• Resolved Rene Morozowich

    (@renemorozowich)


    I have one membership level that’s protected with a v2 Recaptcha. It seems like what’s happening (and I’ve tested this) is that fake users are signing up with a bogus credit card number. The payment fails, but the user is still created and people can log in. It’s been a lot of spam to deal with.

    Is there a way to NOT create the user if the payment fails?


Viewing 15 replies - 1 through 15 (of 21 total)
  • I am also seeing a lot of fake accounts.

    Although one did manage to subscribe!

    I have not yet even launched my page, so they are clearly just looking for the URL.

    I have added a T&C page to see if that slows down the attempted spammers.

    Maybe sending an email and getting them to confirm their email address before taking the payment and making them members? This would halt any with fake emails.

    Plugin Support Kim White

    (@kimwhite)

    Hello @renemorozowich,

    I’m sorry your site is having this problem. With the update to PMPro 2.10, WordPress users will now be created before payments are charged at checkout. This is to prevent the more serious issue of paid users not getting an account created.

    To help avoid spam set up, there are a few steps you can take.

    @renemorozowich I will be presenting a full list of settings for the benefit of @isdoo; I understand you have reCAPTCHA enabled. @isdoo, your issue sounds different than the original ticket. If the below information is not helpful, please begin your own thread. Thank you.

    The first two settings we recommend to help prevent spam are enabling reCAPTCHA and Spam Protection. Both of these settings can be found by navigating to Memberships > Settings > Advanced and scrolling to the Checkout Settings section. We have additional documentation available here as well: https://www.paidmembershipspro.com/protect-membership-site-spam-abuse-using-recaptcha/. While we offer both options, we do recommend using reCAPTCHA 3.

    We also offer the Akismet Integration for Spam Protection, which can be downloaded for free here: https://www.paidmembershipspro.com/add-ons/pmpro-akismet/. This plugin integrates the Akismet Plugin with Paid Memberships Pro checkouts to protect your membership site’s checkout process from spam.

    We have an article on our site that discusses preventing fraudulent activity on your site, specifically by comparing the current user’s IP address to the billing address of the card that they are trying to use: https://www.paidmembershipspro.com/prevent-card-fraud-ip-address-billing-country/. If this is, in fact, fraudulent activity, adding that code to your site may help to prevent it from occurring or at least make it more difficult.

    I hope this information is helpful in preventing spam signups on your site.

    Kim W

    @kimwhite no I believe mine is the same.

    I have V3 installed for captcha.

    It is a shame that you allow spammers to register and then take them to payments.

    If you even had an option to verify their email it would delete several – I am seeing clearly fake email addresses used. This would bounce on a simple email verification.

    For genuine people it would also ensure that they did not enter an incorrect email address.

    If your paid version has this, then I will upgrade.

    If not then I have to question the use of the product, sadly.

    Same problem here. Thousands of bot accounts being created to the point that it brought our entire server down and it had to be restored from backup.

    I’ve never, ever had a problem where paid users don’t get an account created and if they did they’d simply contact us via the site and we’d sort it out manually.

    What on earth is going on ?!?

    Plugin Author Jason Coleman

    (@strangerstudios)

    Hi, everyone. I am very sorry for the issues this update has caused. In hindsight, we should have given more warning of the upcoming change, so folks had time to adjust to the change. We’re working hard now to release updates and documentation to help mitigate the downsides of this change.

    There is no way to reverse this change. PMPro will always create users before payments now. There are many reasons for this. Kim White shared some above. We have many planned updates to the checkout experience and how we integrate with gateways, that will depend on the WP user being created before the payment step. I’m working on a blog post that goes into more detail, but the bottom line is that this change is here to stay and there’s no easy way to opt out with PMPro. (@isdoo I think most other WP membership plugins work this way already, but feel free to try them out and see if they are a better fit.)

    RE the spam issue, Google Recaptcha v3 and our Spam Protection setting go a long way toward stopping this. If you have the Spam Protection on, you may notice up to 10 spam users from the same IP address and then it stops as the protection clamps down on that IP.

    We are pretty conservative about how quickly we lock folks out, because this code doesn’t differentiate between someone who just entered the wrong number vs someone who is testing fake credit cards, but you can “tighten” the protection by setting a couple constants in your wp-config.

    https://gist.github.com/ideadude/f64ce8aaa3b0a0579034082144cc2220

    We are also fast tracking our Akismet integration to release it as soon as possible. Feel free to use the version Kim linked to on GitHub in the meantime. It won’t change much. The plugin basically integrates with the Akismet API and blocks checkout and user registration if Akismet thinks the email and other data indicates spam.

    We are also working on a setting in PMPro which will delete users who never completed checkout after some time, say 24 hours or 7 days. It should be a setting. This is taking some time to develop and test. We want to make sure that this script does not delete valid users who fail PMPro checkout then do something else on your site (via a form or WooCommerce or BuddyPress) where you wouldn’t want their data deleted.

    You also should be making sure that your site is set up so that users do not have the same access members do. These users who fail at checkout do not receive a membership level. Require a membership level to view content. Update your integrations to sync on level change instead of user creation.

    Folks are encouraged to consider our Email Confirmation and Approvals Add Ons, which can be used to have further control over user access after checkout.

    These add ons can be configured so that while users are still created and can login, they won’t have access to member content until they are approved or confirm their email. Also remember that even these premium add ons are available for free on GitHub from our official repositories.

    Stay tuned to the updates RE pmpro-akismet and the abandoned user/cart cleanup script. And if you let me know about specific issues coming up from this change, we can figure out how to address those together.

    Sorry again. Thanks for your understanding and patience.

    • This reply was modified 1 year, 11 months ago by Jason Coleman.

    Thanks for the reply.

    It is a shame that the two additional security basics to verify and try and keep the site without spammers cost up to $397 a year!

    Even the email confirmation costs $247 a year!

    I believe that the Akismet is also another paid add on.

    I have no idea about the repository you mentioned or how to use – so that isn’t any use.

    Given the changes perhaps you should offer at least the email confirmation to us. This is included in another system that I tried and should be standard imho.

    Bearing in mind that I have not even launched my membership yet, and therefore the page isn’t linked these are all bots searching for the software link.

    Can we change the URL to join? That would certainly help massively.

    Your software is not cheap, but to flood new sites with hundreds of potential spammers isn’t a good way to demonstrate that it is good.

    I tried another popular product. I wasn’t keen on how it worked for my site, but at least it did email verification as standard without charging.

    Whilst the system might be here to stay, please consider us your potential paid customers.

    Plugin Author Jason Coleman

    (@strangerstudios)

    Update: The pmpro-akismet plugin is available now. It is free. It, along with our spam protection feature, goes a long way toward preventing spam users at checkout. You can find it on our site here: https://www.paidmembershipspro.com/add-ons/pmpro-akismet/

    You can also find it and our other plugins for free on GitHub: https://github.com/orgs/strangerstudios/repositories

    @isdoo Find the repositories there, look for “Releases” in the right sidebar, click on those and download the zip files from there.

    We are working on the code to automatically delete abandoned checkout users after some time. The current plan is to include this in a v2.11 core PMPro release that may be out next month. We’re building and testing.

    Hi – I appreciate the work you’re doing with this. Unfortunately Akismet requires a paid subscription for a commercial site. This is based on the number of API calls (max 40,000/month for their base plan). I’ll give it a try but obviously if we exceed the 40,000 bot accounts per month then we’ll need to re-visit. We had 22,000 over a few weeks.

    I’m hoping Akismet would negate the need for Radar in Stripe if the API calls are limited at source. Especially since Stripe charge per event.

    If you could also add something to allow us to tweak the Spam Protection settings that would be great.

    E.g. Block IPs from checkout if there are more than X failures within Y minutes.

    Thanks again for taking this seriously.
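The "more than X failures within Y minutes" rule requested above, together with the trade-off Jason Coleman describes between a mistyped card and card testing, sketched as an added example (this is not Paid Memberships Pro code). The class name, the distinct-card signal and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2023, 2, 1, 10, 0, 0)
# Constructed sample data: (time, client IP, card fingerprint, outcome).
# 203.0.113.7 tries six different cards in one minute (card testing);
# 198.51.100.20 mistypes the same card three times, then pays with another.
SAMPLE_EVENTS = sorted(
    [(T0 + timedelta(seconds=10 * i), "203.0.113.7", f"card-{i}", "failed") for i in range(6)]
    + [(T0 + timedelta(minutes=i), "198.51.100.20", "card-A", "failed") for i in range(3)]
    + [(T0 + timedelta(minutes=3), "198.51.100.20", "card-B", "paid")]
)

class CheckoutThrottle:
    """Refuse checkout for an IP with too many recent failures (hypothetical helper)."""

    def __init__(self, max_failures, window_minutes, max_distinct_cards=None):
        self.max_failures = max_failures                # X
        self.window = timedelta(minutes=window_minutes)  # Y
        self.max_distinct_cards = max_distinct_cards     # optional second signal
        self.failures = defaultdict(deque)               # ip -> deque of (time, card)

    def allow(self, ip, now):
        recent = self.failures[ip]
        while recent and now - recent[0][0] > self.window:
            recent.popleft()                             # slide the window forward
        if len(recent) > self.max_failures:
            return False
        cards = {card for _, card in recent}
        return self.max_distinct_cards is None or len(cards) <= self.max_distinct_cards

    def record_failure(self, ip, card, now):
        # Store a gateway token or hash as the fingerprint, never the card number.
        self.failures[ip].append((now, card))

def replay(events, throttle):
    """Return {ip: checkout attempts refused before reaching the gateway}."""
    refused = defaultdict(int)
    for now, ip, card, outcome in events:
        if not throttle.allow(ip, now):
            refused[ip] += 1
        elif outcome == "failed":
            throttle.record_failure(ip, card, now)
    return dict(refused)

if __name__ == "__main__":
    print("count only, X=2:", replay(SAMPLE_EVENTS, CheckoutThrottle(2, 10)))
    print("X=10 plus card signal:", replay(SAMPLE_EVENTS, CheckoutThrottle(10, 10, 2)))
```

A tight failure count alone also refuses the customer who mistyped a card; keeping the count conservative and adding the distinct-card limit refuses only the IP cycling through cards.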

    So… I’ve paid for an Akismet subscription and it hasn’t solved the problem. I’m still getting swamped with spam user account registrations. Checking the Akismet logs, the accounts are being marked as Ham (rather than Spam). So Akismet isn’t doing anything. Recaptcha isn’t doing anything. Really running out of options here!

    Thread Starter Rene Morozowich

    (@renemorozowich)

    I noticed in Google Search Console that my site was coming up in search results for checkout and membership pages: https://snap.renemzw.com/dqrDfm1M

    I noindexed all of the membership pages two weeks ago and the spam has slowly started to decrease.

    In case that’s helpful for anyone!

    @strangerstudios thanks for the updates. It is good to hear that you are trying to res.

    It seems that the ‘Approval Process for Membership’ might solve the problem?

    I am not sure if this is freely available or if I need to purchase the plus version.

    I am not sure if there is a good discount option that you can offer us, but if there is perhaps you can email us a code.

    If that plug in works I am happy to support the software if a code were to be available.

    It seems that the ‘Approval Process for Membership’ might solve the problem?

    I am not sure if this is freely available or if I need to purchase the plus version.

    I am not sure if there is a good discount option that you can offer us, but if there is perhaps you can email us a code.

    If that plug in works I am happy to support the software if a code were to be available.

    I guess not

    Plugin Author Jason Coleman

    (@strangerstudios)

    @isdoo, sorry I missed your last post here. Every single plugin that we release is available for free on GitHub.

    I’m quoting my earlier reply here:

    You can also find it and our other plugins for free on GitHub: https://github.com/orgs/strangerstudios/repositories

    @isdoo Find the repositories there, look for “Releases” in the right sidebar, click on those and download the zip files from there.

    Thread Starter Rene Morozowich

    (@renemorozowich)

    Last night I had 225 new spam users.

    I have a captcha, Akismet integration, the spam protection turned on and I’ve noindexed the pages so that they can’t be found by search.

    I don’t think the email confirmation will fix this if they’re only there to validate credit card numbers.

    Is there no other solution?

    Plugin Author Andrew Lima

    (@andrewza)

    We have recently released an update to tag potential spam users under the User’s table to make it easier to remove/delete these fake users.

    Another option would be to run your site through a firewall like Sucuri, WordFence or a similar solution which should help.

    @renemorozowich are you still experiencing spam signups through Paid Memberships Pro? Is it for card testing or just abandoned signups?

  • The topic ‘Don’t create users for failed payments?’ is closed to new replies.