• My site has suddenly attracted 31 new users. (We normally have none, over the course of my year managing the site.)

    They default to Subscriber, so I don’t think they can do anything, but I’m concerned this is some new kind of security attack. You see, I don’t have a link anywhere to the wp-login file, so “they” must be doing this by hand-typing the login URL. Is this a known form of security attack?

    And thanks for all you do. You are a godsend to budget WordPress sites.

Viewing 7 replies - 1 through 7 (of 7 total)
  • I have the same problem. I continually get fake user registered accounts even with Google reCAPTCHA. I don’t dare to buy a premium version of Wordfence because I don’t think this will help.

    • This reply was modified 8 years, 1 month ago by whoopysnoopy.
    Thread Starter rja1887

    (@rja1887)

    I’m up to 40. Two of them have auto-replied that their email accounts have been compromised. I have the added protection of requiring them to upgrade their passwords to secure forms, but I have no way of knowing if they did that. What would be handy would be a function that deletes a user who fails to do the update within, say, 24 hours.

    I see this as two problems:
    1. These fake accounts are cluttering up my user lists, and getting rid of them is a PIA.
    2. Worse, though, we are about to launch a bbPress forum, which means that all these fake accounts will be intermingled with attempts to create new, legitimate ones. Currently, I’m sending a personal email to each new user, asking them to confirm the account by mail. I don’t want to do that for legitimate users.

    Ultimately, I guess this is a WordPress problem, not a Wordfence one. One thing I can do is manually delete any user who hasn’t updated their password. Another would be to create a new login page that instructs legitimate users to add some detail to their accounts to confirm their being “human.” Have to noodle….

    Two more while I was typing. Sigh.

    I am having the same problem. Help!

    Thread Starter rja1887

    (@rja1887)

    The only “solution” I can come up with is to delete any users who fail to return to harden their passwords. The Wordfence password tool forces them to do this (unless by some accident they set the account up with a hardened password), and you get a second email when they do it. If they don’t, then it’s probably a bot.

    I can tell they are fake accounts and just deny them, but then have to delete them from my user page. Something has definitely changed from the WordPress security end; this is a new problem.

    I noticed the same problem started on January 30, 2017. Most email addresses are valid. Hopefully, WP will resolve this soon.

    I have had Ultimate Member installed on my site for a year now, but I don’t think those fake registered accounts can be blamed on Ultimate Member. The problem is that Google reCAPTCHA only installs itself in the Ultimate Member register files. Ultimate Member has a nice plugin for it, but I found out that the file wp-admin/user-new.php has no Google reCAPTCHA. I renamed this file but that did not help.

    • This reply was modified 8 years, 1 month ago by whoopysnoopy.
  • The topic ‘Fake user Accounts’ is closed to new replies.