Member registration spam has become an issue in running ExpressionEngine websites. I have been using EE since it was called pMachine and up until a few months ago, member spam was not really a widespread problem.
ExpressionEngine has grown in popularity over the last few years (especially since the release of the free core version) and now that enough people are using it, EE has become a target for spammers.
There have been many solutions to combat member registration spam posted in the EE forums and most recently in the ExpressionEngine blog.
These methods include changing the member profile trigger word, advanced captcha, etc…
First, changing the profile trigger word is not going to work for long, unless you change it every few days. All that changing the trigger word does is cause a failed registration in the automated spamming software, which works from a list of sites that is fed into it. As soon as the list of URLs to spam is updated (usually via a Google search – see below), you will start getting spam registrations again.
While this may throw off the spammers temporarily, it is not a very good long term solution. Why?
It’s the footprint, stupid
The best way to combat member registration spam is to remove the footprint. This means you need to remove any reference to ExpressionEngine in all your templates, especially in your forum and member registration templates.
Spammers target sites to spam by using searches to extract lists of sites to target. Take this simple search for example:
inurl:register “expressionengine” registration –> About 15,600 results at this time
Even if you changed the member profile trigger word, your site would still bear the telltale footprint “ExpressionEngine” and show up in searches similar to the above example.
The phrase ExpressionEngine itself is not the only footprint that can be targeted by spammers. There are many other advanced “footprint” searches that can turn up EE and other CMS sites to add to spam targeting lists.
Most of these relate to the default text for registration fields, comment fields, footer, etc…
Footprints like:
- “Password Confirm”
- “Screen Name”
- “notify me of follow-up comments” –> About 156,000,000 results
- “Remember my personal information” –> About 1,640,000 results
Unfortunately, removing these footprints is the only long term strategy for stopping or at least minimizing the impact of spam on your EE website.
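As an added example (not part of the original post and not ExpressionEngine code), this Python script audits one rendered page of your own site for the default phrases listed above, looking at the text a search engine can index rather than the raw markup. The class and function names and the sample form are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Default phrases named in the article; add any other stock wording your templates keep.
FOOTPRINTS = ["ExpressionEngine", "Password Confirm", "Screen Name",
              "notify me of follow-up comments", "Remember my personal information"]

class IndexableText(HTMLParser):
    """Collect what a crawler can index: visible text plus common text attributes."""
    SKIP = {"script", "style"}
    ATTRS = {"alt", "title", "value", "placeholder", "content"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        self.parts += [v for k, v in attrs if k in self.ATTRS and v]

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def normalise(text):
    # Fold case, unify hyphen variants, collapse whitespace (including &nbsp;).
    text = re.sub(r"[\u2010-\u2015]", "-", text.lower())
    return re.sub(r"\s+", " ", text).strip()

def find_footprints(html, phrases=FOOTPRINTS):
    """Return the phrases that still appear in the indexable text of one rendered page."""
    parser = IndexableText()
    parser.feed(html)
    parser.close()
    haystack = normalise(" ".join(parser.parts))
    return [p for p in phrases if normalise(p) in haystack]

# Constructed sample: a registration form with some default wording left in.
SAMPLE = """<form><label>Screen&nbsp;Name</label><input name="screen_name">
<label>Password<br>Confirm</label><input type="password" name="password_confirm">
<input type="checkbox" title="Notify me of follow&#8209;up comments">
<script>var cms = "ExpressionEngine";</script></form>"""

if __name__ == "__main__":
    print(find_footprints(SAMPLE))
```

Run it over the saved HTML of your registration, comment and forum pages after each template change; an empty list means none of the listed phrases remain in the indexable text.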
Human spammers
There is no doubt that most of the spamming is done by bots or software, but there are several overseas outfits that employ actual humans to do this.
This means that advanced captcha and reCaptcha tricks will, at best, stop only some of the automated spam. Human influence has been apparent from some of the EE member profile spam I have seen.
At the very least deny the benefit
You should stop your member list pages from being indexed by turning off the Guest Member Group’s ability to view Public Profiles. Plus, you can block search engine spiders from member profiles via robots.txt:
User-agent: *
Disallow: /member/
Disallow: /forums/member/
This will make the spammers’ attempts at gaining backlinks fail, because the member profiles will not be indexed by search engines and will not count as backlinks for the spam websites.
While you’re at it, add the member registration forms to the robots.txt as well. This may keep your registration forms out of the search index and make them harder for spammers to find:
User-agent: *
Disallow: /member/register/
Disallow: /forums/member/register/
Member registration, comment and other spam is quite an annoyance, but by following the tips above, you may be able to reduce its impact on your ExpressionEngine website.
Good luck!





Great advice!
Also, it would be neat to compile at least a starter list of where all the ExpressionEngine footprints are located and how to change them.
A problem to bear in mind when using robots.txt to prevent search engines is that you are then publicly flagging up exactly where your vulnerable points are: robots.txt is public.
Good point Marmalade, but we are really trying to avoid mass automated spam here, so keeping the vulnerable registration pages out of Google is the goal.
It is highly unlikely that the spammers would check each robots.txt manually, unless your site is a high-profile target, i.e. worth the effort to spam for backlinks.