Over the last 6 months or so, I’ve been getting a few new user registrations on my WordPress blog every day or so. When I got a few on the same day, I got suspicious. So, I checked them out and found they were all suspicious.
The username caught my attention as I thought, “Why would anyone add numbers to their name when they don’t need to?” It’s not like I have a lot of users and all names have gone. I figured that they must have been automated.
I remembered that the default account on my site is a Subscriber and you can’t do anything harmful with that, so I just ignored the 20 or so that I had at that time. After a few months, I decided to do some housekeeping and checked on the user names. I deleted all that had the same pattern. The pattern was the name part of the email address (the bit before the @ symbol) together with 4 random numbers.
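The housekeeping check described above can be scripted. This is an added example, not part of the original post: it flags accounts whose username is the email local part plus exactly four digits, and separates Subscriber accounts from any that hold a higher role. The sample rows are constructed, the function names are hypothetical, and the column names assume a CSV export such as `wp user list --fields=ID,user_login,user_email,roles --format=csv`.

```python
import csv
import io
import re

# Constructed sample rows (assumed export format, not real accounts).
SAMPLE_CSV = """ID,user_login,user_email,roles
1,admin,owner@example.org,administrator
12,jsmith4821,jsmith@example.com,subscriber
13,mary.jones0073,mary.jones@example.net,subscriber
14,dave1984,david.k@example.com,subscriber
15,annlee,annlee@example.com,subscriber
16,bobt55921,bobt@example.com,subscriber
17,kwhite3310,kwhite@example.com,editor
"""

FOUR_DIGITS = re.compile(r"[0-9]{4}")


def matches_pattern(login, email):
    """True if login == <email local part> + exactly four ASCII digits."""
    local = email.partition("@")[0].lower()
    stem, suffix = login[:-4].lower(), login[-4:]
    return bool(local) and stem == local and FOUR_DIGITS.fullmatch(suffix) is not None


def classify_users(csv_text):
    """Split pattern matches into low-privilege accounts and ones needing review."""
    result = {"subscriber_only": [], "needs_review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not matches_pattern(row["user_login"], row["user_email"]):
            continue
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        # Anything beyond Subscriber could post or edit, so look at it by hand.
        bucket = "subscriber_only" if roles <= {"subscriber"} else "needs_review"
        result[bucket].append(row["user_login"])
    return result


if __name__ == "__main__":
    report = classify_users(SAMPLE_CSV)
    print("Matches with Subscriber role only:", report["subscriber_only"])
    print("Matches with a higher role:", report["needs_review"])
```
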
I don’t run a membership site (where login can make extra features/content available) and I don’t have a newsletter for anyone to subscribe to. I mistakenly thought that I needed to keep it enabled as I accept comments on my site. I use a plug-in for comments and that doesn’t require a user account so recently I turned it off.
This is easy to do in the WordPress Dashboard under “Settings” and “General”. You just uncheck “Membership – Anyone can register”.
The default registration page is the domain name followed by “/wp-login.php?action=register”.
Unless a site has a customised URL, you can visit that page on any WordPress site to see if registration has been disabled (as I have done with my site).
However, if you do need to have people register on your WordPress site there are plenty of plug-ins to do this safely without using the default functionality.
If you do allow comments without using a plug-in to manage them then you should probably require users to register and also you should probably moderate what they can do.
Those settings can be found in the WordPress Dashboard under “Settings” and “Discussion”.
I cannot think what malicious or fraudulent benefit this would give the perpetrator of these robot scripts, especially as the default setting on WordPress for registrations has the least permissions as Subscriber.
Obviously, if I had set it to Editor or Administrator as a default, they could have done some damage or added some SPAM. I guess whoever is writing these robot “form fillers” is doing it until they find something useful.