Opened 2 years ago

Closed 19 months ago

#43273 closed defect (bug) (invalid)

User registration can be abused

Reported by: kingannoy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Users
Keywords:
Focuses: administration
Cc:

Description

People are abusing the new-user-registration form of WordPress to send (single) unwanted emails from a large number of websites to someone they want to inconvenience.

For more info on this "trolling" technique have a look at this article:
https://www.wired.com/story/how-journalists-fought-back-against-crippling-email-bombs/

In my experience (support at a few different webhosting companies) the user registration feature is not used by the majority of users; however, it causes a few negative effects when it is left on by default.

Negative effect 1: People get spammed, see the article from Wired for more explanation.

Negative effect 2: The databases of the websites that are abused in this way are filled with (inactive) fake users. In my relatively small sampling this was between 1.000 and 6.000 fake users. This database pollution is unwanted.

Negative effect 3: The recipients of these emails mark them as spam. This gives the mailservers used for sending these emails a bad reputation, which in turn makes it more likely that other (wanted) emails are going to be rejected.

Setting the users_can_register value in the database to 0 by default seems like a really easy way to quickly solve this issue for practically all new WordPress sites from here on out.

Maybe a fix can also be proposed for fixing this for existing sites as well, for example switching it to 0 in a single update.
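
A defender-side check for the abuse described in this ticket, as an added example that is not part of the ticket or of WordPress core: it scans web-server access-log lines for POSTs to the registration form (`wp-login.php?action=register`) and reports time windows with unusually many of them. The log lines are constructed, and the 10-minute window and the threshold of 5 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format (not taken from the ticket).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2018:10:00:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
198.51.100.7 - - [12/Feb/2018:10:01:12 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
203.0.113.20 - - [12/Feb/2018:10:02:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
192.0.2.9 - - [12/Feb/2018:10:03:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2911
203.0.113.20 - - [12/Feb/2018:10:04:05 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
192.0.2.9 - - [12/Feb/2018:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [12/Feb/2018:10:06:30 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
198.51.100.7 - - [12/Feb/2018:10:09:59 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
192.0.2.80 - - [12/Feb/2018:14:30:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
"""

# client IP, timestamp, HTTP method, request target
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def registration_posts(lines):
    """Yield (timestamp, client_ip) for each submission of the registration form."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target = m.groups()
        url = urlsplit(target)
        # endswith() also covers WordPress installed in a subdirectory.
        if (method == "POST" and url.path.endswith("/wp-login.php")
                and parse_qs(url.query).get("action") == ["register"]):
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip

def registration_bursts(lines, window_seconds=600, threshold=5):
    """Return (window_start_utc, submissions, distinct_ips) for each busy window."""
    buckets = defaultdict(list)
    for ts, ip in registration_posts(lines):
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start].append(ip)
    return [
        (datetime.fromtimestamp(start, tz=timezone.utc), len(ips), len(set(ips)))
        for start, ips in sorted(buckets.items())
        if len(ips) >= threshold  # threshold is an assumed value, tune per site
    ]

if __name__ == "__main__":
    for start, count, ips in registration_bursts(SAMPLE_LOG.splitlines()):
        print(f"{start.isoformat()}  {count} registrations from {ips} IPs")
```

A site where registration is switched off (`users_can_register = 0`) should produce no flagged windows, so any hit on such a site is worth a closer look.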

Change History (3)

#1 @SergeyBiryukov
2 years ago

  • Component changed from General to Users

Related: #12682

#2 @kingannoy
2 years ago

  • Summary changed from set users_can_register to 0 by default to User registration can be abused
  • Type changed from enhancement to defect (bug)

I just did a fresh install of WordPress and it seems the default had been changed to:
users_can_register = 0

I guess that will fix the majority of the abuse.

For the cases where the registration option is wanted this abuse will keep happening; maybe a captcha or something like that will be able to solve the problem in those cases?

#3 @pento
19 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version trunk deleted

Registration has been disabled by default since [2141].
