Herself's Webtools

Scripts, HowTos, Templates, Plugins, Widgets, Tips and Useful Information

Wordpress plugin to prevent bot registrations

with 57 comments

**12/19/09 Two updates: 2.9 is a fix; 2.10 now redirects bots to your main page instead of an error page, so that search engine bots do not pick up the error page.

BadBehavior and WebProfessor both do a very good job of keeping bots from registering on your WordPress site. I wanted the control WebProfessor gave me and the automation BadBehavior gave me, but neither did both.

So here is a plugin to help keep bots from registering on your website. It will log all registration attempts and tell you why it bounced any bots.

You can blacklist domains, emails, and ips.

It will automatically block anyone whose IP shows up more than once, who is listed in Spamhaus, or whom you’ve blacklisted. If your hosting company allows ‘file_get_contents’ calls you can uncomment the StopForumSpam code and check their list as well.

Anyone pretending to be a browser but whose ‘accept’ line is wrong will also get bounced.

screenshot of bot blocker plugin

Download

See also:
Part 2 of 3: WordPress Security Plugin to block scrapers, hackers and more
Part 3 of 3: WordPress plugin tells you which files have been altered recently

Written by timestocome

June 2nd, 2008 at 5:00 am

Posted in security, tools, wordpress

57 Responses to 'Wordpress plugin to prevent bot registrations'


  1. Hello.
    Nice idea.
    Problem : under “Manage” page / Registration logs : [Table 'db207329036.wp_ttc_user_registration_log' doesn't exist]
    SELECT ip, email, problem, accept, agent, date_format( day, ‘%M %d %Y %H:%i:%s’) AS time_stamp FROM wp_ttc_user_registration_log ORDER BY time_stamp DESC LIMIT 25

    Seems your plugin does not create the MySQL table during activation.

    Gilles

    2 Jun 08 at 4:18 pm

  2. It should have created it the first time you ran it or any time the plugin couldn’t find it.

    Let me play around a bit more. What version of WP are you using?

    ljmacphee

    2 Jun 08 at 5:54 pm

  3. I see the problem – minor fix, I just have to swap the order of two lines.

    One quick test run and will upload fix to here and WP in about 10 minutes.

    OK fixed copies at WP and here – you should see version 1.1 if you download it.

    Thanks for letting me know about the problem!

    ljmacphee

    2 Jun 08 at 6:03 pm

  4. All perfect :)
    Thank you.

    Gilles

    3 Jun 08 at 12:01 am

  5. Just thought I’d let you know. I installed all three of your security plugins and activated them all at once. I got the problem same as above, re the db table. I deactivated the plugin, then reactivated it, and everything is now fine.

    Oh, and I’m running WP 2.5.1, if it makes a difference.

    Thanks for these plugins. I’ll be installing them on all client sites. You’ve also been blogged.

    bj

    25 Jun 08 at 3:09 pm

  6. You are welcome. It has been a big help on my sites.

    One person has reported her server has been blacklisting itself. I’ve added a check for that and am testing. No one else has reported that, but a fix will be uploaded Thur or Fri or sooner if I’m happy with this afternoon’s testing.

    It will also delete log entries > 7 days to keep from filling up the table.

    Will check the other problem; it may be that the 3 activations tripped over each other.

    Be sure to check the blacklisted bot and request lists. I’m posting new trouble makers as I find them in my log files.

    ljmacphee

    25 Jun 08 at 4:25 pm

  7. Had to manually remove some coding from the email blacklist window, now it *seems* to work, but is blocking legitimate registrations which somehow appear to be bots.

    Any chance of making a whitelist?

    Caroline

    25 Jun 08 at 11:42 pm

  8. I’ve had no false positives on the email – can you tell me what it blocked and what you removed and what happened so I might fix it.

    I’ve had a few that look suspicious get in, but had no problems w/ any of them so perhaps they are humans.

    I can do a white list and comment out the code. However, if you just remove any emails from the blacklist that should fix your problem without you ever having to go into the code. ( Unless of course you like to go play in the code, I understand that. )

    White listing will give far more false positives which is why I only use them in extreme circumstances.

    Please send more information.

    ljmacphee

    26 Jun 08 at 7:01 am

  9. Hi

    just installed your plugins to try and keep the spam bots at bay – not a huge problem but annoying.

    Wondered if you had considered a WhiteList IP table. When I try and test the plugins I get into all sorts of muddle with multiple registrations from same IP
    and some of our users may come via a cache

    thanks for the code :-)
    site

    lithos

    10 Jul 08 at 11:00 am

  10. Each list requires a database call. So adding a white list will add another db call and slow things down ever so slightly. The trick is to keep things lean and still block bad guys.

    To allow multiple registrations from the same ip remove the following code ( lines 199->214 )

    // check for multiple registrations from same ip address
    if ( $blacklisted == 0 ){
        $registration_table = $wpdb->prefix . "ttc_user_registration_log";
        $sql = "SELECT ip FROM $registration_table";
        $already_registered = $wpdb->get_results( $sql );
        foreach ( $already_registered as $duplicate_ip ){
            $dup_ip = $duplicate_ip->ip;
            if ( strcasecmp( $http_remote_addr, $dup_ip ) == 0 ){
                $blacklisted = 17;
            }
        }
    }

    This will be one less thing to check and speed things up rather than add in something to slow it down.

    So if all you want is to allow multiple registrations from same ip number that is the better choice.

    Is there another reason you’d like a white list? I am trying to keep code lean and fast.

    ljmacphee

    10 Jul 08 at 12:06 pm

  11. Hi, thanks for the reply, I saw that code and thought about commenting it but then thought a whitelist would be more flexible and not a huge overhead as it’s likely to be a very small table and only one call per visit to the registration page. We do have a tiny site though and I imagine a huge one with many many registrations per day might, I guess, suffer.

    I am assuming (without looking!) that this code only gets called when someone tries to register rather than logging in or any other access/page in which case a small (must be tiny) extra check would be unnoticeable especially as people have to wait for an email to arrive before they can login!

    I might just hard code my IP in for testing and then comment it/them out so I don’t disable the functionality for real spam bots

    ps a clear log button on the admin page would be nice as the only way I can see to do it is to talk to the db ?

    thanks for your time.

    cheers

    lithos

    10 Jul 08 at 12:37 pm

  12. This code does only get called during registrations.

    The log auto-purges every 8 days.
    $sql = "DELETE FROM $registration_log_table_name WHERE day < (CURRENT_DATE - INTERVAL 8 DAY )";
    ~line 369

    You can set that down to a higher or lower number.

    Add the ip check after spamhaus function
    near line 266

    something like this:
    if ( $blacklisted > 0 ){
        if ( $http_remote_addr == "127.0.0.1" ){
            $blacklisted = 0;
        }
    }

    replace 127.0.0.1 with your current ip.

    ljmacphee

    10 Jul 08 at 2:00 pm

  13. Hi really appreciate your replies and patience :-)

    thinking about the whitelist idea it can be done using just one call to the database by replacing the current

    (lines 203 ish)
    $sql = "SELECT ip FROM $registration_table";

    with

    // sorry for poor formatting
    $sql = "SELECT ip FROM $registration_table WHERE NOT EXISTS (SELECT wl_ip FROM $whitelist_table WHERE $registration_table.ip = $whitelist_table.wl_ip);";

    which won’t take any longer in real terms

    lithos

    11 Jul 08 at 5:15 am

  14. But if your white list is small and doesn’t change often just add it to the if statement above. No db call at all that way.

    If it will grow and change then just create a new table – cut and paste code from another of the tables and change the name from black list to white list.

    Then in same spot as if statement above – check only if blacklist > 0 that will save some calls and do an ip match just like the blacklist ip table.

    You should be able to cut and paste most of the code.

    ljmacphee

    11 Jul 08 at 4:28 pm
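
Added example (not part of the thread and not the plugin's code): the duplicate-IP check from comment 10 done as one parameterized lookup, with a small hard-coded whitelist consulted before any query, as comment 14 suggests. The function name, the whitelist array and the sample rows are hypothetical, and an in-memory SQLite database reached through PDO stands in for `$wpdb` so the sketch runs without WordPress; only the duplicate-IP reason is exempted here, not the other blacklist checks.

```php
<?php
// Added example, not the plugin's code. PDO + in-memory SQLite stand in for $wpdb.

const TTC_OK           = 0;
const TTC_DUPLICATE_IP = 17; // value the snippet in comment 10 assigns for a repeated IP

/**
 * @param string[] $whitelist hypothetical hard-coded list of trusted addresses
 */
function ttc_duplicate_ip_status( PDO $db, string $table, string $ip, array $whitelist ): int {
    // Whitelisted addresses return before any database call is made.
    if ( in_array( $ip, $whitelist, true ) ) {
        return TTC_OK;
    }
    // A table name cannot be a bound parameter, so restrict it to identifier characters.
    if ( preg_match( '/^[A-Za-z0-9_]+$/', $table ) !== 1 ) {
        throw new InvalidArgumentException( 'unexpected table name' );
    }
    // One indexed lookup instead of fetching every logged IP and looping in PHP.
    $stmt = $db->prepare( "SELECT 1 FROM $table WHERE ip = :ip LIMIT 1" );
    $stmt->execute( array( ':ip' => $ip ) );

    return $stmt->fetchColumn() === false ? TTC_OK : TTC_DUPLICATE_IP;
}

// Constructed sample data: two earlier registration attempts in the log table.
$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$table = 'wp_ttc_user_registration_log';
$db->exec( "CREATE TABLE $table ( ip TEXT, email TEXT )" );
$db->exec( "CREATE INDEX idx_log_ip ON $table ( ip )" );
$db->exec( "INSERT INTO $table ( ip, email ) VALUES ( '203.0.113.7', 'first@example.com' )" );
$db->exec( "INSERT INTO $table ( ip, email ) VALUES ( '198.51.100.9', 'tester@example.com' )" );

$whitelist = array( '198.51.100.9' ); // e.g. the site owner's own test address

// Seen before, seen before but whitelisted, never seen.
foreach ( array( '203.0.113.7', '198.51.100.9', '192.0.2.44' ) as $ip ) {
    printf( "%-14s => %d\n", $ip, ttc_duplicate_ip_status( $db, $table, $ip, $whitelist ) );
}
```

Inside WordPress the same query would go through `$wpdb->prepare()` and `$wpdb->get_var()`.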

  15. This is great, but can we also use it for normal registration? (email-blacklist).

    Because in WordPress 2.6 the plugin “registration_blacklist” doesn’t work any more
    http://web-professor.net/wp/2007/01/14/new-wordpress-plugin-ban-email-domains-from-user-registration/

    Trelas

    22 Sep 08 at 6:45 am

  16. Yes, you can use it to blacklist emails and ip numbers from registering.

    ljmacphee

    22 Sep 08 at 9:05 am

  17. But the blacklist doesn’t work for me for normal registration. (Only for bots?)

    Trelas

    24 Sep 08 at 3:40 pm

  18. I’m confused I’m not sure what you mean by it doesn’t work for normal registration.

    If someone with a user name, ip or domain that you have blacklisted tries to register they won’t be able to do so.

    Please give me specific information, I’m not understanding you.

    ljmacphee

    24 Sep 08 at 5:07 pm

  19. Sorry, my English is not so good.
    E.g. I have @mailinator.net on the blacklist.
    And tested; this doesn’t work for me.

    A User can register with this Mail Domain and will not be blocked.

    Trelas

    25 Sep 08 at 5:31 am

  20. I just tried adding @mailinator.net to my blacklist and it did ban me.

    1) Be sure you have added @mailinator.net to your email blacklist – not one of the security blacklists.

    2) You can drop the @ and just use mailinator.net. But I used it with the @ and it worked for me.

    3) You have a link to the WebProfessor’s email black list. Are you using his email blacklist or mine? If you are using the WebProfessor’s blacklist you’ll need to contact him for help. My plugin is the TimesToCome Stop Bot Registration plugin. ( but we all want to stop bots, so whatever one you use is fine with me, you’ll just need to contact him about support )

    Or you have to help me with more information. If you are also using the security plugin and have your ip white listed, it might let you through but not other ip numbers that try to register.

    ljmacphee

    25 Sep 08 at 8:34 am

  21. Thank you very much, the problem is resolved.
    I must write the Mail Addy without @

    This works:
    bugmenot.com
    == result ==
    Banned: Blacklisted email extension

    This does not work:
    @bugmenot.com
    == result ==
    Registered: No known problems

    THX
    Trelas

    Trelas

    25 Sep 08 at 9:25 am
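
Added example (not part of the thread and not the plugin's matching code): a blacklist matcher that treats `@bugmenot.com` and `bugmenot.com` as the same entry, so the difference reported in comments 19 to 21 cannot arise. Function names and the sample list are hypothetical; the matcher also accepts full addresses as entries and matches domains on a dot boundary rather than by substring.

```php
<?php
// Added example, not the plugin's code. Names and sample data are constructed.

/** Lower-case, trim, and drop a leading "@" so both spellings of a domain entry are equal. */
function ttc_normalize_entry( string $entry ): string {
    return ltrim( strtolower( trim( $entry ) ), '@' );
}

/** Return true when $email matches a full-address entry or a domain entry. */
function ttc_email_is_blacklisted( string $email, array $entries ): bool {
    $email = strtolower( trim( $email ) );
    $at    = strrpos( $email, '@' );
    if ( $at === false || $at === 0 || $at === strlen( $email ) - 1 ) {
        return false; // not a usable address; leave rejection to normal validation
    }
    $domain = substr( $email, $at + 1 );

    foreach ( $entries as $raw ) {
        $entry = ttc_normalize_entry( $raw );
        if ( $entry === '' ) {
            continue; // a blank line in the list must not match every address
        }
        if ( strpos( $entry, '@' ) !== false ) {
            // Entry is a complete address: exact match only.
            if ( $entry === $email ) {
                return true;
            }
            continue;
        }
        // Entry is a domain: match it exactly or as the parent of a subdomain.
        // The leading dot keeps "mail.ru" from matching "notmail.ru".
        $suffix = '.' . $entry;
        if ( $domain === $entry || substr( $domain, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Constructed blacklist, written the way it might be typed into the admin box.
$blacklist = array( '@bugmenot.com', 'mail.ru', 'Spammer@Example.org', '' );

$addresses = array(
    'a@bugmenot.com',      // domain entry typed with a leading @
    'b@mx.mail.ru',        // subdomain of a listed domain
    'c@notmail.ru',        // only looks similar to a listed domain
    'spammer@example.org', // full-address entry, different case
    'friend@example.org',  // same domain as a listed address, not listed itself
);

foreach ( $addresses as $address ) {
    printf( "%-22s %s\n", $address,
        ttc_email_is_blacklisted( $address, $blacklist ) ? 'Banned' : 'Registered' );
}
```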

  22. Travis Hamera emailed a fix so that you can use curl to check the forumspam black list:

    // check forumspam
    if ( $blacklisted == 0 ){
        //$check = file_get_contents ( "http://www.stopforumspam.com/api?email=$new_user" );

        //Initialize the Curl session
        $ch = curl_init();
        $StopForumSpam = "http://www.stopforumspam.com/api?email=$new_user";

        //Set curl to return the data instead of printing it to the browser.
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        //Set the URL
        curl_setopt($ch, CURLOPT_URL, $StopForumSpam);

        //Execute the fetch
        $check = curl_exec($ch);

        //Close the connection
        curl_close($ch);

        $test = "yes";
        if ( strpos( $check, $test) > 0 ) {
            $blacklisted = 13;
        }
    }

    ljmacphee

    3 Nov 08 at 9:02 am

  23. Linda,
    I upgraded to 2.7 and I can’t find how to manage the banned ips and emails any more. I occasionally need to unban people who register twice.
    - Bruce Silver

    brucesilver

    12 Dec 08 at 1:45 pm

  24. It’s under ‘Tools’ in the left hand sidebar on your dashboard page.

    ljmacphee

    12 Dec 08 at 2:20 pm

  25. Hi, this is a great plugin. I did get a bug though:

    New user registration fails – WordPress database error Data too long for column ‘accept’ at row 1 for query INSERT INTO wpofftopic_ttc_user_registration_log ( ip, email, problem, accept, agent, day ) VALUES ( ‘10.200.192.85′, ‘blah@example.com’, ‘0′, ‘image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, */*’, ‘Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; MS-RTC LM 8)’, NOW() ) made by ttc_add_to_log

    the fix i used is to alter the table column ‘accept’ into text.

    will this bug be fixed any time soon?

    thank you,
    Barce

    barce

    23 Dec 08 at 8:11 pm

  26. This is the first I’ve heard of that error, I haven’t seen it on any of my sites.

    Are you getting lots of entries with more than 255 chars in the accept statement? I can probably just do a char count and truncate the accept statement which should take care of any such accepts in the future.

    I’ll look into this tomorrow when I’m more awake. But it looks like a fairly simple fix to do. Will post back here as soon as I’ve tested it and uploaded a fix to WP and here.

    ljmacphee

    23 Dec 08 at 10:04 pm

  27. Update pushed out, let me know if anything else comes up.

    ljmacphee

    24 Dec 08 at 11:39 am

  28. Is this WP 2.7 compatible or not?

    Thanks,
    Tony

    Shackbase

    20 Jan 09 at 4:53 pm

  29. Yes, I updated it so the logs are easier to read under 2.7. I’m using it on this blog.

    ljmacphee

    20 Jan 09 at 5:43 pm

  30. I installed it on 2.7 and there were no errors so I assumed it was working but I cannot find the admin section.

    The readme says it should be listed under manage. ?

    Thank you for the quick reply,
    –Tone

    Shackbase

    21 Jan 09 at 3:38 am

  31. Sorry, I keep forgetting WP moved everything in 2.7.

    Go into your Dashboard; down the left hand column is a section ‘Tools’. Open up Tools and you’ll see an entry for ‘Registration Logs’. Click on that to see your log files.

    ljmacphee

    21 Jan 09 at 6:35 am

  32. Thank you kindly… there it was. :)

    We are working on launching WP Views (www.wpviews.com) – I will write an article and link to this great plugin.

    Shackbase

    21 Jan 09 at 8:11 am

  33. Thx. That’s a great beginning for your website, I love the layout.

    ljmacphee

    21 Jan 09 at 10:53 am

  34. I put this in my php file (in place of the file get version there of) and it doesn’t seem to block.

    // check forumspam
    if ( $blacklisted == 0 ){
    //Initialize the Curl session
    $ch = curl_init();
    $StopForumSpam = "http://www.stopforumspam.com/api?email=$new_user";
    //Set curl to return the data instead of printing it to the browser.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    //Set the URL
    curl_setopt($ch, CURLOPT_URL, $StopForumSpam);
    //Execute the fetch
    $check = curl_exec($ch);
    //Close the connection
    curl_close($ch);
    $test = "yes";
    if ( strpos( $check, $test) > 0 ) {
    $blacklisted = 13;
    }
    }

    Ipstenu

    12 Mar 09 at 12:53 pm

  35. Actually it doesn’t look like it works at all on wp 2.7.1

    I blocked mail.ru and @mail.ru but I can still register as @mail.ru :/

    Ipstenu

    12 Mar 09 at 1:23 pm

  36. It’s working on 2.7.1. I have it installed on 8 sites and there are logs showing banned bots for ip/email/and other reasons. I also know several people besides me who are running it successfully on 2.7.1.

    Your forum spam code looks fine, I can’t see anything wrong, but I haven’t used curl in a very long time. No one I’ve been hosted with lately supports it.

    Echo out the url $StopForumSpam, and $check and see if they look ok to you. My guess is something will appear off when you do.

    If Forum Spam has changed and returns yes without the appears tag you’ll have to stick a char in front of the string before checking. Null and string beginning at zero both return the same in PHP.

    ljmacphee

    12 Mar 09 at 3:32 pm
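
Added example (not part of the thread and not the plugin's code): the `strpos( ... ) > 0` test from the curl snippet beside a stricter reading of the reply, run over constructed response bodies so the offset-zero case described in comment 36 is visible. Function names are hypothetical, and the sample XML is an assumption based on the `appears` tag the comment mentions; the URL is the one used in the thread.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

/** Build the lookup URL; urlencode() stops '+' or '&' in the address from altering the query. */
function sfs_lookup_url( string $email ): string {
    return 'http://www.stopforumspam.com/api?email=' . urlencode( $email );
}

/** Fetch the response body, or false on any transport failure (not called by the demo below). */
function sfs_fetch( string $url ) {
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, 3 ); // do not hang the registration page
    curl_setopt( $ch, CURLOPT_TIMEOUT, 5 );
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body;
}

/** The check as posted in the thread: a match at offset 0 and no match both fail "> 0". */
function sfs_listed_loose( $body ): bool {
    return strpos( (string) $body, 'yes' ) > 0;
}

/** Returns true (listed), false (not listed) or null (no usable answer). */
function sfs_listed_strict( $body ): ?bool {
    if ( ! is_string( $body ) || trim( $body ) === '' ) {
        return null; // curl_exec() failed or returned nothing
    }
    // Read the answer from the appears element only, not from "yes" anywhere in the body.
    if ( preg_match( '~<appears>\s*(yes|no)\s*</appears>~i', $body, $m ) === 1 ) {
        return strtolower( $m[1] ) === 'yes';
    }
    // Hypothetical bare reply without the appears tag, the case raised in comment 36.
    $plain = strtolower( trim( $body ) );
    if ( $plain === 'yes' || $plain === 'no' ) {
        return $plain === 'yes';
    }
    return null; // unexpected format, e.g. an HTML error page
}

// Constructed response bodies; no network access is needed to run the comparison.
$samples = array(
    'listed'       => '<response success="true"><type>email</type><appears>yes</appears></response>',
    'not listed'   => '<response success="true"><type>email</type><appears>no</appears></response>',
    'bare yes'     => 'yes',
    'error page'   => '<html><body>Sorry, yes, we are down</body></html>',
    'fetch failed' => false,
);

echo sfs_lookup_url( 'a+b&c@example.com' ), "\n";
foreach ( $samples as $label => $body ) {
    printf( "%-12s loose=%-5s strict=%s\n", $label,
        var_export( sfs_listed_loose( $body ), true ),
        var_export( sfs_listed_strict( $body ), true ) );
}
```

Whether a `null` result admits or bounces the registration is a policy choice for the site owner; the posted snippet effectively admits it.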

  37. Tried that and it still won’t prevent ‘blocked’ email addresses from signing up. I even reverted back to the stock plugin. No errors on the screen, no errors in my raw error log on the server. It’s just … nothing.

    Ipstenu

    14 Mar 09 at 9:12 pm

  38. What version of the plugin are you using? 2.7 was released at Christmas time with a typo, 2.8 was fixed about a week later.

    2.8 does work, thousands of people are using it on 2.7.1. Download and try a clean copy if you are using the current version and still having troubles.

    ljmacphee

    15 Mar 09 at 8:26 am

  39. Oooy! I figured out the conflict.

    I was using a customization of the login page that magically re-routed all the registrations AWAY from this. I’ve removed that and it’s working.

    Ipstenu

    15 Mar 09 at 4:50 pm

  40. ETA: I told the other guy about the conflict. I suspect it’s his end, not yours, but it’s basically the custom login via the Theme Hybrid pages.

    Ipstenu

    15 Mar 09 at 4:51 pm

  41. There is not an end in a conflict, it takes at least two. It is impossible for all the developers and theme writers to discuss every project. We’d never get any coding done.

    Glad you have things working, I’m not familiar with his/her work but I suspect a work around won’t be difficult once you pin down the actual bit of code causing the conflict.

    If you need any help hacking my plugin, let me know, I’ll be glad to help and strongly encourage improvements and hacks on all my plugins.

    ljmacphee

    15 Mar 09 at 6:40 pm

  42. Hi, I just wanted to express my satisfaction with this tool. I had 5-10 users being created a week that I would go in and delete manually, and your tool has shown me what it has blocked. I am eternally grateful for this extremely useful plugin. Please visit my webpage, randombeats.com, as a small token of my appreciation. Hopefully you will find something you like. Thanks!

    karld

    16 Mar 09 at 9:31 pm

  43. You’re welcome!

    That’s a nice website, best wishes for success with it.

    ljmacphee

    17 Mar 09 at 5:18 am

  44. True! (about ‘ends’). But as I couldn’t do all of what I wanted with the other tool, I’m going to use this one and find a better plugin to customize/brand my login pages :)

    The curl usage for stopforumspam.com is working fine now :)

    Ipstenu

    19 Mar 09 at 11:46 am

  45. Glad it’s all working for you now. Let’s just hope the bots remain dumb so it’ll continue to be easy to trap them.

    ljmacphee

    19 Mar 09 at 5:11 pm

  46. In ttc_user_registration.php you should add the “IGNORE” keyword to your “INSERT INTO”s.

    Example:


    "INSERT IGNORE INTO " . $blacklist_table_name . " ( blacklisted ) VALUES ( '$email' )"

    This prevents errors/warnings like:

    WordPress database error Duplicate entry ‘NN.NN.NN.NN’ for key 1 for query INSERT INTO blog_ttc_ip_blacklist ( ip ) VALUES ( ‘NN.NN.NN.NN’ ) made by require, require_once, require_once, require_once, do_action, call_user_func_array, ttc_security, ttc_add_to_security_blacklist

    Ciao!

    docwhat

    22 Mar 09 at 11:08 am

  47. Linda:

    What license are your scripts released under? I was thinking of making some changes and cleanups.

    I would be happy to contribute it back to you, of course.

    docwhat

    22 Mar 09 at 11:12 am

  48. All WP plugins are GPL’d; I think the About page here lists the MIT license, which is less restrictive.

    Absolutely. Please improve them, I wrote all the scripts on this site because I needed them and couldn’t find them already written.

    I put them up in case others needed them to use, or just as a starting point for their own scripts.

    Feel free to use them, just give credit where it’s due, keep the source open, and if you find a way to get rich on them you should buy me lunch.

    ljmacphee

    22 Mar 09 at 12:34 pm

  49. So after a week I really dig this, but I have suggestions:

    The Registration Logs page is going to get pretty long after a while. Would it be possible to make them as a tabbed view?

    Tab 1 (default) for configuration
    Tab 2 for successful sign ups
    Tab 3 for unsuccessful ones
    Tab 4 for all logs (for people who want to see it all)

    Also it would be nice if it didn’t automatically add IP AND email to the blacklist. But I can’t sort out the funky logic you’d need for that to work. I’d want to say ‘Block the email, but if the same IP tries to register with a different email, block that too!’

    Ipstenu

    1 Apr 09 at 9:07 am

  50. It already does block further registration attempts from a blacklisted ip number.

    I’m not sure about making tabs work consistently inside of WP. However sorting and pulling only specific type requests isn’t difficult to do in mysql. The difficulty is making it work with WP. I think links that pull only a specific error number from the log files would be the easiest method.

    Instead of pulling all of them
    SELECT ip, email, problem, accept, agent, date_format( day, '%M %d %Y %H:%i:%s') AS time_stamp FROM $registration_log_table_name ORDER BY day DESC LIMIT $log_count

    you could just pull ones
    where problem='1'
    or whatever particular problem you wish to pull.

    Let me think about it, but I’ve a couple busy weeks scheduled here – you might also check with docwhat who is working on his own improved version of the plugin, perhaps he can add it in quicker than I can get to it?

    ljmacphee

    1 Apr 09 at 9:35 am

  51. Hello!

    This looks like the perfect plugin for my needs, but I do have a question.

    After activating, the following text appeared in my user blacklist email box. Is this the dreaded “uncreated database” error? What should I do?

    SELECT blacklisted FROM wp_ttc_user_registration_blacklist ORDER BY blacklisted

    WordPress database error: [Table 'NonProBlogs.wp_ttc_user_registration_blacklist' doesn't exist]

    Thanks!
    NonProBlogs

    NonProductive

    13 Apr 09 at 1:22 pm

  52. That’s the first I’ve heard of that error.

    I think it is the NonProBlogs. in front of the wp_… that is confusing it.

    The database is there, that is where all your WP data is stored. The plugin is only creating tables in the database.

    How technical are you? Tables can be created in phpMyAdmin see lines 81-125 for the information.

    If you are not technical don’t do it.

    Other option is to hard code the variable $wpdb in the code, but I need to look at and find the places where you need to change it.

    Sorry it’s just a really busy couple of months here. Will try to look at it soon.

    ljmacphee

    13 Apr 09 at 4:54 pm

  53. I’m afraid I’ve come to find that this plugin is TOO sensitive.

    Example: Jane signs up to my blog but goofs her email (janedoe132@gmail.com instead of janedoe123@gmail.com). She realizes this and tries to sign up as janedoe123 BUT her IP is tagged as already being registered and WHAM she’s banned.

    This is bad.

    I have few spammers that get past Bad-Behavior, so really I just need a way to list emails and ips that are bad (like with comment moderation, only make it for registration). Or a way to flag a user as ‘banned’.

    So … yeah. I like the plugin, but I need to find a less strict fix :(

    Ipstenu

    28 Apr 09 at 11:36 am

  54. docwhat ( above ) said he wasn’t going to do a rewrite – see if he’ll help you.

    ljmacphee

    28 Apr 09 at 12:41 pm

  55. I’ve actually started my own plugin (2/3rds done) which snags the emails from your comment blacklist and bans them from registering.

    I’ve got to add in a check for Stop Forum Spam in there now, but you gave me great ideas :) Thank you.

    Ipstenu

    30 Apr 09 at 11:52 am

  56. Cool!

    Be sure to come back here and post a link to it when you’re done.

    Checking Stop Forum Spam is tricky since many WP users are on hosts that don’t allow curl and other such tools. If you figure out a one size fits all solution I’d love to see it.

    ljmacphee

    30 Apr 09 at 12:22 pm

  57. I can’t get the new version – I’ve downloaded a couple of times, cleared cache, tried another browser etc, but I’m still getting v1.8 not 2.8

    digitaltoast

    7 Jun 09 at 3:15 am
