A surge of fake user registrations can quickly become a serious security and performance issue for any WordPress site—especially those using WooCommerce or membership functionality. In this guide, we’ll walk through how a combination of misconfigured security settings and incomplete bot protection led to over 1,000 spam accounts—and the exact steps taken to stop it.
Issue Background
A WordPress site began experiencing a spike in fake account registrations over a period of several weeks. The issue appeared to originate from bots exploiting weaknesses in the site’s registration flow.
The volume of spam accounts suggested that automated scripts were successfully bypassing existing protections, raising concerns about broader vulnerabilities in the site’s security configuration.
Diagnosis
After a full review of the site’s setup, several key issues were identified:
- HTTP Strict Transport Security (HSTS) was disabled
  This removed an important layer of protection against protocol-downgrade and man-in-the-middle attacks and weakened overall site security.
- Cloudflare Bot Fight Mode was not enabled
  Without this, known malicious bot traffic was not being actively blocked at the edge.
- Over 1,000 spam user accounts existed
  This confirmed that bots had been successfully registering accounts for an extended period.
- reCAPTCHA was inconsistently implemented
  The WP reCAPTCHA for WooCommerce plugin was installed, but reCAPTCHA was not appearing on all registration forms, most notably the primary front-end registration page. This created a gap bots could exploit.
Resolution Steps
1. Re-enable HSTS
HSTS was turned back on to enforce secure HTTPS connections and reduce exposure to man-in-the-middle attacks.
2. Enable Cloudflare Bot Fight Mode
Cloudflare’s Bot Fight Mode was activated to automatically challenge and block known bot traffic before it reaches the WordPress site.
3. Remove existing spam accounts
A manual cleanup was performed to delete over 1,000 fake user accounts. This step is critical to:
- Reduce database clutter
- Prevent potential abuse of existing accounts
- Restore system integrity
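A manual cleanup of 1,000+ accounts is error-prone, so here is an added example (not Freshy's or the site's own code) of a WP-CLI command that lists the suspects first and only deletes on an explicit flag. Dropped into a mu-plugin, it treats a "subscriber" or "customer" account registered within the window that has never placed a WooCommerce order or authored a post as a likely bot sign-up; those role names, the default 60-day window and the "no orders, no content" heuristic are assumptions about this site, so review the dry-run output before deleting.

```php
<?php
/**
 * Added example, not the page's own code: a WP-CLI command to list, and with
 * --delete remove, suspected spam accounts. Place in wp-content/mu-plugins/.
 * Assumptions: bot accounts hold the subscriber or customer role, have no
 * WooCommerce orders and no authored content.
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return;
}

/**
 * Return the IDs of accounts that look like automated registrations.
 *
 * @param string $since MySQL datetime (GMT); only users registered after it.
 * @return int[]
 */
function example_spam_user_ids( $since ) {
    $ids = get_users( array(
        'role__in'   => array( 'subscriber', 'customer' ),
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => 'ID',
        'number'     => -1,
    ) );

    $suspects = array();
    foreach ( $ids as $id ) {
        // Keep anyone who has placed an order: a real customer, whatever the signup looked like.
        if ( function_exists( 'wc_get_orders' ) ) {
            $orders = wc_get_orders( array( 'customer_id' => $id, 'limit' => 1, 'return' => 'ids' ) );
            if ( ! empty( $orders ) ) {
                continue;
            }
        }
        // Keep anyone who has authored content.
        if ( count_user_posts( $id ) > 0 ) {
            continue;
        }
        $suspects[] = (int) $id;
    }
    return $suspects;
}

WP_CLI::add_command( 'spam-users', function ( $args, $assoc_args ) {
    $since = isset( $assoc_args['since'] ) ? $assoc_args['since'] : '-60 days';
    $since = gmdate( 'Y-m-d H:i:s', strtotime( $since ) );
    $ids   = example_spam_user_ids( $since );

    foreach ( $ids as $id ) {
        $u = get_userdata( $id );
        WP_CLI::line( sprintf( '%d %s %s %s', $id, $u->user_login, $u->user_email, $u->user_registered ) );
    }
    WP_CLI::log( count( $ids ) . ' suspected spam accounts registered since ' . $since );

    if ( empty( $assoc_args['delete'] ) ) {
        WP_CLI::log( 'Dry run only; re-run with --delete to remove them.' );
        return;
    }

    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    foreach ( $ids as $id ) {
        // No reassignment needed: by construction these accounts own no content.
        wp_delete_user( $id );
    }
    WP_CLI::success( 'Deleted ' . count( $ids ) . ' accounts.' );
} );
```

Run `wp spam-users --since="-60 days"` to review the list, then `wp spam-users --since="-60 days" --delete` to remove it. If the fake accounts share an obvious pattern (random-string usernames, one throwaway mail domain), add that as an extra filter inside `example_spam_user_ids()` rather than widening the date window.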
4. Properly configure reCAPTCHA for WooCommerce
The WP reCAPTCHA for WooCommerce plugin was reconfigured to ensure coverage across:
- Login forms
- Registration forms
- Password reset forms
Special attention was given to confirming that reCAPTCHA was visible and functional on all user-facing registration entry points, not just default WooCommerce forms.
5. Audit all registration pathways
Any additional or custom registration forms were reviewed to ensure they also included bot protection. In some cases, this may involve:
- Extending reCAPTCHA to custom forms
- Using tools like Advanced Custom Fields (ACF) to integrate protections into non-standard templates
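The gap in the diagnosis above was a form with no widget: a bot that never sees reCAPTCHA never has to solve it. The following added example (not the WP reCAPTCHA for WooCommerce plugin's code, nor the site's) shows the principle behind steps 4 and 5 in working code: one server-side verification function attached to every registration pathway, so a request that arrives without a token is rejected whether or not the form rendered a widget. The site key and secret constants, and the `example_custom_register_form` hook standing in for a custom theme form, are assumptions.

```php
<?php
/**
 * Added example, not the page's or plugin's own code: one reCAPTCHA (v2 checkbox)
 * check enforced on every registration pathway. Replace the two constants with
 * real keys; the custom-form hook name is a placeholder for whatever a theme uses.
 */
define( 'EXAMPLE_RECAPTCHA_SITE_KEY', 'your-site-key-here' );
define( 'EXAMPLE_RECAPTCHA_SECRET', 'your-secret-here' );

/** Render the widget inside any registration form. */
function example_recaptcha_widget() {
    echo '<div class="g-recaptcha" data-sitekey="' . esc_attr( EXAMPLE_RECAPTCHA_SITE_KEY ) . '"></div>';
}
add_action( 'register_form', 'example_recaptcha_widget' );               // wp-login.php?action=register
add_action( 'woocommerce_register_form', 'example_recaptcha_widget' );   // WooCommerce My Account
add_action( 'example_custom_register_form', 'example_recaptcha_widget' ); // assumed custom theme form

/** Load Google's script on both the login screen and the front end. */
function example_recaptcha_script() {
    wp_enqueue_script( 'google-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null, true );
}
add_action( 'login_enqueue_scripts', 'example_recaptcha_script' );
add_action( 'wp_enqueue_scripts', 'example_recaptcha_script' );

/**
 * Verify the submitted token with Google's siteverify endpoint.
 * A missing token is a failure: that is exactly the gap the bots used.
 */
function example_recaptcha_passed() {
    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
        : '';
    if ( '' === $token ) {
        return false;
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => EXAMPLE_RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );
    if ( is_wp_error( $response ) ) {
        return false; // fail closed: no verifier, no account
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return ! empty( $body['success'] );
}

/** Core registration (wp-login.php): an added error aborts account creation. */
add_filter( 'registration_errors', function ( $errors ) {
    if ( ! example_recaptcha_passed() ) {
        $errors->add( 'recaptcha', 'Please complete the reCAPTCHA check.' );
    }
    return $errors;
}, 10, 1 );

/** WooCommerce registration: same check through WooCommerce's error object. */
add_action( 'woocommerce_register_post', function ( $username, $email, $errors ) {
    if ( ! example_recaptcha_passed() ) {
        $errors->add( 'recaptcha', 'Please complete the reCAPTCHA check.' );
    }
}, 10, 3 );
```

Two points a practitioner should check when auditing pathways this way. First, `woocommerce_register_post` also fires when WooCommerce creates an account during checkout, so the widget must be present on the checkout form too, or that path must be explicitly exempted; otherwise legitimate checkouts fail. Second, a custom form handler that calls `wp_create_user()` directly bypasses both hooks above, so it has to call `example_recaptcha_passed()` itself before creating the user.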
6. Limit exposure of registration endpoints
As an added precaution, steps were considered to reduce unnecessary access to registration URLs, including:
- Removing or hiding registration links where not needed
- Preventing direct access to backend registration routes when possible
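As an added example of step 6 (not the site's own code), this snippet funnels all sign-ups through one protected form. It assumes the WooCommerce My Account page is the intended registration form and that the core `wp-login.php?action=register` route should not be usable on its own, even while "Anyone can register" remains switched on.

```php
<?php
/**
 * Added example, not the page's own code: route every registration through
 * the WooCommerce My Account form. Assumes WooCommerce is the intended
 * sign-up path; without it the code leaves core behaviour untouched.
 */

/** The one form that carries bot protection, or null when WooCommerce is absent. */
function example_protected_register_url() {
    if ( function_exists( 'wc_get_page_permalink' ) ) {
        return wc_get_page_permalink( 'myaccount' );
    }
    return null;
}

/** Every "Register" link WordPress prints now points at the protected form. */
add_filter( 'register_url', function ( $url ) {
    $target = example_protected_register_url();
    return $target ? $target : $url;
} );

/** Direct GET or POST requests to the core registration route go there too. */
add_action( 'login_init', function () {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $target = example_protected_register_url();
    // The null guard avoids a redirect loop when WooCommerce is not active.
    if ( 'register' === $action && $target ) {
        wp_safe_redirect( $target, 302 );
        exit;
    }
} );
```

Where WooCommerce is the only sign-up path that matters, the simpler move is to uncheck "Anyone can register" under Settings > General: core then refuses `action=register` outright, while WooCommerce's My Account registration is controlled separately by its own "Allow customers to create an account on the My account page" setting. The redirect above is a fallback for sites that still need the core option on.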
7. Ongoing monitoring
After implementing fixes, the site was monitored for:
- New user registration patterns
- Suspicious spikes in activity
- Any gaps in reCAPTCHA coverage
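Monitoring is easier when each new account records how it was created. The added example below (not the page's own code) tags every registration with the client IP, user agent, the form it came through and whether a reCAPTCHA token accompanied it, then emails the admin when registrations in the last hour pass a threshold. The threshold of 20 per hour, the window, and the `_example_reg_*` meta keys are assumptions; tune the threshold to the site's normal sign-up rate.

```php
<?php
/**
 * Added example, not the page's own code: tag each new account with its
 * provenance and alert on registration spikes. Threshold, window and meta
 * key names are assumptions.
 */
define( 'EXAMPLE_REG_ALERT_THRESHOLD', 20 );           // registrations per window
define( 'EXAMPLE_REG_ALERT_WINDOW', HOUR_IN_SECONDS ); // seconds

/** Client IP: behind Cloudflare REMOTE_ADDR is the proxy, so prefer CF-Connecting-IP. */
function example_client_ip() {
    foreach ( array( 'HTTP_CF_CONNECTING_IP', 'REMOTE_ADDR' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) && filter_var( $_SERVER[ $key ], FILTER_VALIDATE_IP ) ) {
            return $_SERVER[ $key ];
        }
    }
    return '';
}

/** Which pathway created the account, judged from the submitted fields. */
function example_registration_source( array $post ) {
    if ( isset( $post['woocommerce-register-nonce'] ) ) {
        return 'woocommerce-my-account';
    }
    if ( isset( $post['woocommerce-process-checkout-nonce'] ) ) {
        return 'woocommerce-checkout';
    }
    if ( isset( $post['wp-submit'] ) ) {
        return 'wp-login';
    }
    return 'other'; // custom form, REST or programmatic: worth a look
}

/** Count accounts registered within the last $seconds (user_registered is GMT). */
function example_registrations_in_window( $seconds ) {
    $since = gmdate( 'Y-m-d H:i:s', time() - $seconds );
    $ids   = get_users( array(
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => 'ID',
        'number'     => -1,
    ) );
    return count( $ids );
}

add_action( 'user_register', function ( $user_id ) {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? substr( sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ), 0, 255 )
        : '';
    update_user_meta( $user_id, '_example_reg_ip', example_client_ip() );
    update_user_meta( $user_id, '_example_reg_ua', $ua );
    update_user_meta( $user_id, '_example_reg_source', example_registration_source( $_POST ) );
    // No token means the request came through a form with no widget: a coverage gap.
    update_user_meta( $user_id, '_example_reg_captcha', empty( $_POST['g-recaptcha-response'] ) ? 'missing' : 'present' );

    $count = example_registrations_in_window( EXAMPLE_REG_ALERT_WINDOW );
    if ( $count >= EXAMPLE_REG_ALERT_THRESHOLD && false === get_transient( 'example_reg_alert_sent' ) ) {
        set_transient( 'example_reg_alert_sent', 1, EXAMPLE_REG_ALERT_WINDOW ); // one alert per window
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] %d registrations in the last %d minutes', get_bloginfo( 'name' ), $count, EXAMPLE_REG_ALERT_WINDOW / 60 ),
            sprintf( "Latest account: user %d from %s via %s.\n", $user_id, example_client_ip(), example_registration_source( $_POST ) )
        );
    }
} );
```

With the meta in place, `wp user list --meta_key=_example_reg_captcha --meta_value=missing` lists every account created without a token, which is the direct answer to "any gaps in reCAPTCHA coverage": a non-empty result after the fixes means some form is still unprotected, and the `_example_reg_source` value of those rows says which one.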
Final Outcome
With HSTS re-enabled, Cloudflare Bot Fight Mode active, and reCAPTCHA properly enforced across all forms, the site was successfully protected against automated spam registrations.
The result:
- No continued influx of fake accounts
- Improved overall site security posture
- A hardened registration system resistant to common bot attacks
If your WordPress site is experiencing fake user sign-ups or suspicious activity, Freshy can help diagnose and secure your setup quickly and effectively.