Users (hackers) bypassing approval process

Hi @shewter,

That’s strange. Can you please let me know the URL of the registration page and the URL of the login page? I will do a test registration and see the issue.

Let me know and I will get back to you.
Regards!

I had similar issue when I was setting up my webpage. Make sure that you have correct setting in your registration form->form setting->user login option. Having it set just in the general options of the plugin is not enough. You can miss this very easily and all new users are auto-approved as a result.

I had the same problem.
And i actually want user to be auto-approved.
I found out the user registered using the default WordPress registration page instead, which ten seems to be auto-approved somehow.

Solution was to add a plugin called
Login No Captcha reCAPTCHA (Google)
it
Adds a Google CAPTCHA checkbox to the login, registration, and forgot password forms, thwarting automated hacking attempts

This, or “prevent core login” to let User Registration handle every login and integrate Google Captcha within User Registration settings.
You can then tweak what happens to newly registered user via setting in registration form – auto/manual approve, email, etc.

@sharmadpk03

what was the solution for @shewter?

I got the same attack by a hacker.
This afternoon I confimed a real member and the process worked as espected. But today 22:22pm I got the mail for User registration request. And when I checked him (because the required ID number was wrong), his status was already approved.

I checked both the general setting and the form setting. At both User Login Option is ‘Admin approval’.

I think this is a generally security issue.
It is very important, that only registered users have access to the site content.

Please priorize this as BLOCKER. The whole business in Germany is affected.

Thanks!