Securing WordPress User Registration
Protect WordPress registration from spam bots and malicious users with CAPTCHA, email verification, and moderation.
Open registration attracts spam bots and potential attackers. No single control is sufficient on its own; layering the measures below raises the cost of automated abuse while keeping sign-up usable for legitimate users.
Registration Security Risks
Common Attacks
- Automated bot registrations
- Spam account creation
- User enumeration through "username/email already exists" error messages
- Injection through unvalidated registration form fields
- Privilege escalation attempts (for example, abusing a too-permissive "New User Default Role" setting)
CAPTCHA Implementation
Google reCAPTCHA v3
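// Add reCAPTCHA to registration
add_action('register_form', 'wpfs_registration_captcha');
/**
 * Output the reCAPTCHA v3 markup on the registration form.
 *
 * The three echo statements on this page had their HTML stripped; the markup
 * is rebuilt around what the server-side verifier reads: a hidden field named
 * `recaptcha_token`, filled by grecaptcha.execute(). The action name passed to
 * execute() ("register") must match whatever the verifier expects.
 * SITE_KEY is the public site key; the secret key never belongs in the page.
 */
function wpfs_registration_captcha() {
    $site_key = 'SITE_KEY'; // public key; pair with the secret used by the siteverify call
    echo '<input type="hidden" name="recaptcha_token" id="wpfs_recaptcha_token" value="">';
    echo '<script src="' . esc_url('https://www.google.com/recaptcha/api.js?render=' . rawurlencode($site_key)) . '"></script>';
    // wp_json_encode() turns the key into a safe JS string literal.
    echo '<script>grecaptcha.ready(function(){grecaptcha.execute(' . wp_json_encode($site_key) . ',{action:"register"}).then(function(t){document.getElementById("wpfs_recaptcha_token").value=t;});});</script>';
}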
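// Verify CAPTCHA
add_filter('registration_errors', 'wpfs_verify_registration_captcha', 10, 3);
/**
 * Server-side reCAPTCHA v3 check for the registration form.
 *
 * @param WP_Error $errors Accumulated registration errors.
 * @param string   $login  Sanitized requested username (unused).
 * @param string   $email  Requested email address (unused).
 * @return WP_Error $errors, with 'captcha_error' added when the check fails.
 *
 * Fails closed: a missing secret or token, a transport error, a non-200 reply,
 * an unparseable body, a mismatched action name, or a low score all reject the
 * registration. The secret lives in wp-config.php (WPFS_RECAPTCHA_SECRET), not
 * in version-controlled code. Hostname checking is left to the "verify the
 * origin of solutions" option in the reCAPTCHA admin console.
 */
function wpfs_verify_registration_captcha($errors, $login, $email) {
    $secret = defined('WPFS_RECAPTCHA_SECRET') ? (string) WPFS_RECAPTCHA_SECRET : '';
    $token = isset($_POST['recaptcha_token']) && is_string($_POST['recaptcha_token'])
        ? sanitize_text_field(wp_unslash($_POST['recaptcha_token']))
        : '';
    if ($secret === '' || $token === '') {
        $errors->add('captcha_error', 'CAPTCHA verification failed');
        return $errors;
    }
    $response = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', array(
        'body' => array(
            'secret' => $secret,
            'response' => $token,
            // Lets Google correlate the token with the submitting client.
            'remoteip' => isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '',
        ),
    ));
    // A failed HTTP call must not be treated as a passed CAPTCHA.
    if (is_wp_error($response) || 200 !== (int) wp_remote_retrieve_response_code($response)) {
        $errors->add('captcha_error', 'CAPTCHA verification failed');
        return $errors;
    }
    $result = json_decode(wp_remote_retrieve_body($response), true);
    // 0.5 is Google's suggested starting threshold; tune per site via the filter.
    $threshold = (float) apply_filters('wpfs_recaptcha_min_score', 0.5);
    $passed = is_array($result)
        && !empty($result['success'])
        && isset($result['score'], $result['action'])
        && $result['action'] === 'register' // must equal the action given to grecaptcha.execute()
        && (float) $result['score'] >= $threshold;
    if (!$passed) {
        $errors->add('captcha_error', 'CAPTCHA verification failed');
    }
    return $errors;
}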
Email Verification
Require Email Confirmation
The handler for the `verify_email` link is not shown on this page. It must load the user from the `user` parameter, compare the submitted token against the stored value with `hash_equals()` (never `==`), reject expired tokens, and only then set `email_verified`; without it the login gate below is incomplete.
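// Set new users as pending
add_action('user_register', 'wpfs_set_pending_user');
/**
 * Mark a newly created account as unverified and email a one-time verification link.
 *
 * @param int $user_id ID of the account just created.
 *
 * Only a SHA-256 hash of the token is stored, so reading wp_usermeta (SQL
 * injection, leaked backup) does not yield usable verification links. The
 * handler for the `verify_email` link is not on this page; it must hash the
 * submitted token the same way, compare with hash_equals(), check
 * email_verification_expires, and then set email_verified to '1'.
 * NOTE: user_register also fires for accounts created by an admin or via
 * WP-CLI/REST, which will be held until they verify as well.
 */
function wpfs_set_pending_user($user_id) {
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    // wp_generate_password() draws from wp_rand(), which is CSPRNG-backed.
    $token = wp_generate_password(32, false);
    update_user_meta($user_id, 'email_verification_token', hash('sha256', $token));
    update_user_meta($user_id, 'email_verification_expires', time() + DAY_IN_SECONDS);
    // Store '0' rather than false: a false meta value ends up as an empty string.
    update_user_meta($user_id, 'email_verified', '0');
    $verify_url = add_query_arg(array(
        'action' => 'verify_email',
        'token' => $token,
        'user' => $user_id,
    ), home_url());
    $sent = wp_mail(
        $user->user_email,
        'Verify Your Email',
        'Click to verify: ' . $verify_url
    );
    if (!$sent) {
        // The account is now locked until verified; make the delivery failure visible.
        error_log(sprintf('wpfs: verification email for user %d could not be sent', $user_id));
    }
}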
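// Block unverified users
add_filter('authenticate', 'wpfs_check_email_verified', 30, 3);
/**
 * Refuse login for accounts whose email address has not been verified.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate filters.
 * @param string                $username Submitted username (unused).
 * @param string                $password Submitted password (unused).
 * @return WP_User|WP_Error|null
 *
 * Priority 30 places this after core's credential checks, so a WP_User here
 * has already been authenticated. A null (nothing authenticated yet) is passed
 * through untouched instead of dereferencing $user->ID on null.
 */
function wpfs_check_email_verified($user, $username, $password) {
    if (!($user instanceof WP_User)) {
        return $user;
    }
    // Accounts created before this check have no flag at all; enforce only
    // where the flag was written, so existing users (including admins) are not locked out.
    if (!metadata_exists('user', $user->ID, 'email_verified')) {
        return $user;
    }
    if (!get_user_meta($user->ID, 'email_verified', true)) {
        return new WP_Error('unverified', 'Please verify your email first');
    }
    return $user;
}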
Strong Password Requirements
Enforce Password Strength
Note: the stock wp-login.php registration form has no password field (WordPress emails a set-password link instead), so a server-side `user_pass` check only has something to validate if you add a password field to the form.
// Client-side indicator
add_action('register_form', 'wpfs_password_strength_meter');
/**
 * Enqueue core's password-strength-meter script on the registration form.
 * Purely advisory for the user; the registration_errors filter is what enforces policy.
 */
function wpfs_password_strength_meter() {
    $handle = 'password-strength-meter';
    wp_enqueue_script($handle);
}
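// Server-side validation
add_filter('registration_errors', 'wpfs_validate_password_strength', 10, 3);
/**
 * Enforce a minimum password policy on a custom registration password field.
 *
 * @param WP_Error $errors Accumulated registration errors.
 * @param string   $login  Sanitized requested username (unused).
 * @param string   $email  Requested email address (unused).
 * @return WP_Error
 *
 * The stock registration form posts no `user_pass` (WordPress emails a
 * set-password link), so the check runs only when the field was submitted;
 * validating an absent field would fail every registration on the length rule.
 * Passwords chosen later through the emailed set-password flow are not covered here.
 */
function wpfs_validate_password_strength($errors, $login, $email) {
    if (!isset($_POST['user_pass'])) {
        return $errors;
    }
    // WP adds slashes to $_POST; strip them so a quote or backslash does not
    // inflate the measured length. A non-string (user_pass[]=...) is rejected.
    $password = wp_unslash($_POST['user_pass']);
    if (!is_string($password)) {
        $errors->add('weak_password', 'Password must be at least 12 characters');
        return $errors;
    }
    // Count characters, not bytes: strlen() would accept four 3-byte characters as twelve.
    if (mb_strlen($password) < 12) {
        $errors->add('weak_password', 'Password must be at least 12 characters');
    }
    if (!preg_match('/[A-Z]/', $password) ||
        !preg_match('/[a-z]/', $password) ||
        !preg_match('/[0-9]/', $password)) {
        $errors->add('weak_password', 'Password must include uppercase, lowercase, and numbers');
    }
    return $errors;
}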
Rate Limiting
Limit Registration Attempts
Keying on `REMOTE_ADDR` only works when PHP sees the real client address. Behind a CDN or reverse proxy every visitor shares the proxy's IP, so take the client address from the header your proxy sets (and that only it can set) rather than trusting a client-supplied `X-Forwarded-For`.
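add_action('register_post', 'wpfs_rate_limit_registration');
/**
 * Cap registration submissions per client IP at 5 per hour.
 *
 * Every submission counts, valid or not, and the cap is answered with HTTP 429
 * rather than a 200 so clients and monitoring can tell it apart from a normal
 * page. Transient get/set is not atomic, so a burst may slightly overshoot.
 * REMOTE_ADDR is the proxy's address behind a CDN/reverse proxy, in which case
 * all visitors share one bucket; substitute the proxy-set client header there.
 */
function wpfs_rate_limit_registration() {
    $limit = 5;
    $window = HOUR_IN_SECONDS;
    $ip = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    // md5 keeps the key short and free of the ':' in IPv6 addresses.
    $transient_key = 'reg_attempts_' . md5($ip);
    $attempts = (int) get_transient($transient_key);
    if ($attempts >= $limit) {
        if (!headers_sent()) {
            header('Retry-After: ' . $window); // upper bound; the counter expires within the window
        }
        wp_die(
            'Too many registration attempts. Try again later.',
            'Too Many Requests',
            array('response' => 429)
        );
    }
    set_transient($transient_key, $attempts + 1, $window);
}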
Admin Approval
Manual User Approval
WordPress has no built-in `pending` role: register it with no capabilities via `add_role()` before assigning it, and approve an account by changing its role on the Users screen.
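// Set new users to pending role
add_action('user_register', 'wpfs_set_pending_role');
/**
 * Put self-registered accounts into a capability-less 'pending' role and notify the admin.
 *
 * @param int $user_id ID of the account just created.
 *
 * user_register also fires when an administrator creates an account in
 * wp-admin or over REST/WP-CLI; those are skipped so admins are not asked to
 * approve their own work. 'pending' is not a core role, so it is registered
 * with no capabilities if missing (roles persist in the database, so this
 * normally happens once). Approval = changing the role on the Users screen.
 */
function wpfs_set_pending_role($user_id) {
    if (current_user_can('create_users')) {
        return;
    }
    if (!get_role('pending')) {
        add_role('pending', 'Pending Approval', array());
    }
    $user = new WP_User($user_id);
    $user->set_role('pending');
    wp_mail(
        get_option('admin_email'),
        'New User Pending Approval',
        'A new user requires approval: ' . admin_url('users.php')
    );
}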
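// Block pending users
add_filter('authenticate', 'wpfs_block_pending_users', 30, 3);
/**
 * Refuse login for accounts still in the 'pending' approval role.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate filters.
 * @param string                $username Submitted username (unused).
 * @param string                $password Submitted password (unused).
 * @return WP_User|WP_Error|null
 *
 * A null (nothing authenticated yet) is passed through rather than
 * dereferencing $user->roles on null; a WP_Error is passed through unchanged.
 */
function wpfs_block_pending_users($user, $username, $password) {
    if (!($user instanceof WP_User)) {
        return $user;
    }
    if (in_array('pending', (array) $user->roles, true)) {
        return new WP_Error('pending', 'Your account is pending approval');
    }
    return $user;
}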
Honeypot Fields
Trap Bots
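// Add hidden field
add_action('register_form', 'wpfs_honeypot_field');
/**
 * Render the honeypot input that the registration_errors check inspects.
 *
 * The echo on this page lost its markup; it is rebuilt around the field name
 * the checker reads (`website_url`). The field is moved off-screen with inline
 * CSS rather than type="hidden", since many bots fill every text input but
 * skip hidden ones. tabindex="-1" and autocomplete="off" keep keyboard users
 * and browser autofill from populating it by accident.
 */
function wpfs_honeypot_field() {
    echo '<div style="position:absolute;left:-9999px;top:-9999px;" aria-hidden="true">';
    echo '<label for="wpfs_website_url">Website</label>';
    echo '<input type="text" name="website_url" id="wpfs_website_url" value="" tabindex="-1" autocomplete="off">';
    echo '</div>';
}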
// Check honeypot: registered on registration_errors at priority 10 with the
// three filter arguments (the WP_Error collector, the sanitized login, the email).
add_filter('registration_errors', 'wpfs_check_honeypot', 10, 3);
/**
 * Reject the registration when the honeypot field carries any value.
 *
 * @param WP_Error $errors Accumulated registration errors.
 * @param string   $login  Sanitized requested username (unused).
 * @param string   $email  Requested email address (unused).
 * @return WP_Error $errors, with a 'honeypot' entry added when the trap was filled.
 *
 * A human never sees the field, so a non-empty value marks a bot. The error
 * text is deliberately generic so the trap is not advertised.
 */
function wpfs_check_honeypot($errors, $login, $email) {
    $trap_value = isset($_POST['website_url']) ? $_POST['website_url'] : '';
    if (empty($trap_value)) {
        return $errors;
    }
    $errors->add('honeypot', 'Registration failed');
    return $errors;
}
Disable Registration
// If registration not needed
// Settings > General > uncheck "Anyone can register"
// Or via code: force the option to "off" at read time, so it cannot be
// switched back on from the settings screen while this line is in place.
// Only the single-site users_can_register option is covered; on Multisite the
// network "registration" site option governs sign-ups separately — verify
// against your network settings.
add_filter('option_users_can_register', '__return_false');
Conclusion
Secure registration combines CAPTCHA, email verification, strong passwords, and rate limiting. For sensitive sites, add admin approval. Disable registration entirely if not needed. Keep the reCAPTCHA secret key out of version-controlled code, and remember that `user_register` also fires for accounts created by administrators and over REST/WP-CLI, so verification and approval hooks should account for that.
Written by Sarah Chen
WP Folder Shield Team