Registrations still appear when the option is switched off - Why and how?
I have a WP 4.0 installation with ClassiPress 3.3.2 and the Classi Sky child theme.
In General > Settings I have Membership > Anyone can register unchecked (the option is off).
The registration page does not have the registration form on it.
"** User registration is currently disabled. Please contact the site administrator. **"
However, contributor registrations are still appearing in the database. I need to know how this is happening when the registration form is disabled.
I placed a hook on "user_register" to email me when a registration took place. I receive an email for each spam registration. This assures me that the registrations are happening through WordPress and not via SQL/cPanel or any other malicious script.
I checked the site logs and the spam registrations are posting through the registration page. Here are the HTTP requests (IP and Site URL redacted):
IP REDACTED - - [11/Nov/2014:13:32:54 +0000] "POST /register/ HTTP/1.1" 302 - "SITE REDACTED/register/" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
IP REDACTED - - [11/Nov/2014:13:32:57 +0000] "GET / HTTP/1.1" 200 138849 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
The request clearly shows that the user registered through the /register/ page - but there is no form!
The site has been scanned with Sucuri and there are fresh installations of WordPress 4.0 and ClassiPress 3.3.2.
Interestingly, if I switch to Twenty Twelve (or any other Twenty x themes) the spam registrations stop completely.
If I switch to the main ClassiPress theme (rather than the child Classi Sky) spam registrations start up again.
So, somehow users are able to still register on the /register/ page of ClassiPress even when Membership is disabled (General > Settings) and there is no registration form showing on the front end.
How are they doing this?
Thanks,
Wil.
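The log check described in the post can be scripted. The following is an added example, not part of the original post and not ClassiPress or WordPress code: it reads combined-format access log lines, lists every POST to /register/, and notes whether the same client ever loaded the form page first. The sample lines, addresses, example.test host and the "3xx means accepted" rule are assumptions made for the illustration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format, the format of the two lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<client>.+?) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def registration_posts(lines, path="/register/"):
    """Return one record per POST to `path`, in log order."""
    seen_form = set()  # (client, agent) pairs that requested the form with GET
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None or m["path"].split("?")[0] != path:
            continue  # unparsable line, or a request for some other URL
        key = (m["client"], m["agent"])
        if m["method"] == "GET":
            seen_form.add(key)
        elif m["method"] == "POST":
            status = int(m["status"])
            hits.append({
                "client": m["client"], "time": m["ts"], "status": status,
                # Assumption: a redirect means the handler accepted the submission,
                # like the 302 in the post that came with each new account.
                "accepted": 300 <= status < 400,
                "form_fetched_first": key in seen_form,
            })
    return hits

def top_clients(hits):
    """Count accepted registration POSTs per client, busiest first."""
    return Counter(h["client"] for h in hits if h["accepted"]).most_common()

# Constructed sample input (documentation IP ranges, placeholder host).
UA = "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
SAMPLE = [
    f'203.0.113.7 - - [11/Nov/2014:13:32:54 +0000] "POST /register/ HTTP/1.1" 302 - "http://example.test/register/" "{UA}"',
    f'203.0.113.7 - - [11/Nov/2014:13:32:57 +0000] "GET / HTTP/1.1" 200 138849 "-" "{UA}"',
    '198.51.100.20 - - [11/Nov/2014:14:01:10 +0000] "GET /register/ HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"',
    '198.51.100.20 - - [11/Nov/2014:14:01:30 +0000] "POST /register/ HTTP/1.1" 200 5300 "http://example.test/register/" "ExampleBrowser/1.0"',
]

if __name__ == "__main__":
    print(registration_posts(SAMPLE), top_clients(registration_posts(SAMPLE)))
```

A POST that is accepted without a prior GET of the form from the same client suggests the request was sent straight to the URL, so the server-side handler for /register/ is what needs to enforce the disabled setting, not the missing form.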