Bot registrations

Hi @pldoolittle,

Our reCAPTCHA is designed for the default WordPress and WooCommerce login/registration screens so should work under those circumstances. If you are expecting users to register using the default page, also try disabling your other plugins and theme temporarily to see if it fixes the issue. The conflict may be between Wordfence and another plugin instead of Flatsome theme specifically, so you could try re-enabling everything one-by-one to see when the issue comes back.

Additionally, rogue users can try to come through XML-RPC, which can be disabled. “Disable XML-RPC authentication” appears in Wordfence > Login Security > Settings. You can also block this route entirely using .htaccess, provided you don’t use the WordPress app or a plugin that requires it such as Jetpack:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Let us know how you get on!
Peter.

What is their angle? Hundreds of unvalidated accountS every day. No password. Nada.

Hi @pldoolittle,

It’s hard to say for sure whether spam accounts are created via signup pages or XML-RPC just because they can. There could be vulnerabilities in older versions of certain plugins, or rare instances where site admins mistakenly give elevated permissions to regular users. If they don’t get the results they want, they’ll move on to trying the same thing on another domain. A huge amount of traffic we see daily is hit-and-hope without even knowing the platform or installed plugins on a site beforehand.

Thanks,
Peter.