• Resolved colab1

    (@colab1)


    As of Thursday, May 12th our website has had several hundred new user accounts created, apparently by a bot, that have circumvented all of the Ultimate Member and out of the box registration forms and security. The accounts are created with our “Customer” role which has very limited access but even the Ultimate Member approval process where we have to manually approve new accounts is somehow being bypassed by these accounts that are created.

    I have tried preventing new sign ups by disabling all registration forms and accounts were still created during that time.

    This appears to be a significant vulnerability in either WordPress, Ultimate Member, or both.

    Please advise as to how it’s possible new accounts are created without requiring approval when it is set to be required for the Customer role.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support Aswin Giri

    (@aswingiri)

    Hello @colab1

    Please make sure you have unchecked the wp-admin > Settings > General > “Anyone can register” setting to disable registration from wp-login.php. Additionally, we suggest you install the Ultimate Member – reCaptcha extension, which can help control the creation of spam accounts on your site.

    Thread Starter colab1

    (@colab1)

    Yes, “Anyone Can Register” is unchecked and I do have the reCaptcha extension, always have, but when they have found a way around using the registration form itself, reCaptcha doesn’t come into play.

    Clearly there is another way someone has figured out to register new accounts.

    Thread Starter colab1

    (@colab1)

    @missveronicatv

    Thanks for the link! The setting in Woocommerce to “Allow customer to create an account during checkout” was checked so I have unchecked that to see if it stops the bot account registrations.

    However, I also have the Woocommerce Subscriptions extension and that adds the option to “Allow subscription customers to create an account during checkout” which I’m leaving checked for the time being. If accounts continue to be created I will uncheck that as well and see what happens, but unchecking it would be disruptive to the process for legitimate customers who don’t create an account prior to making a purchase.

    Thread Starter colab1

    (@colab1)

    It may be too soon to say with certainty, but it appears that the bot was bypassing the Ultimate Member workflow by taking advantage of the Woocommerce “Allow customer to create an account during checkout” option.

    After disabling that option in the Woocommerce settings, the bot account registration has seemingly stopped with no new registrations in the last 17 hours.

    Thanks All!
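
    The resolution above turned on finding which entry point the bot was posting to. The following is an added example, not part of the original thread or of either plugin: it counts POST requests per account-creating entry point in a web server access log. It assumes combined log format and the default `/register/` and `/checkout/` page slugs; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "x"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "x"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "x"
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /register/ HTTP/1.1" 200 9001 "-" "y"
198.51.100.4 - - [01/Jan/2024:10:02:30 +0000] "POST /register/ HTTP/1.1" 200 9100 "-" "y"
192.0.2.9 - - [01/Jan/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "z"
192.0.2.9 - - [01/Jan/2024:10:03:09 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "z"
"""

# client IP, method and request target from a combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')

def entry_point(url):
    """Name the account-creation path a POST to this URL can reach, or None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    path = parts.path.rstrip("/") or "/"
    if path.endswith("/wp-login.php") and query.get("action") == ["register"]:
        return "wp-login.php registration"   # gated by "Anyone can register"
    if query.get("wc-ajax") == ["checkout"] or path == "/checkout":
        return "WooCommerce checkout"         # gated by the checkout account option
    if path == "/register":                   # assumed default form page slug
        return "Ultimate Member form"
    return None

def signup_posts(log_text):
    """Count POST requests per (entry point, client IP)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # skip lines in another format
        ip, method, url = m.groups()
        label = entry_point(url) if method == "POST" else None
        if label:
            hits[(label, ip)] += 1
    return hits

if __name__ == "__main__":
    for (label, ip), n in signup_posts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {label:26s} {ip}")
```

    A POST to the checkout endpoint only creates an account when the corresponding WooCommerce option is enabled, so compare the counts with the timestamps of the new user records.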

    Plugin Support Ultimate Member Support

    (@ultimatemembersupport)

    Hi @colab1

    Thanks for letting us know how you’ve resolved the issue.

    Hi @colab1

    We appreciate your time and effort in sharing how you have resolved the issue. We have updated our document on How to block bot registrations based on your experience so we can provide a solution to others that might encounter the same problem.

  • The topic ‘New Accounts Being Created by Bot Bypassing ALL Ultimate Member Security’ is closed to new replies.