If your WordPress site is suddenly creating random users on its own, you’re not alone. Thousands of site owners face a major issue where spam bots automatically register fake users—sometimes hundreds in a single day. These spam accounts clog your database, attempt brute-force attacks, inject harmful links, and even compromise your entire website.

The worst part?
Many website owners don’t know where these spam users are coming from. Is it your membership plugin? WooCommerce? XML-RPC? Theme loopholes? Hidden registrations allowed through WordPress settings?

In this ultimate guide, you’ll learn exactly how to stop WordPress from auto-creating spam users—permanently.

This step-by-step guide covers:

  • Why WordPress auto-creates spam users

  • How bots find hidden registration loopholes

  • How to disable user registration completely

  • How to secure default WordPress forms

  • How to protect WooCommerce registration

  • How to use honeypots, reCAPTCHA, anti-bot firewalls

  • How to block spam via code

  • How to secure XML-RPC

  • How to stop hidden spam user creation from themes & plugins

  • The best plugins to stop WordPress spam users

Let’s fix the problem once and for all.

What Causes WordPress to Auto-Create Spam Users?

There are several possible causes:

1. “Anyone Can Register” is enabled

If this box is checked, WordPress allows public user registration:

Settings → General → Membership → Anyone Can Register

Spam bots constantly scan for this setting.

2. WooCommerce enables customer registration

WooCommerce provides user registration by default during checkout and on the My Account page. Bots exploit both forms.

3. Spam bots attacking wp-login.php

Bots submit automated POST requests to the registration action of wp-login.php to create accounts.

4. Bots using XML-RPC

XML-RPC allows remote actions; bots discover the endpoint through its RSD (Really Simple Discovery) document and then abuse it:

/xmlrpc.php?rsd

5. Hidden registration endpoints from plugins

LMS, forum, membership, and newsletter plugins often create their own registration endpoints, which bots discover and abuse.

6. Poorly coded themes or old plugins

Sometimes themes accidentally expose registration functions via the REST API or admin-ajax.php.

7. Compromised site / malware

A hacked site may auto-create users through injected scripts.

Understanding the cause is the first step. Now let’s fix it.
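To find out which of these entry points is producing the accounts on your site, the following must-use plugin tags every new user with the request context that created it and emails you whenever an account is created with, or promoted to, the administrator role. It is an added example written for this guide, not code from WPThrill or from WordPress itself; the function names prefixed wpthrill_example_ and the user meta key are made up here, while the hooks (user_register, set_user_role), the request constants (XMLRPC_REQUEST, REST_REQUEST) and the helper functions are WordPress core.

```php
<?php
/**
 * Plugin Name: Spam User Source Logger (added example)
 * Description: Records which entry point created each account and alerts on new administrators.
 *
 * Save as wp-content/mu-plugins/spam-user-source-logger.php; must-use plugins
 * load on every request, including XML-RPC, REST and cron, so nothing is missed.
 */

function wpthrill_example_clean( $value ) {
    return sanitize_text_field( (string) $value );
}

// Classify the current request by the entry points listed in this guide. Order
// matters: WooCommerce checkout runs through its own wc-ajax handler, so it is
// tested before the generic admin-ajax check.
function wpthrill_example_registration_source() {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        return 'xmlrpc.php';
    }
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return 'rest-api:' . wpthrill_example_clean( $_SERVER['REQUEST_URI'] ?? '' );
    }
    if ( isset( $_REQUEST['wc-ajax'] ) ) {
        return 'woocommerce-ajax:' . wpthrill_example_clean( $_REQUEST['wc-ajax'] );
    }
    if ( isset( $_POST['woocommerce-register-nonce'] ) ) {
        return 'woocommerce-my-account';
    }
    if ( wp_doing_ajax() ) {
        return 'admin-ajax:' . wpthrill_example_clean( $_REQUEST['action'] ?? '' );
    }
    if ( wp_doing_cron() ) {
        return 'wp-cron';
    }
    if ( 'wp-login.php' === basename( $_SERVER['SCRIPT_NAME'] ?? '' ) ) {
        return 'wp-login.php?action=' . wpthrill_example_clean( $_REQUEST['action'] ?? '' );
    }
    if ( is_admin() ) {
        return 'wp-admin (manual or plugin)';
    }
    return 'front-end:' . wpthrill_example_clean( $_SERVER['REQUEST_URI'] ?? '' );
}

function wpthrill_example_alert( $subject, $detail ) {
    error_log( '[spam-user-audit] ' . $subject . ': ' . $detail );
    wp_mail( get_option( 'admin_email' ), '[' . get_bloginfo( 'name' ) . '] ' . $subject, $detail );
}

// Every new account, whichever form or API created it, passes through user_register.
add_action( 'user_register', function ( $user_id ) {
    $user   = get_userdata( $user_id );
    $source = wpthrill_example_registration_source();
    // REMOTE_ADDR is the proxy's address if the site sits behind Cloudflare.
    $detail = sprintf(
        'user #%d login=%s email=%s roles=%s source=%s ip=%s ua=%s',
        $user_id,
        $user->user_login,
        $user->user_email,
        implode( ',', $user->roles ),
        $source,
        $_SERVER['REMOTE_ADDR'] ?? '?',
        substr( wpthrill_example_clean( $_SERVER['HTTP_USER_AGENT'] ?? '' ), 0, 120 )
    );
    error_log( '[spam-user-audit] new ' . $detail );
    // Keep the source on the user row so spam accounts can later be listed by origin.
    update_user_meta( $user_id, 'wpthrill_registration_source', $source );
    if ( in_array( 'administrator', $user->roles, true ) ) {
        wpthrill_example_alert( 'New administrator account created', $detail );
    }
} );

// An existing account gaining the administrator role. Brand-new users arrive
// here with an empty $old_roles and are already reported above, so skip them.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( empty( $old_roles ) || 'administrator' !== $role ) {
        return;
    }
    if ( ! in_array( 'administrator', (array) $old_roles, true ) ) {
        $user = get_userdata( $user_id );
        wpthrill_example_alert(
            'Account promoted to administrator',
            sprintf( 'user #%d login=%s via %s', $user_id, $user->user_login, wpthrill_example_registration_source() )
        );
    }
}, 10, 3 );
```

The log lines go wherever PHP's error_log is configured (the server's PHP error log, or wp-content/debug.log when WP_DEBUG_LOG is on). After a day of spam the source= field tells you which of the seven causes above to close first, and the stored meta lets you bulk-select the accounts that came through it.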

Step 1: Disable WordPress User Registration (If You Don’t Need It)

If your website does not need public user accounts (membership, LMS, customers), simply disable registration.

Go to:

Settings → General → Membership

Uncheck:

[ ] Anyone can register

This instantly blocks all default WordPress spam registrations.

Step 2: Disable Registration via Code (Recommended)

Even if the membership setting is off, some bots POST directly to:

/wp-login.php?action=register

Add this code to your theme’s functions.php or a custom plugin:

// Disable all WordPress user registrations.
// The filter overrides the "Anyone can register" option, so registration stays
// off even if a plugin or a tampered database setting turns it back on.
add_filter('users_can_register', '__return_false');

// Belt and braces: if the registration form is ever rendered anyway, abort.
add_action('register_form', function() {
    wp_die('Registrations are disabled.');
});

This prevents registrations even if a bot, plugin, or changed database setting re-enables the option, because the filter is applied on every request.

Step 3: Protect WordPress & WooCommerce Registration Forms

Even if you allow user registration (for WooCommerce, membership sites, etc.), you must secure the forms.

Here are the layers you should apply.

1. Add Google reCAPTCHA (v3 or v2)

Bots hate CAPTCHAs. Users rarely notice them.

Best plugin options:

  • Wordfence Login Security

  • Google Captcha (reCAPTCHA) by BestWebSoft

  • Advanced Google reCAPTCHA

Add reCAPTCHA to:

  • WordPress Login

  • WordPress Registration

  • WooCommerce Login

  • WooCommerce Registration

  • Lost Password Form

This stops 95% of spam immediately.

2. Add a Honeypot Field (Invisible to Humans)

A honeypot is a hidden input field that humans never see but automated form fillers complete anyway, which gives them away.

Add this to functions.php:

// Add a honeypot field to the registration form.
// Real browsers never show it; autocomplete="off" and tabindex="-1" keep
// password managers and keyboard navigation from filling it by accident.
add_action('register_form', function() {
    echo '<input type="text" name="hp_check" style="display:none !important" value="" autocomplete="off" tabindex="-1" />';
});

// Reject the registration when the honeypot was filled in.
add_filter('registration_errors', function($errors, $sanitized_user_login, $user_email) {
    if (!empty($_POST['hp_check'])) {
        $errors->add('spam_error', 'Error: Spam detection triggered.');
    }
    return $errors;
}, 10, 3);

This instantly blocks bot submissions.

3. Add Login & Registration Rate Limiting

Bots attempt hundreds of submissions. If you prefer not to use a plugin, you can also limit login attempts manually by adding custom code. Follow this guide on how to limit WordPress login attempts without a plugin to tighten your security even further.

Use these plugins:

  • Wordfence Security

  • Limit Login Attempts Reloaded

Enable:

  • Throttle login attempts

  • Throttle registration attempts

  • Block IP after multiple failed attempts
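If you would rather throttle without a plugin, the snippet below does the three things listed above (throttle registrations, throttle logins, block an IP after repeated failures) using WordPress transients keyed by client IP. It is an added example for this guide, not code from WPThrill or from the plugins named above; the names prefixed wpthrill_example_ and the limits are made up here, while the hooks (registration_errors, authenticate, wp_login_failed, wp_login) and the transient functions are WordPress core.

```php
<?php
// Added example: plugin-free throttling of registration attempts and failed
// logins per client IP, stored in WordPress transients. Place it in a
// must-use plugin or in functions.php.

const WPTHRILL_EXAMPLE_MAX_REGISTRATIONS  = 3;  // registration attempts per IP per window
const WPTHRILL_EXAMPLE_MAX_LOGIN_FAILURES = 5;  // failed logins per IP per window
const WPTHRILL_EXAMPLE_WINDOW             = 15 * MINUTE_IN_SECONDS;

// REMOTE_ADDR is the proxy's address when the site sits behind Cloudflare or a
// load balancer; only swap in a forwarded header if that proxy is trusted.
function wpthrill_example_client_ip() {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function wpthrill_example_bucket( $type ) {
    return 'wpthrill_rl_' . $type . '_' . md5( wpthrill_example_client_ip() );
}

// Count one more event for this IP and return the new total. Re-saving the
// transient restarts the window, so a bot that keeps hammering stays blocked.
function wpthrill_example_hit( $type ) {
    $key  = wpthrill_example_bucket( $type );
    $hits = (int) get_transient( $key ) + 1;
    set_transient( $key, $hits, WPTHRILL_EXAMPLE_WINDOW );
    return $hits;
}

function wpthrill_example_over_limit( $type, $limit ) {
    return (int) get_transient( wpthrill_example_bucket( $type ) ) >= $limit;
}

// Registration: every POST to wp-login.php?action=register passes through this
// filter before the account is created, so count it and reject once over the limit.
add_filter( 'registration_errors', function ( $errors ) {
    if ( wpthrill_example_hit( 'register' ) > WPTHRILL_EXAMPLE_MAX_REGISTRATIONS ) {
        $errors->add(
            'too_many_registrations',
            'Too many registration attempts from your network. Please try again later.'
        );
    }
    return $errors;
} );

// Logins: record each failure. This also fires for XML-RPC logins, because
// they go through wp_authenticate() as well.
add_action( 'wp_login_failed', function () {
    wpthrill_example_hit( 'login' );
} );

// Refuse further attempts once the limit is hit. Priority 40 runs after the
// core password and cookie handlers (registered at 20 and 30), so a later core
// handler cannot turn the refusal back into a successful login.
add_filter( 'authenticate', function ( $user ) {
    if ( wpthrill_example_over_limit( 'login', WPTHRILL_EXAMPLE_MAX_LOGIN_FAILURES ) ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your network. Please wait 15 minutes.'
        );
    }
    return $user;
}, 40 );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( wpthrill_example_bucket( 'login' ) );
} );
```

Transients live in the options table unless a persistent object cache is installed, so each counted attempt is one database write; that is acceptable for a small site and is exactly the kind of load a firewall such as Cloudflare or Wordfence takes off the server on a busy one. Blocked attempts are counted too, which is why a bot that keeps retrying stays locked out until it stops for a full window.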

4. Block Spam Usernames

Many spam users contain:

  • “test”

  • “admin123”

  • “user2025”

  • Random numbers

Block bad usernames:

// Reject usernames containing common spam tokens.
// stripos() is a substring match, so 'user' also blocks legitimate names such
// as "superuser"; keep the list short and specific.
add_filter('registration_errors', function($errors, $username) {
    $blocked = ['admin', 'test', 'demo', 'user'];
    foreach ($blocked as $bad) {
        if (stripos($username, $bad) !== false) {
            $errors->add('invalid_username', 'This username is not allowed.');
            break; // one error is enough
        }
    }
    return $errors;
}, 10, 2);

Step 4: Secure WooCommerce Registration Forms

WooCommerce opens two public registration options:

WooCommerce → Settings → Accounts & Privacy

Disable these if not needed:

[ ] Allow customers to create an account on the "My account" page
[ ] Allow customers to create an account during checkout

If registration is required, add:

  • Email verification plugin

  • reCAPTCHA

  • Honeypot

  • Phone verification (optional)

Recommended plugin:

WooCommerce Anti-Fraud by WooCommerce.com
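A honeypot on the WooCommerce forms works the same way as the one shown for wp-login.php above, but it has to hook WooCommerce's own form and validation actions. The snippet below does that and adds a second check, a minimum time between the form being rendered and submitted, because bots post within milliseconds while a person needs a few seconds to type an email address and a password. It is an added example written for this guide, not code from WPThrill or from WooCommerce; the field names, the wpthrill_example_ functions and the 3-second threshold are made up here, while the woocommerce_* hooks and wp_hash() are real. It assumes the classic (shortcode) My Account and checkout forms; the block-based checkout does not render these hooks.

```php
<?php
// Added example: honeypot plus a signed "form rendered at" timestamp for the
// WooCommerce My Account registration form and the classic checkout form.

const WPTHRILL_EXAMPLE_MIN_SECONDS = 3; // faster than a human can fill in email and password

// Output the honeypot and a timestamp signed with the site's salts, so a bot
// cannot forge an old timestamp to satisfy the minimum fill time.
function wpthrill_example_trap_fields() {
    $ts = time();
    printf(
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        . '<input type="text" name="wpthrill_hp" tabindex="-1" autocomplete="off" value=""></div>'
        . '<input type="hidden" name="wpthrill_ts" value="%d">'
        . '<input type="hidden" name="wpthrill_sig" value="%s">',
        $ts,
        esc_attr( wp_hash( 'wpthrill_ts|' . $ts ) )
    );
}

// Returns null for a plausible human submission, otherwise a short reason.
function wpthrill_example_trap_reason() {
    if ( ! empty( $_POST['wpthrill_hp'] ) ) {
        return 'honeypot filled';
    }
    $ts  = isset( $_POST['wpthrill_ts'] ) ? (int) $_POST['wpthrill_ts'] : 0;
    $sig = isset( $_POST['wpthrill_sig'] ) ? (string) $_POST['wpthrill_sig'] : '';
    if ( $ts <= 0 || ! hash_equals( wp_hash( 'wpthrill_ts|' . $ts ), $sig ) ) {
        return 'timestamp missing or forged'; // the POST did not come from a form we rendered
    }
    $age = time() - $ts;
    if ( $age < WPTHRILL_EXAMPLE_MIN_SECONDS ) {
        return 'submitted too fast (' . $age . 's)';
    }
    if ( $age > DAY_IN_SECONDS ) {
        return 'stale form';
    }
    return null;
}

// Render the fields on both forms. Checkout registration ends up in
// wc_create_new_customer(), which fires the same woocommerce_register_post
// action as the My Account form, so one validator serves both.
add_action( 'woocommerce_register_form', 'wpthrill_example_trap_fields' );
add_action( 'woocommerce_after_order_notes', 'wpthrill_example_trap_fields' );

add_action( 'woocommerce_register_post', function ( $username, $email, $errors ) {
    $reason = wpthrill_example_trap_reason();
    if ( null !== $reason ) {
        error_log( sprintf(
            '[spam-user-audit] blocked WooCommerce registration (%s) email=%s ip=%s',
            $reason,
            sanitize_email( $email ),
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ) );
        // Generic message on purpose: do not tell the bot which check it failed.
        $errors->add( 'wpthrill_spam', 'Registration could not be completed. Please try again.' );
    }
}, 10, 3 );
```

The timestamp is signed rather than stored in the session so the check also works on cached pages and behind a CDN; the only thing a page cache changes is that the rendered timestamp may be old, which is why the stale-form limit is a full day rather than a few minutes.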

Step 5: Disable XML-RPC (Highly Recommended)

XML-RPC is a major spam entry point.

Disable via .htaccess

Add:

# Apache 2.2 syntax, still accepted by Apache 2.4 when mod_access_compat is loaded.
# On a pure 2.4 setup use "Require all denied" inside the same <Files> block instead.
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>

Disable using a plugin

  • Disable XML-RPC by Pantheon

  • Wordfence
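On hosts where you cannot edit .htaccess (nginx, many managed hosts) or prefer not to install another plugin, XML-RPC can be switched off from PHP. The snippet below is an added example for this guide, not code from WPThrill or from the plugins named above; every filter and action it uses is WordPress core, and no other names are assumed. It also covers a gap worth knowing about: the xmlrpc_enabled filter only disables the methods that require a login, so the unauthenticated pingback methods are removed separately.

```php
<?php
// Added example: disable XML-RPC from a must-use plugin or functions.php.
// Jetpack and the WordPress mobile apps need XML-RPC, as the FAQ notes, so
// skip this if you rely on them.

// Disables every XML-RPC method that requires authentication (logging in,
// posting, and the methods that could touch user accounts). Methods that need
// no login, such as pingback.ping, are NOT covered by this filter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods too; they are the ones abused for pingback floods.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: the RSD <link> in <head> (the /xmlrpc.php?rsd
// document bots look for) and the X-Pingback response header.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Belt and braces: answer any remaining xmlrpc.php request with 403 as soon as
// WordPress has loaded, before the XML-RPC server class is instantiated.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
}, 0 );
```

Check the result from the outside: a GET of /xmlrpc.php should now return 403 instead of the usual "XML-RPC server accepts POST requests only" text, and the home page HTML should no longer contain a rel="EditURI" link or an X-Pingback header.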

Step 6: Disable REST API User Endpoints

Some bots create users via the REST API.

Disable user endpoints:

// Remove the user endpoints from the REST API.
// Note: the block editor and the post author dropdown also read /wp/v2/users,
// so logged-in authors lose the author selector when the routes are removed for everyone.
add_filter('rest_endpoints', function($endpoints) {
    if (isset($endpoints['/wp/v2/users'])) {
        unset($endpoints['/wp/v2/users']);
    }
    if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
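Removing the routes for everyone also removes them for your own editors, and the block editor needs /wp/v2/users for the author selector and for @-mentions. The variant below, an added example for this guide rather than code from WPThrill, hides the user routes only from requests that are not logged in; it uses the core rest_endpoints filter and assumes nothing else.

```php
<?php
// Added example: hide all /wp/v2/users routes from anonymous REST requests
// while leaving them available to logged-in users.

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Cookie-plus-nonce and application-password authentication have already
    // run by the time routes are collected, so this check sees the real user.
    // A logged-in browser without a REST nonce is treated as anonymous, which
    // is the behaviour we want for cross-site requests.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me
        // without having to spell out each regex.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

With this in place an anonymous request to /wp-json/wp/v2/users gets a 404 rest_no_route response. On an unmodified install an anonymous POST there already fails with 401 because creating users requires the create_users capability, so the practical gain is denying the anonymous GET that lists author usernames and cutting the noise from bots probing the route.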

Step 7: Install a Security Plugin (Mandatory)

Security plugins block 99% of automated spam attacks. For cases where you need to block access for one specific account without deleting it, you can follow our guide on how to disable login for a specific WordPress user. This lets you revoke access instantly while keeping the user’s data intact.

Best options:

1. Wordfence Security

Includes:

  • Firewall

  • reCAPTCHA

  • Login blocking

  • Malware scanner

2. iThemes Security (now Solid Security)

Includes:

  • Registration brute-force protection. If you want a complete guide dedicated to stopping bots from hammering your login page, check out my full tutorial on handling brute-force attacks here: Secure your WordPress login from brute-force attacks. It walks you through server-level, firewall-level, and plugin-free methods for maximum protection.

  • Passwordless login

  • 2FA

3. CleanTalk Anti-Spam

Best for stopping registration spam.

4. Jetpack Protect

Lightweight firewall.

Install at least one security plugin. If you’re unsure which security plugin is right for your website, we’ve listed the top options in our guide on the best WordPress security plugins to help you choose the strongest protection for your site.

Step 8: Check for Malware if Spam Does Not Stop

If spam users still appear, your site may be hacked.

Signs:

  • New admin accounts created

  • Unknown plugins installed

  • Suspicious cron jobs

  • Modified core files

  • Strange base64 code

Run a scan with:

  • Wordfence

  • Sucuri Scanner

  • MalCare

If malware is found, clean manually or use a service like Sucuri. If you discover any signs of infection, it’s important to clean your site properly without damaging your rankings. You can follow our full guide on how to clean a hacked WordPress site without losing SEO to remove malware safely and protect your search visibility.
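Before paying for a cleanup, the first four signs on the list can be read straight from the database and the file system. The script below is an added example for this guide, not code from WPThrill or from any of the scanners named above; the wpthrill_example_ function names are made up here, while get_users(), _get_cron_array(), get_mu_plugins() and the constants are WordPress core. Run it from the site root with WP-CLI as `wp eval-file spam-user-audit.php`, or include it from a must-use plugin behind a capability check.

```php
<?php
// Added example: read-only audit for new admins, recent registrations,
// scheduled cron hooks, installed plugins and obfuscated PHP files.

require_once ABSPATH . 'wp-admin/includes/plugin.php'; // for get_mu_plugins()

// Sign: new admin accounts.
function wpthrill_example_admins() {
    return get_users( array( 'role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC' ) );
}

// Sign: accounts that appeared recently (default: last 24 hours).
function wpthrill_example_recent_users( $days = 1 ) {
    return get_users( array(
        'date_query' => array( array( 'after' => $days . ' days ago' ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
}

// Sign: suspicious cron jobs. Lists every scheduled hook and whether any
// callback is attached; a hook with no callback is either orphaned from a
// removed plugin or registered by code that only loads in some contexts.
function wpthrill_example_cron_hooks() {
    $rows = array();
    foreach ( (array) _get_cron_array() as $timestamp => $hooks ) {
        foreach ( $hooks as $hook => $events ) {
            foreach ( $events as $event ) {
                $rows[] = array(
                    'hook'     => $hook,
                    'next_run' => gmdate( 'Y-m-d H:i:s', $timestamp ),
                    'schedule' => $event['schedule'] ? $event['schedule'] : 'once',
                    'callback' => has_action( $hook ) ? 'yes' : 'NONE',
                );
            }
        }
    }
    return $rows;
}

// Sign: unknown plugins. Must-use plugins never appear in the normal plugin
// list, which makes wp-content/mu-plugins a favourite hiding place.
function wpthrill_example_plugins() {
    return array(
        'active' => (array) get_option( 'active_plugins', array() ),
        'mu'     => array_keys( get_mu_plugins() ),
    );
}

// Sign: "strange base64 code". Crude grep of PHP files under wp-content for
// the usual obfuscation calls. Legitimate plugins trigger this too, so treat
// the hits as a reading list, not a verdict.
function wpthrill_example_suspicious_php_files( $dir = WP_CONTENT_DIR ) {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( 'php' !== strtolower( $file->getExtension() ) ) {
            continue;
        }
        $code = file_get_contents( $file->getPathname() );
        if ( preg_match( '/\b(eval|base64_decode|gzinflate|str_rot13)\s*\(/i', $code ) ) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

function wpthrill_example_report() {
    echo "== Administrators ==\n";
    foreach ( wpthrill_example_admins() as $u ) {
        printf( "#%d %s <%s> registered %s\n", $u->ID, $u->user_login, $u->user_email, $u->user_registered );
    }
    echo "\n== Users registered in the last 24h ==\n";
    foreach ( wpthrill_example_recent_users() as $u ) {
        printf( "#%d %s <%s> roles=%s registered %s\n",
            $u->ID, $u->user_login, $u->user_email, implode( ',', $u->roles ), $u->user_registered );
    }
    echo "\n== Scheduled cron hooks ==\n";
    foreach ( wpthrill_example_cron_hooks() as $r ) {
        printf( "%-50s next=%s every=%s callback=%s\n", $r['hook'], $r['next_run'], $r['schedule'], $r['callback'] );
    }
    echo "\n== Plugins ==\n";
    print_r( wpthrill_example_plugins() );
    echo "\n== PHP files calling eval/base64_decode/gzinflate/str_rot13 ==\n";
    echo implode( "\n", wpthrill_example_suspicious_php_files() ), "\n";
}

wpthrill_example_report();
```

The fifth sign, modified core files, is covered by WP-CLI itself: `wp core verify-checksums` compares every core file against the checksums published by WordPress.org, and `wp plugin verify-checksums --all` does the same for plugins from the directory. Anything that both commands report clean but the script above still flags deserves a manual look.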

Step 9: Hide wp-login.php

Bots always attack:

/wp-login.php
/wp-admin/

Use plugins:

  • WPS Hide Login

  • Hide My WP Ghost

Change login page to something like:

/secure-panel/

This dramatically reduces spam attempts.

Step 10: Block Countries (Optional)

If you only serve UK/US/EU, you can block other regions.

Use Cloudflare Firewall Rules:

Block registration-related threats by countries known for spam.

Troubleshooting Checklist

If spam users still appear, check:

  • Membership setting

  • WooCommerce account settings

  • XML-RPC

  • REST API

  • Hidden member plugins

  • BuddyPress/BuddyBoss/LMS registration

  • Gravity Forms / Contact Form 7 exposed endpoints

  • Malware injections

  • Weak hosting firewall

Follow the above steps and spam user creation will completely stop. If your site is also experiencing slow performance or unusual spikes in background activity, it’s possible that spam bots are overloading your admin-ajax.php file. You can follow this detailed guide on how to fix high admin-ajax usage in WordPress to reduce server load and improve overall security.

Conclusion

Auto-created spam users in WordPress are not just annoying—they’re a security threat. Whether bots are exploiting WooCommerce, XML-RPC, default registration, or hidden plugin endpoints, the solution is a combination of:

  • Hardening user registration

  • Adding reCAPTCHA

  • Using honeypots

  • Installing a firewall

  • Blocking bad bots

  • Closing all public endpoints

Once configured properly, your site will stay clean, secure, and spam-free permanently. If your site is currently flooded with spam accounts or hacked through fake user registrations, don’t wait for the problem to grow. I offer fast, expert fixes for any WordPress security issue. Get real help within minutes here: Emergency WordPress Support and secure your website before it’s too late.

Frequently Asked Questions (FAQs)

1. Why is WordPress creating users automatically?

Because public registration is enabled or bots are exploiting registration endpoints from WordPress, WooCommerce, or plugins.

2. How do I stop spam user registration in WordPress?

Disable user registration in Settings → General or secure forms with CAPTCHA, honeypots, and security plugins.

3. Why am I getting WooCommerce spam customers?

WooCommerce allows customers to register. Bots use the My Account page or checkout form to create fake users.

4. Is disabling XML-RPC safe?

Yes. Most sites do not need XML-RPC. Disable it unless you use Jetpack or remote publishing apps.

5. How do I block bots completely?

Use Wordfence, a CAPTCHA plugin, honeypots, Cloudflare firewall, and hide wp-login.php.

6. Can malware create WordPress spam users?

Yes. Infected sites often generate hidden admin accounts or fake subscribers.

Copyright @ 2025 WPThrill.com. All Rights Reserved.