Why Am I Getting Notifications of New User Registrations On My Site?
A common question I get from new WordPress users (twice in the past week as a matter of fact), typically arriving in a panic-stricken email, is “Why am I getting notices of new user registrations on my site?” The follow-up questions are along the lines of “Have I been hacked??” “Is this spam?” “How do I make the madness stop?”
The answer is thankfully simple. There’s one little setting in your WordPress dashboard which is needlessly (at least in most cases) allowing people to register for your site. Unless you’ve deliberately customized it, the registration screen is at the same URL on most WordPress sites:
http://www.yourdomain.com/wp-login.php?action=register
So it’s easy for spambots to find that page in an automated fashion. And those spambots love a good form to fill in whether that’s a comment form, a contact form or a registration form!
Turn it off by going to:
Settings > General
Look for the Membership field. You’ll see that the box where it says “Anyone can register” is checked. Simply uncheck it and hit Save Changes.
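To see how much automated traffic the registration URL above is attracting, you can count requests to it in your web server access log. This is an added example, not part of the original post: it assumes an Apache/Nginx common or combined log format, and the sample log lines and the `min_posts` threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: ip - user [time] "METHOD target HTTP/x" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} '
)

def is_registration_hit(target):
    """True if the request targets wp-login.php with action=register."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-login.php"):
        return False
    return "register" in parse_qs(parts.query).get("action", [])

def registration_hits(lines):
    """Count form views (GET) and form submissions (POST) per client IP."""
    views, posts = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_registration_hit(m.group("target")):
            continue  # unparseable line, or an ordinary login/page request
        counter = posts if m.group("method") == "POST" else views
        counter[m.group("ip")] += 1
    return views, posts

def likely_bots(lines, min_posts=2):
    """IPs that submitted the form at least min_posts times (assumed threshold)."""
    _, posts = registration_hits(lines)
    return sorted(ip for ip, n in posts.items() if n >= min_posts)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jan/2024:11:15:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4096',
    '198.51.100.20 - - [01/Jan/2024:11:15:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0',
    '192.0.2.44 - - [01/Jan/2024:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096',
    '192.0.2.44 - - [01/Jan/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    views, posts = registration_hits(SAMPLE_LOG)
    print("form views:", dict(views))
    print("submissions:", dict(posts))
    print("likely bots:", likely_bots(SAMPLE_LOG))
```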
What are subscribers and do I need them?
The WordPress Subscriber role gives the user virtually no special privileges. Their view of the dashboard is extremely limited – they can only update their own profile. They cannot access any of your content in the backend or any of the settings. So they can do no damage. The only cases in which you need Subscribers are if for some reason you are requiring people to be logged in to comment on your blog (find that setting under Settings > Discussion) or if you are running a membership site. Membership sites are where you require users to have an account on your site in order to view certain content that is not accessible to the public. In this case you would need to leave the registration option checked so people can sign up for an account. This process would usually be managed by a membership plugin. For the most comprehensive guide to membership plugins please check out my friend Chris Lema’s blog.
A common misconception is that WordPress subscribers are the same as email subscribers. They are not! So you do not need to enable this feature if all you want is people signing up for your email list. In that case, you can use a plugin or code provided by your email marketing provider – Aweber, MailChimp and the like – to provide an opt-in form. The WordPress Subscriber role by default provides no email notifications of new blog posts or anything like that.
Hope that clears things up! If you have questions, leave a comment!
Thanks a million for your oh so simple explanation. I was really worried at first until I read this post, especially because of the news I’ve been getting about malicious takeovers of vulnerable sites.
Thanks for this explanation. I’ve been deleting subscribers for months because I didn’t know how to turn this off!
Thank you for clarifying this for me :)
Thanks for explaining. I was getting 5 – 7 registrations from nowhere every day.
LUCY
Thanks for an explanation in “real” English that non-techies can understand. I can now delete six years’ worth of useless “subscribers” via the “Anyone can register” option I have had checked all along.
Keep on keepin’ on!
NEAL
Thanks so much for your lovely comment! Glad the post helped!
Useful, thank you
“Anyone can register” unchecked
Do I remove these users?
Yes, if they are just spam users, you can delete them :)
What a fantastic simple explanation to a mind boggling question (to a non-techy) like me! Thanks a bunch! x
Thank you so much for a simple quick fix. Fixes usually take me hours. I am so grateful.
But where are their emails stored, and is it possible to download these emails in csv or other format so I can add them to my database?
You should not add them to your database because:
1. they are probably spam
2. they have not consented to be added to your database, so in that case, you would then be the spammer ;)
How can I stop spam registrations if I want legit people to register?
You can put a honeypot or simple captcha on the registration screen, to stop the bots.
Hi Lucy, What is the difference between honey pot and captcha? And how do you get this?
Much appreciated
A captcha is something that the user actually sees and has to fill out. For example they will see an image with some numbers and letters and they have to type in the numbers and letters they see. A honey pot is not visible to the user at all.
Thank you soooo much
Great. Thanks for the article!
Yesterday, I suddenly got several emails saying I had new registered users. Hadn’t happened for months even when I’ve failed to update plugins. Suddenly, I’ve had about a dozen in the last 24 hours.
Case solved. I hope.
It's often spambots which sign up and clutter your database with extra user accounts. As you said, the only reason you should want to allow people to sign up is for registered commenters, but blog commenting plugins/codes such as that of Facebook and Disqus are pretty good at blocking out the spam bots. In my opinion, there's no real need for allowing account registrations, but this is a great explanation of what's possible and how to take precautions. Kudos!
Just out of curiosity, do real people ever register as subscribers on a blog via this registration portal? If so, why do they register and what do they get in response?