Join Jeff Starr for an in-depth discussion in this video, Disable user registration, part of WordPress: Developing Secure Sites.
- [Instructor] User registration is one of WordPress' coolest features. Out of the box, WordPress makes it easy for any visitor to register with your site. This open registration makes sense for some sites but, for others, not so much. In this video, we'll look at how to disable user registration from within the comfort of the WordPress admin area. Here on the general settings screen, we scroll down a bit to find the setting, Membership. When this setting is enabled, anyone can register with the site, even bots, spammers, and other bad actors.
To see how this works, let's go ahead and enable this option and then log out of the admin area. Here on the login page, visitors may now click the Register link to register with your site and, by visitors, I mean anyone or anything. And that's typically what happens when you allow open registration. You get tons of spam and other automated nonsense. So, if you do need to allow open registration, visit the plug-ins directory and check out some of the many plug-ins available for stopping registration spam.
There are lots of great options available. Beyond the spam nuisance, another reason to disable open registration is privilege escalation. Privilege escalation would give a subscriber admin-level access should a plug-in or theme become vulnerable. Granted, this is rare, but it's something to be aware of. Now, let's go ahead and log back into our demo site and disable open registration. Returning to the general settings, we can disable open registration again by simply un-checking this box and then saving our changes.
To verify that registration is disabled, let's quickly log back out. And, sure enough, the register link is no longer available. One more quick note, if your site does allow visitors to register, it's best to keep this setting, New User Default Role, set at Subscriber, just to be safe. These other settings may be fine, if you know what you're doing, but never, ever change this setting to Administrator under any circumstances. It shouldn't even be listed here, in my opinion.
Allowing anyone to register as an admin for your site would be a huge mistake. In this video, we add another layer of security by disabling open registration of users. Open registration should be disabled by default, but it's always a good idea to double-check and make sure the setting is correct, based on the needs of your site. By disabling open registration, we keep bots, spammers, and other bad actors away from the WordPress admin area.
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security