Wednesday, January 24, 2007

Blocking spam registrations in WordPress 2.1

WordPress 2.1 incorporates significant updates to the registration and login process, which means that the fix I outlined below no longer works. Here are revised instructions, if anybody is interested.

In wp-login.php at the root level:
Following:
$user_email = apply_filters( 'user_registration_email', $_POST['user_email'] );
add:
$user_verify = $_POST['user_verify'];

Following:
$errors['user_email'] = __('<strong>ERROR</strong>: This email is already registered, please choose another one.');
add:
if ($user_verify == '') { // verification
    $errors['user_verify'] = __('<strong>ERROR</strong>: Only real users can register.');
    $user_verify = ''; // obviously no effect as it stands at the moment, but deals with failed verification
}


Following:
<p>
<label><?php _e('E-mail:') ... </label>
</p>

add:
<p>
<label><?php _e('Are you real?') ?><br />
<input type="text" name="user_verify" id="user_verify" class="input" value="" size="10" tabindex="25"></label>
</p>


I hope that makes some sense over the noise of Blogger formatting. As before, it adds a new input field to the registration screen which asks: "Are you real?" and which (as it stands) accepts any non-null response ("Yes", "y", "no", "What do you think?") to allow registration to continue.

I don't know whether the hooks exist to make this into a plugin, and I'm not promoting it on the wordpress.org site because, if I were them, I'd take a dim view of somebody hacking around with their nice new code. However, this is effective. I got four more spam registrations in the 24 hours that I was running with 2.1 prior to modification, and they've stopped again now. And the domains from which they registered were new to me, so a blacklist wouldn't have helped.
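
The same empty-answer check packaged as a plugin instead of an edit to wp-login.php. This is an added example, not code from the original post or from WordPress itself; it assumes a current WordPress release, where the register_form action and the registration_errors filter exist (not checked against 2.1), and the ayr_ names are hypothetical.

```php
<?php
/*
Plugin Name: Are You Real (added example, hypothetical name)
*/

// True only when the answer is a non-empty string. Unlike the inline edit
// above, this also rejects whitespace-only answers (a small tightening).
function ayr_answer_ok( array $post ) {
    if ( ! isset( $post['user_verify'] ) || ! is_string( $post['user_verify'] ) ) {
        return false; // field absent, or sent as an array (user_verify[]=x)
    }
    return trim( $post['user_verify'] ) !== '';
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: print the extra field on the registration form.
    add_action( 'register_form', function () {
        echo '<p><label>' . esc_html__( 'Are you real?' ) . '<br />';
        echo '<input type="text" name="user_verify" id="user_verify" class="input" value="" size="10" /></label></p>';
    } );

    // Add an error when the answer fails; WordPress then refuses the registration.
    add_filter( 'registration_errors', function ( $errors ) {
        if ( ! ayr_answer_ok( $_POST ) ) {
            $errors->add( 'user_verify', __( '<strong>ERROR</strong>: Only real users can register.' ) );
        }
        return $errors;
    } );
} else {
    // Outside WordPress: exercise the check on constructed sample submissions.
    $samples = array(
        'field missing'   => array( 'user_login' => 'bot1' ),
        'empty answer'    => array( 'user_verify' => '' ),
        'whitespace only' => array( 'user_verify' => '   ' ),
        'array payload'   => array( 'user_verify' => array( 'x' ) ),
        'typed answer'    => array( 'user_verify' => 'What do you think?' ),
    );
    foreach ( $samples as $name => $post ) {
        printf( "%-16s %s\n", $name, ayr_answer_ok( $post ) ? 'accepted' : 'rejected' );
    }
}
```

Run from the command line, the file prints the verdict for each constructed submission; dropped into wp-content/plugins and activated, it applies the check without touching core files, so it survives upgrades.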