rja1887
Forum Replies Created
The only “solution” I can come up with is to delete any users who fail to return to harden their passwords. The WordFence password tool forces them to do this (unless by some accident they set the account up with a hardened password), and you get a second email when they do it. If they don’t, then it’s probably a bot.
I’m up to 40. Two of them have auto-replied that their email accounts have been compromised. I have the added protection of requiring them to upgrade their passwords to secure forms, but I have no way of knowing if they did that. What would be handy would be a function that deletes a user who fails to do the update within, say, 24 hours.
I see this as two problems:
1. These fake accounts are cluttering up my user lists, and getting rid of them is a PIA.
2. Worse, though, we are about to launch a BBPress forum, which means that all these fake accounts will be intermingled with attempts to create new, legitimate ones. Currently, I’m sending a personal email to each new user, asking them to confirm the account by mail. I don’t want to do that for legitimate users.

Ultimately, I guess this is a WordPress problem, not a WordFence one. One thing I can do is manually delete any user who hasn’t updated their password. Another would be to create a new login page that instructs legitimate users to add some detail to their accounts to confirm their being “human.” Have to noodle….
Two more while I was typing. Sigh.