you can see in the screenshot, there is still WangGuard branding in the most recent version of the plugin. Rest assured that SplogHunter and WangGuard are the same thing.
How to Prevent Spam User Registration on WordPress
Do you know the old saying “an ounce of prevention is worth a pound of cure”? That definitely applies to spam users on WordPress. If you stop them from registering in the first place, you won’t need to worry about identifying and removing them.
There are a number of ways you can block them:
- Fortify your sign up form with CAPTCHAs – this is my least favorite method because it requires real people to verify they’re not a robot, which isn’t good for user experience.
- Use a plugin that compares signups against a database of spam users – this is a better method because it doesn’t inconvenience real people. It just quietly blocks known spam users.
- Add access rules to prevent sploggers – if you notice that most spam users come from, say, .ru domains, you could create a rule that blocks anyone from using an .ru email to register.
Now, I’ll share some plugins that can help you implement one or more of these checks:
Captcha by BestWebSoft – Add CAPTCHAs to Registration Forms
If you want to require all your users to fill out a CAPTCHA before signing up, you can use Captcha by BestWebSoft to add a simple math equation to your forms. Again, I don’t think you should go straight to CAPTCHAs. But if you have a really bad spam problem, it’s a good way to knock out spam right away.
- Works on login, registration, recover password, comments, and contact forms
- Adds a simple math equation that fools spambots
- Allows users to get a new question if it’s too difficult
- Can configure the difficulty of the math questions
- Includes letter and number CAPTCHAs as well
Price: Free | More Information
SplogHunter – Automatically Flag Spammers Without CAPTCHA
In addition to filtering out existing spam users, SplogHunter can also protect your registration forms without requiring users to fill out a CAPTCHA. When users sign up, they will be automatically compared against SplogHunter’s crowd-sourced spam user database.
- Blocks spam sign ups without CAPTCHA
- Spammer database is constantly updated because it’s crowd-sourced like Akismet
- Works with WordPress,WordPress Multi-user, BuddyPress, and bbPress 2.0
- Can manually block specific domains from registering
Price: Free at the time of writing (there is talk of moving to a freemium model) | More Information
Note -you will need to obtain a free API key from WangGuard/SplogHunter to properly use the plugin.
WP-SpamShield Anti-Spam – Full-Service Anti-Spam
WP-SpamShield Anti-Spam is a highly-rated plugin that handles spam protection for every aspect of your site. Part of that includes your registration forms.
- Protects against registration spam as well as comment, pingback, and other forms of spam
- Doesn’t utilize CAPTCHA – no front-end impediments to users
- Works with BuddyPress, bbPress, WooCommerce, and a variety of other forms
Price: Free | More Information
WordPress spam users can be a real pain for anyone running a site with open registration. These bots can harass your real users, bloat your database, and damage your SEO with spammy outbound links.
But, if you implement the right protections, you can root out spam users and prevent them from even registering in the first place.
Before inconveniencing your human users with a CAPTCHA, you should try a plugin like SplogHunter or WP-SpamShield. If you still have a spam problem while using those plugins, then you might consider blocking specific domains that are spamming you or adding a CAPTCHA.