How to control user registration and prevent SPAM (with examples)

Registration is the first point of spam, and preventing spam registrations from new users will save your WordPress site from further link and signature spamming.

You may find that you get lots of new user registrations. Most of them will be from fake users who simply submit the registration form on your site using an invalid email address.

Shield's User Management module offers an email validation method for testing the email addresses of new user registrations. It also allows you to choose how you want Shield to respond when someone tries to register on your site with an invalid email address.

To apply this method, you'll just need to go to the User Management module > User Registration and set the following options:

  • Validate Email Addresses
  • Email Validation Checks

Validate Email Addresses option 

This option is designed to help you validate email addresses when a user attempts to register. You can decide how you want Shield to respond when an invalid email address is detected. You can choose to:

  • Log Only

    Lets you see the activity of the user registration with an invalid email address on the activity log before applying any offense or blocks to this user.

  • Increment Offense Counter

    Puts another black mark against an IP. As always with the offense system, once the limit is reached for an IP address, it is blocked from registering and accessing the site.

  • Immediate Block and Kill

    Connection is killed and Shield immediately marks that IP as blocked.

You can also choose to disable the registration email verification method, based on your needs.

Email Validation Checks option

This option is used for selecting the properties that should be tested during email address validation. The properties available are as follows:

  • Email Address Syntax

    This test will determine whether an email is structured correctly. The chances of this being a problem are slim, and WordPress already checks this.

  • Domain Name Resolves

    This test will examine the domain name section of the email address, i.e. everything after the @ sign. This will check that the domain name exists and resolves to a valid IP address. There is no good reason that a normal user will register with your website using a domain name that doesn't exist.

    • Domain Is Registered - whether the domain is actually registered
    • Domain Resolve To IP - does domain have an IP

  • Domain MX

    This takes the domain name test a step further. Assuming the domain name exists from the previous test, we then check MX records. MX records are found in the DNS records for a domain and they indicate which email servers should be contacted when attempting to deliver to addresses/mailboxes on that domain. If a domain does not have MX records, then it never intends to actually receive any email. This might be valid in some circumstances, but it's not typical for a user registering normally on a WordPress site (unless they've broken their DNS configuration).

  • Disposable Email Service

    Temporary email addresses, which would indicate a fake/spam user.

You may read more about this here and what improvements we made

There are 2 important points to note here:

  • Each test is carried out in succession and relies on the one before it completing. So when you select an entry, any entries above that entry in the list will also have to be selected.
  • The purpose of the detection service is to weed out domains that appear to be holding domains for spam email addresses.

    For example, if you go to: it doesn't work. There is no DNS A record for that. One of the most basic checks is for a DNS A record. So the email filter service is working exactly like that.

    There is no way to definitively test all email addresses. If your legitimate registered users are getting blocked, we recommend setting it to "increment offense counter". This way, if you have a bad actor that registers with spam email repeatedly, along with other activities, eventually they'll get blocked, but you won't completely block legitimate users.
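The succession of checks and the three responses described above, as an added example that is not Shield's own code. DNS lookups are replaced by a constructed table so it runs offline; the domain names, the offense limit of 3 and the function names are assumptions.

```python
import re

# Constructed sample data standing in for live DNS lookups (documentation-range IPs).
SAMPLE_DNS = {
    "example.com": {"A": ["192.0.2.10"], "MX": ["mail.example.com"]},
    "no-mx.example": {"A": ["192.0.2.20"], "MX": []},
    "tempmail.example": {"A": ["192.0.2.30"], "MX": ["mx.tempmail.example"]},
}
DISPOSABLE = {"tempmail.example"}                  # constructed blocklist
CHECKS = ["syntax", "domain", "mx", "disposable"]  # order used on this page

def failed_check(email, deepest, dns=SAMPLE_DNS):
    """Run the checks in order up to `deepest`; return the first failure or None."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", email)
    domain = m.group(1).lower() if m else None
    tests = {
        "syntax": lambda: m is not None,
        "domain": lambda: bool(dns.get(domain, {}).get("A")),
        "mx": lambda: bool(dns.get(domain, {}).get("MX")),
        "disposable": lambda: domain not in DISPOSABLE,
    }
    # Selecting a check implies every check above it in the list.
    for name in CHECKS[: CHECKS.index(deepest) + 1]:
        if not tests[name]():
            return name
    return None

def handle_registration(email, ip, mode, deepest, offenses, log, limit=3):
    """Return (registered, ip_blocked) for one attempt; `limit` is an assumed value."""
    if offenses.get(ip, 0) >= limit:         # IP already blocked: refused outright
        return False, True
    reason = failed_check(email, deepest)
    if reason is None:
        return True, False
    log.append((ip, email, reason))          # this sketch logs in every mode
    if mode == "log_only":
        return True, False
    if mode == "block":                      # immediate block and kill
        offenses[ip] = limit
        return False, True
    offenses[ip] = offenses.get(ip, 0) + 1   # increment offense counter
    return True, offenses[ip] >= limit
```
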

Now, we're going to show you how to use the email validation method in order to control user registration and prevent SPAM.

Example 1: Log Only

You have the following settings

  • Validate Email Address: Log Only
  • Email Validation Check: Disposable Email Service

User attempts to register with a disposable email address '':

User will get the message that their registration is completed:

This user will be registered but not trigger the Shield offense. However, you'll be aware of this activity. Your Activity Log will show this:

Example 2: Increment Offense Counter

You have the following settings

  • Validate Email Address: Increment Offense Counter
  • Email Validation Check: Domain Name Resolves

User attempts to login with this email address '': This isn't a known/registered domain. 

This user will manage to register. However, the offense counter will increment by 1 and their IP will be moved to the block list. 

The Activity Log will show this:

Once the limit is reached for their IP address, it is blocked from accessing the site. 

Example 3: Immediate Block and Kill

User will not manage to register with an invalid/SPAM email address at all. Their connection will be killed...

... and their IP will be blocked immediately

Example 4: Disabled

All users will be able to register with invalid/SPAM email addresses freely. There will be no restrictions whatsoever. You'll only see this activity in your activity log, and there is no way for you to know whether this is a legit user or a fake one.

Important: You can disable the registration email verification method, but we highly recommend keeping it activated. This will considerably reduce the registration spam compared to providing immediate access.

To learn more about blocking WordPress SPAM user registrations, read the blog article here.

Note: ShieldPRO is required for the SPAM User Registration feature. To find out what the extra ShieldPRO features are and how to purchase, please follow this link here.