Why Am I Getting Notifications of New User Registrations On My Site?

New User Registrations on WordPress Sites

A common question I get from new WordPress users (twice in the past week as a matter of fact), typically arriving in a panic-stricken email, is “Why am I getting notices of new user registrations on my site?” The follow-up questions are along the lines of “Have I been hacked??” “Is this spam?” “How do I make the madness stop?”

The answer is thankfully simple. There’s one little setting in your WordPress dashboard which is needlessly (at least in most cases) allowing people to register for your site. Unless you’ve deliberately customized it, the registration screen is at the same url on most WordPress sites:

http://www.yourdomain.com/wp-login.php?action=register

So it’s easy for spambots to find that page in an automated fashion. And those spambots love a good form to fill in whether that’s a comment form, a contact form or a registration form!

Turn it off by going to:

Settings > General
Look for the Membership field.You’ll see that the box where it says “Anyone can register” is checked. Simply uncheck it and hit Save Changes.

What are subscribers and do I need them?

The WordPress Subscriber role gives the user virtually no special privileges. Their view of the dashboard is extremely limited – they can only update their own profile. They cannot access any of your content in the backend or any of the settings. So they can do no damage. The only cases in which you need Subscribers are if for some reason you are requiring people  to be logged in to comment on your blog (find that setting under Settings > Discussion) or if you are running a membership site. Membership sites are where you require users to have an account on your site in order to view certain content that is not accessible to the public. In this case you would need to leave the registration option checked so people can sign up for an account. This process would usually by managed by a membership plugin. For the most comprehensive guide to membership plugins please check out my friend Chris Lema’s blog.

A common misconception is that WordPress subscribers are the same as email subscribers. They are not! So you do not need to enable this feature if all you want is people signing up for your email list. In that case, you can use a plugin or code provided by your email marketing provider – Aweber, MailChimp and the like – to provide an opt-in form. The WordPress Subscriber role by default provides no email notifications of new blog posts or anything like that.

Hope that clears things up! If you have questions, leave a comment!

Image credit 

Weekly WordPress Tips To Your Inbox

  • This field is for validation purposes and should be left unchanged.

This Post Has 20 Comments

  1. Lorna Fraser

    Thanks a million for your oh so simple explanation. I was really worried at first until I read this post, especially because of the news I’ve been getting about malicious takeovers of vulnerable sites.

  2. Joan Senio

    Thanks for this explanation. I’ve been deleting subscribers for months because I didn’t know how to turn this off!

  3. Alicia Soria

    Thank you for clarifying this for me :)

  4. Zahid Ali

    Thanks for explaining I was getting 5 – 7 registration from nowhere every day.

  5. Neal Umphred

    LUCY

    Thanks for an explanation in “real” English that non-techies can understand. I can now delete six years worth of useless “subscribers” via the “Anyone can register” option I have had checked all along.

    Keep on keepin’ on!

    NEAL

    1. Lucy

      Thanks so much for your lovely comment! Glad the post helped!

  6. Fadi

    Useful, thank you

    “Anyone can register” unchecked

    Do I remove these users?

    1. Lucy

      Yes, if they are just spam users, you can delete them :)

  7. Keeks

    What a fantastic simple explanation to a mind boggling question (to a non-techy) like me! Thanks a bunch! x

  8. Sarah

    Thank you so much for a simple quick fix. Fixes usually take me hours. I am so grateful.

  9. Ben

    But where are their emails stored, and is it possible to download these emails in csv or other format so I can add them to my database?

    1. Lucy

      You should not add them to your database because:
      1. they are probably spam
      2. they have not consented to be added to your database, so in that case, you would then be the spammer ;)

  10. Chirag

    How can I stop spam registrations if I want legit people to register?

    1. Lucy

      You can put a honeypot or simple captcha on the registration screen, to stop the bots.

      1. Rachel Tooman

        Hi Lucy, What is the difference between honey pot and captcha? And how do you get this?

        Much appreciated

        1. Lucy

          A captcha is something that the user actually sees and has to fill out. For example they will see an image with some numbers and letters and they have to type in the numbers and letters they see. A honey pot is not visible to the user at all.

  11. Sabina Sulovsky

    Thank you soooo much

  12. Andrew

    Great. Thanks for the article!

    Yesterday, I suddenly got several emails saying I had new registered users. Hadn’t happen for months even when I’ve failed to update plugins. Suddenly, I’ve had about a dozen in the last 24 hours.

    Case solved. I hope.

  13. Patrick @ SSDpress

    It's often spambots which sign up and clutter your database with extra user accounts. As you said, the only reason you should want to allow people to sign up is for registered commenters, but blog commenting plugins/codes such as that of Facebook and Disqus are pretty good at blocking out the spam bots. In my opinion, there's no real need for allowing account registrations, but this is a great explanation of what's possible and how to take precautions. Kudos!

  14. LE Johns

    Just out of curiosity, do real people ever register as subscribers on a blog via this registration portal? If so, why do they register and what do they get in response?

Leave a Reply to Lucy Cancel comment reply

Your email address will not be published. Required fields are marked *