I am trying to: reduce/eliminate spam registrations
Link to a page where the issue can be seen: hidden link
I expected to see: not see spam registered users when having added Google reCaptcha
Instead, I got: have not found a solution
Hi, when you say there are tons of spam registration is that including all forms of registration? Like hidden link, for example? Or are you able to narrow that down to only Toolset Forms submissions that actually create complete User Profiles? I wasn't clear from your description of the problem.
Yes, I am referring to all registration forms including hidden link
1) You can tell from the Profiles section hidden link that there are thousands bogus user entries despite there being a recaptcha in the registration page.
2) Regarding this hidden link I know I can disable that by disabling it from Settings > General and unchecking "Anyone can register". Would that be ok to uncheck? I thought I needed it enabled for Toolset.
Thank you and looking forward to your response.
1) You can tell from the Profiles section hidden link that there are thousands bogus user entries despite there being a recaptcha in the registration page.
Okay the recaptcha in a Toolset Form can't help prevent spam registration in other areas, obviously. You would have to disable those other registration paths to see the full benefit of a recaptcha here. Even then, you can have spam registration from actual people. So it's not foolproof, but it should stop most of the bot registrations.
I know I can disable that by disabling it from Settings > General and unchecking "Anyone can register". Would that be ok to uncheck?
Guests can register with Toolset Forms even if you uncheck this checkbox, if that's what you are concerned about. The checkbox has no bearing on that process.
I understand there can still be spam registrations that are human but the captcha that's in the Toolset Form is not helping to fend off spam registrations. We get about 50 spam registrations per day. So two questions:
How do we ensure that the recaptcha is working because it looks like spammers are still getting through.
I'd like to make the first name and last name of the form required as for some reason they appear to be optional but I don't know to make them required. Even after looking at how registration code for hints I can't figure that out.
In the Profiles page within wp-admin I see there are many registered users where the author column is blank. Can it then be assumed that those entries are bogus and can be remove?
but the captcha that's in the Toolset Form is not helping to fend off spam registrations. We get about 50 spam registrations per day.
The spam registrations could be coming from a WooCommerce registration path, or the main registration form I already showed you. If you'd like, we can try to pinpoint the source of the spam registrations so we can see if the recaptcha is failing frequently. One way you could do that is to create a custom field on User profiles called "toolset-registration" and set the value of that field to be 1 if the User registers with the Toolset Form. You could set that value using the cred_submit_complete API you already have in your custom theme in the usertoprofileregistration function. You would add it like this:
update_user_meta($user_id, 'wpcf-toolset-registration', 1);
This way the custom field will only be set if the registration is coming from a Toolset Form. That could help determine the source of bogus User registrations in the future.
In the Profiles page within wp-admin I see there are many registered users where the author column is blank. Can it then be assumed that those entries are bogus and can be remove?
It's hard to say. Profile posts are created programmatically by more than one piece of custom code in your theme. For example, I can see your custom theme generates Profile posts during the user_register action (see zociety_registration_save). At first glance, it seems the author is set by querying Users based on the $_POST['billing_email'] value. Your Toolset Form to register Users doesn't include this information, so the billing_email value is blank. That would lead to a blank author for a Profile generated during a valid Toolset Forms registration. The user_register action is triggered any time a User registration happens, including a Toolset Forms registration. So I can't say for sure if this Profile would be bogus or a duplicate or what, it depends on whether or not a Profile was already created by some other custom code. That would require I debug your entire theme, and that's not really possible here. It's beyond the scope of support we provide.
