PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

Possible registration vulnerability

s2Member Plugin. A Membership plugin for WordPress®.

Postby FrasSmith » May 20th, 2011, 12:21 am

I'm using S2Member 3.5.8 on WordPress 3.1.2 and I have been allowing free subscribers to my site.

In my registration page, I capture some custom fields, one of which is a drop down list so a value will always be supplied.

Late yesterday, I noticed a sudden spike in registration activity; I received ten new members in the space of an hour or so. My stats didn't seem to have recorded enough traffic to justify the new members.

On further investigation I found that none of the new members had any of my S2Member custom fields populated so they cannot have gone through the standard registration page.

I locked the site down overnight (password protected the directory). This morning, I opened it up again and within 5 minutes, I had another 2 registrations.

Clearly there's a bot working somewhere and bypassing the normal registration to create these new users.

It would also seem clear that there must be some vulnerability on the site that is allowing these automated registrations to take place.

I don't know if this is an S2Member issue or a WordPress issue, but I thought it best to report it to both parties, because it is an issue.

In the interim, I've disabled free user registration in S2Member and the problem has stopped.

best regards
Fraser
FrasSmith
Registered User
Posts: 2
Joined: May 20, 2011

Re: Possible registration vulnerability

Postby drbyte » May 20th, 2011, 2:15 am

This topic was discussed in the Joomla forums, but I think WordPress does have the same issue:

"I believe the purpose of sending bogus registrations is to harvest the email address stored in Global Configuration -> Server, which many people use as the site admin address (a high value target).

Once the address is known it is spammed to try and harvest the admin's email address book and/or proliferate other nasty stuff on the admin's machine. To try and defend against this I use a no-reply email address in Global Configuration -> Server for bogus registrations that get through form validation."

"Captcha can be defeated by a well written bot or, more likely, "liveware" (a person) that is trying to hack your site. To try and eliminate the bots, make sure the captcha is not too easily determined. Try switching image types. Stopping a person requires other measures: tracking IP, form validations to try and get as much validation info as possible."

"At the end of the day we ended up reworking our registration form to force JavaScript input validation, plus PHP input validation on the server and a token check. After making these changes bogus registrations stopped. We don't use any additional components, e.g. filters, CAPTCHA, etc."

For WordPress this plugin might come in handy, but I'm not sure how it will work with S2M:
TTC User Registration Bot Detector

Sam
drbyte
Experienced User
Posts: 269
Joined: May 6, 2010

Re: Possible registration vulnerability

Postby Jason Caldwell » May 23rd, 2011, 4:29 am

Hi Sam!

@FrasSmith:
s2Member Pro Forms come with a built-in Captcha code,
which can be enabled with a Pro Form Shortcode attribute:

captcha="clean"

When you set this attribute, visitors must prove they're human by typing a captcha/security code. Possible values: 0 = do NOT require a captcha code on this Form; clean = DO require a captcha code on this Form, using the clean theme style. Possible theme styles include: red, white, clean, and blackglass. This service is powered by Google's reCaptcha system.

For the free version of s2Member, we have tested this plugin, which seems to cover all the areas that s2Member does not. In fact, we decided not to add Captcha boxes into the basics of WordPress, just so that site owners would have the flexibility to choose the security mechanism they prefer ( i.e. through a plugin ). http://wordpress.org/extend/plugins/si- ... wordpress/
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here.
Jason Caldwell
Lead Developer
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: Possible registration vulnerability

Postby FrasSmith » May 23rd, 2011, 8:35 am

Thanks for the answers. I already had SI Captcha on my registration form; it wasn't doing any good. I switched to Google's reCaptcha; it didn't stop the spam registrations either. I've now switched to SABRE, which combines captcha, DNS lookup and form fill timing (i.e. if it's less than 10 seconds it's a script). SABRE seems to be much more successful, although a few still managed to get through.

I'm still not sure how my registration form is being bypassed, i.e. how compulsory S2 custom fields that always have a value don't get saved with these spam registrations, but at least I am now stopping more than 90% of them and can trace the others to manually deal with them.
FrasSmith
Registered User
Posts: 2
Joined: May 20, 2011
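The two defensive ideas that recur in this thread, server-side validation of the fields the form treats as mandatory plus a form token and a fill-time check (the "token check" in the Joomla quote and SABRE's "less than 10 seconds is a script" rule), can both be enforced inside WordPress itself, where a request that never loaded the registration form still has to pass. The plugin below is an added illustration written for this page; it is not s2Member's code and not the SABRE or SI Captcha plugins. It hooks two real WordPress extension points, the register_form action (to emit a signed timestamp into the form) and the registration_errors filter (which register_new_user() applies before any user row is created). The custom field name site_custom_role, the 10 second threshold, and the ex_ function names are assumptions for the example; the field name an s2Member form actually posts is not given on this page and would have to be taken from the live form.

```php
<?php
/*
 * Plugin Name: Example registration checks (illustrative, not part of s2Member)
 * Description: Rejects registrations that skip the form's mandatory field,
 *              carry no valid form token, or are submitted too quickly.
 */

// ASSUMPTION: the mandatory custom field posts as "site_custom_role".
// Replace with the real field name from the site's registration form.
define('EX_REQUIRED_FIELD', 'site_custom_role');
// ASSUMPTION: threshold taken from the "less than 10 seconds" rule quoted above.
define('EX_MIN_SECONDS', 10);

// Emit a signed issue-time into the registration form so that a later POST can
// prove it came from a form that was actually rendered, and when.
function ex_registration_token_field() {
    $issued = time();
    $sig    = hash_hmac('sha256', (string) $issued, wp_salt('nonce'));
    echo '<input type="hidden" name="ex_issued" value="' . esc_attr($issued) . '">';
    echo '<input type="hidden" name="ex_sig" value="' . esc_attr($sig) . '">';
}
add_action('register_form', 'ex_registration_token_field');

// Pure decision function: returns an array of error codes (empty means accept).
// Kept free of WordPress globals so it can be exercised in isolation.
function ex_check_registration(array $post, $now, $secret) {
    $errors = array();

    // 1. The mandatory field must be present and non-empty on the server side;
    //    a client-side "required" attribute means nothing to a scripted POST.
    $field = isset($post[EX_REQUIRED_FIELD]) ? trim((string) $post[EX_REQUIRED_FIELD]) : '';
    if ($field === '') {
        $errors[] = 'missing_required_field';
    }

    // 2. The token must verify against the site secret (constant-time compare).
    $issued   = isset($post['ex_issued']) ? (int) $post['ex_issued'] : 0;
    $sig      = isset($post['ex_sig']) ? (string) $post['ex_sig'] : '';
    $expected = hash_hmac('sha256', (string) $issued, $secret);
    if ($issued === 0 || !hash_equals($expected, $sig)) {
        $errors[] = 'bad_token';
    } elseif ($now - $issued < EX_MIN_SECONDS) {
        // 3. Form was rendered, but filled faster than a person plausibly could.
        $errors[] = 'too_fast';
    }

    return $errors;
}

// registration_errors is applied inside register_new_user(), regardless of
// whether the POST originated from the real page or a script, so a rejection
// here prevents the user row from ever being written.
function ex_registration_errors($errors, $sanitized_user_login, $user_email) {
    $post = stripslashes_deep($_POST);
    foreach (ex_check_registration($post, time(), wp_salt('nonce')) as $code) {
        $errors->add($code, __('Registration could not be completed.'));
        // Record the reason so rejected patterns show up in the PHP error log.
        error_log(sprintf('registration rejected (%s) for login "%s"', $code, $sanitized_user_login));
    }
    return $errors;
}
add_filter('registration_errors', 'ex_registration_errors', 10, 3);
```

Deliberate design choices: the token is an HMAC over the issue time rather than a value stored in the database, so it needs no session state and cannot be forged without the site's salt; the user is shown one generic message for every rejection while the specific code goes only to the error log, which is what an administrator wants when trying to see which of the three checks is actually catching the bogus registrations described above.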

Re: Possible registration vulnerability

Postby dapike » November 25th, 2011, 7:25 am

I too have recently been experiencing bogus registrations that somehow have no data entered into the mandatory registration fields. After checking the HTML access logs for my site, it looks as though these are somehow happening when a URL ending as follows gets used:

/wp-login.php?checkemail=registered

I'm not yet sure how to close the loophole that these bogus registrants are exploiting, so I would welcome suggestions.

- David.
dapike
Registered User
Posts: 9
Joined: October 5, 2010

Re: Possible registration vulnerability

Postby dapike » November 25th, 2011, 9:26 am

Hmmm... upon further investigation, it looks like the /wp-login.php?checkemail=registered URL might simply reflect the bogus registration being successfully processed. I remain baffled as to just how these registrations are being accepted without entering data into the mandatory fields on the registration form.

- David.
dapike
Registered User
Posts: 9
Joined: October 5, 2010