• Resolved Springtide

    (@reneyoung)


    A month ago, I started getting dozens of new user registration notification emails every hour, so I disabled “Anyone can register” on the WordPress settings page for a few days and I deleted all the phony users. I guess the bots gave up because after a few days I reactivated registrations and there was no such further activity…until today. I’ve shut down registrations again. Since the only plugin installed that allows user registrations is WP Job Manager, is this a security weakness of the plugin? There’s nothing I can see in the settings apart from ReCaptcha to thwart attacks like this. I changed from ReCaptchaV2 to V3, but that didn’t stop it. Is there something else I should be doing? Thanks in advance.

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Support Alba

    (@ctdealba)

    Hi @reneyoung

    I’m sorry to hear you are dealing with this issue. Could you share the exact place on your website where the registration form is placed? I see one on the Post Vacancies page, but you said that you have shut down registrations again, so I just want to make sure which one you are referring to.

    Thread Starter Springtide

    (@reneyoung)

    Hi Alba. I have no other registration form than the one created by WP Job Manager, which is the one you mentioned. However, I expect that form registers users via the native WP user registration function (https://yoursite.com/wp-login.php?action=register). If so, I’m not sure whether these bogus user registrations are coming from the WPJM form, or if they are going directly to that URL. Maybe you can shed some light on that?

    Plugin Support Deric (a11n)

    (@dericleeyy)

    WP Job Manager does not have its own registration form; instead, it relies on WordPress’s built-in registration system.

    However, we can’t know for sure where the entries of registration for these spam accounts come from. Your best bet would be to check your server access logs to see which addresses are being accessed when these accounts are created.
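
Added example (not part of the thread, and not code from WordPress or WP Job Manager): one way to run the access-log check suggested above, counting account-creating POSTs per entry point and per client address. It assumes Combined Log Format and a hypothetical job form path `/post-a-job/`; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" ...
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Assumption: hypothetical path of the page hosting the job submission form.
JOB_FORM_PATH = "/post-a-job/"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:00:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "client-a"',
    '203.0.113.7 - - [12/May/2025:10:00:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "client-a"',
    '198.51.100.22 - - [12/May/2025:10:04:10 +0000] "GET /post-a-job/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [12/May/2025:10:05:40 +0000] "POST /post-a-job/ HTTP/1.1" 200 18400 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [12/May/2025:10:06:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def classify(method, target):
    """Name the entry point a POST hits, or None if it cannot create an account."""
    if method != "POST":
        return None
    parts = urlsplit(target)
    if parts.path == "/wp-login.php" and parse_qs(parts.query).get("action") == ["register"]:
        return "wp-login.php?action=register"
    if parts.path == JOB_FORM_PATH:
        return "job submission page"  # a submission here may also create an account
    return None

def summarize(lines):
    """Count POSTs per entry point and per IP; list IPs that POSTed without any GET."""
    by_entry, by_ip, did_get = Counter(), Counter(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] == "GET":
            did_get.add(m["ip"])
        entry = classify(m["method"], m["target"])
        if entry:
            by_entry[entry] += 1
            by_ip[m["ip"]] += 1
    post_only = sorted(ip for ip in by_ip if ip not in did_get)
    return by_entry, by_ip, post_only

if __name__ == "__main__":
    entries, ips, post_only = summarize(SAMPLE_LOG)
    print(entries.most_common(), ips.most_common(), post_only)
```

Matching the timestamps of these requests against the registration notification emails shows which entry point the bogus accounts came through.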

    Thread Starter Springtide

    (@reneyoung)

    Thanks. I’ll look into using WPForms instead of the built-in WordPress system.

    Thread Starter Springtide

    (@reneyoung)

    @dericleeyy Follow up: if I create an alternate user registration form with WP Forms, is there something I can/should do in Job Manager to get it to use that form for new users wanting to post jobs instead of the native WordPress one?

    Plugin Contributor Dan (a11n)

    (@drawmyface)

    Hi @reneyoung You’d need to redirect the default WordPress register page to your alternate register page. WPForms support should be familiar with that if you need help.

    In general, I’d suggest reviewing this guide: https://www.wpbeginner.com/plugins/how-to-stop-spam-registrations-on-your-wordpress-membership-site/

    Thread Starter Springtide

    (@reneyoung)

    Thanks!

    Thread Starter Springtide

    (@reneyoung)

    I’m still struggling with this. Every time I check “Anyone can register” in the WP settings, I start getting tons of user registration email notifications again. Here’s what WPForms said:

    Unfortunately, WP Job Manager is designed to use its built-in registration form, and directly replacing it with a WPForms form isn’t straightforward due to the way the plugin is coded. However, you can consider a workaround:

    1. Redirect to WPForms Registration Form: You can create a custom page with your WPForms registration form and redirect users to this page when they attempt to register. This can be done by modifying the redirection settings in WP Job Manager, if available, or by using a plugin like WPCode to add custom redirection logic.
    2. Disable Default Registration: Since you’ve already disabled “anyone can register,” ensure that your WPForms registration form is the only method for new user registrations. This will help in managing spam registrations effectively.
    3. Custom Development: If you’re comfortable with PHP, you might explore customizing the WP Job Manager plugin to integrate your WPForms registration form. However, this requires technical expertise and is not recommended unless you’re familiar with WordPress development.

    I recommend reaching out to the WP Job Manager support team to check if they provide a way—such as a filter, hook, or setting—that would allow you to redirect the default registration link to your custom WPForms registration form instead. If they offer such a method, you should be able to point users to your custom form page and take advantage of the anti-spam protections WPForms provides.

    pineapplepalm

    (@pineapplepalm)

    Hello @reneyoung, I don’t have a dog in this fight. But having read this I thought I’d give some feedback.

    I don’t think this is an issue with this plugin as it is about other ways you’re being targeted.

    1. If you have Wordfence (My Preference) or Jetpack Protect or some other security plugin it might show where your vulnerability might be coming in. They will also have brute force login protections that you need.
    2. One of your other plugins might have a cross-script vulnerability which is allowing users to be created in a bid to make your site something they can hack. Make sure all of your plugins are up to date even if it doesn’t seem to be related to this issue. You can use something like Patchstack to see if there’s a patch for a vulnerable plugin (cheap annual cost) or google search “Plugin name + CVE Vulnerability” and check if any current vulnerabilities exist for your other plugins.
    3. Consider using additional plugins to protect your forms from bots. Cleantalk (plugin) free but has a cheap add on, and WP Armor Honeypot (plugin) free, are two we use along with Wordfence Premium and Cloudflare’s “Super bot fight mode” and other hardening to avert bots being able to get to our site and block them if they do get there.

    I’m not a security expert, but having handled thousands of attacks on our sites and quelled them to a whisper in the past few months, these strategies have worked for us.

    Wish you the best

    Plugin Contributor Dan (a11n)

    (@drawmyface)

    Thanks @pineapplepalm – I agree that additional security measures are a good first step to preventing spam registrations.

    If you do want to redirect to a custom login form, you can find information on how to do that here:

    https://wpjobmanager.com/document/developer-reference/code-snippets/changing-login-redirects/

    Thread Starter Springtide

    (@reneyoung)

    If I disable “account creation during submission,” but keep “Require an account to submit listings” enabled, and use a WPForms user registration form instead, will that work?

    Hi Rene @reneyoung
    For people to get an account, you still need to let your site be open to allow anyone to register.
    This is all a lot of theater when you should be working to prevent bots getting to your site in the first place, then misleading them (with WP Armor & Cleantalk) from filling in your forms. Please see my earlier message and put those things in place. Otherwise you will constantly have problems with bots hammering ANY FORM on your site.

    The issue is not the Form, it’s that bots are reaching your site in the first place.

    Good luck. I’ll tap out from here.

    Plugin Contributor Dan (a11n)

    (@drawmyface)

    @reneyoung @pineapplepalm is right. Disabling account creation during job submission may help prevent some spam registrations, but as long as there is a way for users to register on your site, you will need to take measures to prevent bots from registering.

    Thread Starter Springtide

    (@reneyoung)

    I had to change the status of this to “not resolved” to see the new comments…or any of them for that matter. I’ll change it back after posting this update:

    I installed Shield Security and reactivated “anyone can register”. I’ve only received a couple of spam registrations since. I have also disabled account creation during job submission and instead added a button to register, which sends users to a user registration form created with WP Forms. So far, so good.

    Thanks for all the tips, folks. Much appreciated.

    Plugin Contributor Dan (a11n)

    (@drawmyface)

    Thanks for the update @reneyoung

The topic ‘User Registrations Getting Attacked’ is closed to new replies.