Recaptcha v2 not preventing spam registrations

Hi all,

I’ve not found an answer to this so apologies if it has been addressed elsewhere.

I have s2member Pro form configured on a registration page with recaptcha (v2) here:

The problem is I’m still getting two to five spam registrations daily in spite of the setup. The recaptcha keys are all set up correctly, and I have usage statistics in Google to show it’s working.

My question is how can I retain the current form setup but deploy a more effective spam signup prevention mechanism?

Thanks in advance for reading and considering my question.
Matt

I have the same issue. I don’t know how the bots are getting past recaptcha.

What security plugin are you using on your site?

Also, it’s good to check where these bots and DDoS are coming from and block their geolocation.

Cloudflare can also help you with this.

I wonder if spam registration bots have javascript or skip it… If yes, it’d be worth testing a field that is not visible to humans, but that a bot will trigger and cause the form’s action to change so it can’t be submitted properly…

If you’d like to try it, please create an s2 custom profile field, a checkbox, and add the style and javascript shown in the picture:

[Screenshot, 2022-08-07: s2Member General Options ‹ s2Member Membership Plugin for WordPress]

Let me know if you notice a drop in spam signups with it.

🙂

I am getting the spam registrations here

www.musicwizardacademy.com/campus/registrar

They all have the same first and last name and emails with a lot of DOTs like RA.ie.js.ff.gr.ie.ll@gmail.com

I have recaptcha there and don’t know how to stop it. This just started happening. I’ll try your suggestion tomorrow, though I don’t fully understand it.

I also have Wordfence, a security plugin, and it has BRUTE FORCE PROTECTION. I don’t know if that conflicts with s2member or has any relation to this.

The idea is that the field is not visible by a human, because the style makes it only 1px high and removes the border, so it should be left untouched. But a bot would touch it, and if it has javascript, then the code in that field will change the address to which the form gets submitted, spoiling the registration.

It relies on javascript, though, but I’m guessing some of these bots support javascript because many forms will need it to work. But I’ll see if I can make one that doesn’t rely on js, and instead checks the field after the form gets submitted, and if the field was changed, then discards the registration.

Let me know if this hack reduces the spam signups on your site. I hope it helps.

🙂

It’s asking me to put in

Field Label/Desc: *

Unique Field ID: *

I don’t know what “allyourbase” means as it goes to a 404

The 404 is on purpose, that’s for a bot trying to register that triggers it, it wouldn’t happen to a human that doesn’t touch it. You could add any address you want, as long as it’s not the one that’ll register the bot.

For label you could just enter a dot, it won’t be visible to users. And for the field id anything unique will do.

🙂

So is the field OPTIONAL? It’s triggering a popup that must be filled.

Optional, otherwise the human can’t submit the form without touching it. Sorry I forgot to mention that setting.

🙂

Unfortunately, unless I did something wrong, it doesn’t work.

Thanks for the update!

It could be something wrong, but most likely it’s that the bot doesn’t support javascript.

When I have the more reliable implementation of the idea, I’ll post it here for you guys to try out.

🙂

I appreciate the timely responses. My page even has a required checkbox for terms of service agreement. So I don’t know how a bot can recognize that.

That’s just HTML, not javascript, and is standard and required in lots of registrations, so bots will be able to handle them for the registration to go through. Bots either recognize the asterisk or “required” in the field’s name, or maybe recognize it’s right before the submit button. They will also fill out other fields sometimes (e.g. country, state), even if not required.

I believe we can defeat this if we can force first and last name to be different, as all the spam has the same first and last name. Can’t seem to find a hack on that.

Cristián

It’s interesting that Ultimate Member sees the same problem.

That hack doesn’t work for s2member. Any ideas?

Thanks
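
An added example, not from any post in this thread and not s2Member code: the server-side variant of the hidden-field check described above (no JavaScript involved), combined with the two patterns posters reported, identical first and last names and email local parts with many dots. The field names, the `hp_field` honeypot name and the dot threshold are assumptions; wiring the function into s2Member's form handling is not shown.

```php
<?php
// Added example: server-side checks for the bot patterns reported in this thread.
// Field names (first_name, last_name, email, hp_field) and the dot threshold
// are assumptions, not s2Member identifiers.

const MAX_LOCAL_DOTS = 3; // assumed threshold; tune it against your real signups

function signup_rejection_reasons(array $fields): array
{
    $reasons = [];
    $first = strtolower(trim((string)($fields['first_name'] ?? '')));
    $last  = strtolower(trim((string)($fields['last_name'] ?? '')));
    $email = strtolower(trim((string)($fields['email'] ?? '')));

    // 1. Honeypot: a hidden checkbox a human never touches. An unchecked
    //    checkbox is not submitted at all, so a missing key counts as empty.
    if (trim((string)($fields['hp_field'] ?? '')) !== '') {
        $reasons[] = 'honeypot field was filled';
    }

    // 2. Identical first and last name (case and padding ignored).
    if ($first !== '' && $first === $last) {
        $reasons[] = 'first and last name are identical';
    }

    // 3. Email local part (everything before the last @) stuffed with dots.
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        $reasons[] = 'email is malformed';
    } elseif (substr_count(substr($email, 0, $at), '.') > MAX_LOCAL_DOTS) {
        $reasons[] = 'email local part has too many dots';
    }

    return $reasons; // empty array means the signup passed all three checks
}

// Constructed sample submissions (not real signups).
$samples = [
    'human'   => ['first_name' => 'Ana', 'last_name' => 'Lopez', 'email' => 'ana.lopez@example.com'],
    'pattern' => ['first_name' => 'Xqzt', 'last_name' => 'xqzt ', 'email' => 'a.b.c.d.e.f@example.com'],
    'filled'  => ['first_name' => 'Bo', 'last_name' => 'Ek', 'email' => 'bo@example.com', 'hp_field' => 'on'],
];
foreach ($samples as $label => $fields) {
    $reasons = signup_rejection_reasons($fields);
    echo $label, ': ', $reasons ? 'reject (' . implode('; ', $reasons) . ')' : 'accept', PHP_EOL;
}
```

Run it with `php` on the command line to see which constructed submissions are rejected and why. Logging the reasons before discarding a signup makes it possible to spot false positives, such as a real person whose first and last names match.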