Fighting Member Registration Spam in ExpressionEngine

Member registration spam has become an issue in running ExpressionEngine websites. I have been using EE since it was called pMachine and up until a few months ago, member spam was not really a widespread problem.

ExpressionEngine has grown in popularity over the last few years (especially since the release of the free core version) and now that enough people are using it, EE has become a target for spammers.

There have been many solutions to combat member registration spam posted in the EE forums and most recently in the ExpressionEngine blog.

These methods include changing the member profile trigger word, advanced captcha, etc…

First, changing the profile trigger word is not going to work for long, unless you change it every few days. All changing the trigger word does is cause a failed registration in the automated spamming software, which is run off a list of sites fed into it. As soon as the list of URLs to spam is updated (usually via a Google search; see below), you will start getting spam registrations again.

While this may throw off the spammers temporarily, it is not a very good long term solution. Why?

It’s the footprint, stupid

The best way to combat member registration spam is to remove the footprint. This means you need to remove any reference to ExpressionEngine in all your templates, especially in your forum and member registration templates.

Spammers target sites to spam by using searches to extract lists of sites to target. Take this simple search for example:

inurl:register “expressionengine” registration

About 15,600 results at this time.

Even if you changed the member profile trigger word, your site would still bear the telltale footprint “ExpressionEngine” and show up in searches similar to the above example.

The phrase ExpressionEngine itself is not the only footprint that can be targeted by spammers. There are many other advanced “footprint” searches that can turn up EE and other CMS sites to add to spam targeting lists.

Most of these relate to the default text for registration fields, comment fields, footer, etc…

Footprints like:

  • “Password Confirm”
  • “Screen Name”
  • “notify me of follow-up comments” (About 156,000,000 results)
  • “Remember my personal information” (About 1,640,000 results)

Unfortunately, removing these footprints is the only long term strategy for stopping, or at least minimizing, the impact of spam on your EE website.
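Before you can edit the footprints out, you need to know which templates carry them. The script below is an added example, not code from the post or from ExpressionEngine: it scans template sources for the exact phrases listed above (case-insensitively) and reports the template and line of each hit. The two sample templates are constructed for the demonstration; `scan_directory` assumes your templates are saved as files under a directory you point it at, which is an assumption about your setup.

```python
import re
from pathlib import Path

# The stock wording the post identifies as search-engine footprints.
FOOTPRINTS = [
    "ExpressionEngine",
    "Password Confirm",
    "Screen Name",
    "notify me of follow-up comments",
    "Remember my personal information",
]

# One alternation over every phrase, matched without regard to case.
_PATTERN = re.compile("|".join(re.escape(p) for p in FOOTPRINTS), re.IGNORECASE)


def scan_text(name, text):
    """Return (template name, line number, matched phrase) for every footprint in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            hits.append((name, lineno, match.group(0)))
    return hits


def scan_templates(templates):
    """templates maps a template name to its source; returns all hits across them."""
    hits = []
    for name, text in templates.items():
        hits.extend(scan_text(name, text))
    return hits


def scan_directory(root, suffixes=(".html", ".php")):
    """Scan every template file under root (assumed layout: templates saved as files)."""
    templates = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            templates[str(path)] = path.read_text(errors="replace")
    return scan_templates(templates)


# Constructed sample templates with the default wording still in place.
SAMPLE_TEMPLATES = {
    "member/register": """\
<form method="post" action="/member/register/">
  <label>Screen Name</label>
  <input type="text" name="screen_name">
  <label>Password</label>
  <input type="password" name="password">
  <label>Password Confirm</label>
  <input type="password" name="password_confirm">
  <input type="checkbox" name="accept_terms"> I agree to the terms
</form>
<p>Powered by ExpressionEngine</p>
""",
    "comments/form": """\
<form method="post">
  <textarea name="comment"></textarea>
  <input type="checkbox" name="notify_me"> Notify me of follow-up comments
  <input type="checkbox" name="save_info"> Remember my personal information
</form>
""",
}


if __name__ == "__main__":
    for name, lineno, phrase in scan_templates(SAMPLE_TEMPLATES):
        print(f"{name}:{lineno}: {phrase}")
```

Run it against your real template export with `scan_directory("/path/to/templates")` and extend `FOOTPRINTS` with any other default strings you find in your theme; each hit is a line to reword before the next spam list is compiled.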

Human spammers

There is no doubt that most of the spamming is done by bots or software, but there are several overseas outfits that employ actual humans to do this.

This means that advanced captcha and reCaptcha tricks will at best stop some of the automated spam. Human involvement has been apparent in some of the EE member profile spam I have seen.

At the very least deny the benefit

You should stop your member list pages from being indexed by turning off the Guest Member Group’s ability to view Public Profiles. In addition, you can block search engine spiders from member profiles via robots.txt:

User-agent: *
Disallow: /member/
Disallow: /forums/member/

This will make the spammers’ attempts at gaining backlinks fail, because the member profiles will not be indexed by search engines and will not count as backlinks for the spam websites.

While you’re at it, add the member registration forms to the robots.txt as well. This may keep your registration forms out of the search index and make them harder for spammers to find:

User-agent: *
Disallow: /member/register/
Disallow: /forums/member/register/
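It is worth checking that the rules actually cover the paths you mean to hide, and worth keeping them in one group: the two snippets above both start with `User-agent: *`, and Python’s `urllib.robotparser` keeps only the first `User-agent: *` group it sees, so a second group for the same agent is silently dropped. The following is an added example, not part of the post: it merges the two snippets into a single group, checks a set of sample paths against it, and contrasts that with a constructed two-group variant whose second rule is lost. The `example.com` host is a placeholder.

```python
from urllib.robotparser import RobotFileParser

SITE = "https://example.com"  # placeholder; substitute your own domain

# The post's two snippets combined into one "User-agent: *" group.
MERGED_ROBOTS = """\
User-agent: *
Disallow: /member/
Disallow: /forums/member/
Disallow: /member/register/
Disallow: /forums/member/register/
"""

# Constructed variant: two separate groups for the same agent. The second group's
# path is not covered by the first group's prefixes, so a parser that drops the
# second group will leave /forums/member/register/ crawlable.
SPLIT_ROBOTS = """\
User-agent: *
Disallow: /member/

User-agent: *
Disallow: /forums/member/register/
"""

# Constructed sample paths: a couple of ordinary pages plus the member URLs.
PATHS = [
    "/",
    "/blog/entry/hello/",
    "/member/register/",
    "/member/12/",
    "/forums/member/register/",
    "/forums/member/12/",
]


def parse_robots(text):
    """Build a RobotFileParser from robots.txt text (no network fetch involved)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def blocked_paths(robots_text, paths, agent="*"):
    """Return the subset of paths a crawler identifying as `agent` may not fetch."""
    rp = parse_robots(robots_text)
    return [p for p in paths if not rp.can_fetch(agent, SITE + p)]


if __name__ == "__main__":
    print("merged :", blocked_paths(MERGED_ROBOTS, PATHS))
    print("split  :", blocked_paths(SPLIT_ROBOTS, PATHS))
```

Point `blocked_paths` at the text of your live robots.txt to confirm that every registration and profile URL your templates expose is in the blocked list, and that ordinary entry pages are not.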

Member registration, comment and other spam is quite an annoyance, but by following the tips above, you may be able to reduce its impact on your ExpressionEngine website.

Good luck!

Fighting Member Registration Spam in ExpressionEngine — 6 Comments

  1. Great advice!

    Also, it would be neat to compile at least a starter list of where all the Expression Engine footprints are located and how to change them.

  2. A problem to bear in mind when using robots.txt to prevent search engines is that you are then publicly flagging up exactly where your vulnerable points are: robots.txt is public.

  3. Good point Marmalade, but we are really trying to avoid mass automated spam here, so keeping the vulnerable registration pages out of Google is the goal.

    It is highly unlikely that the spammers would check each robots.txt manually, unless your site is a high profile target, i.e. worth the effort to spam for backlinks.

  4. You can also edit the profile themes to remove the URL etc. fields so that the member cannot ever enter a URL. The other thing worth pointing out is that you should change the words in the membership registration agreement to make it clear that the possibility doesn’t exist; otherwise they’ll still sign up in the expectation of being able to place their spam in the database.

    Any idea what the lang: term is that should be searched for wrt the EE? It also seems to be well hidden wrt the home page title of the EE forums.

  5. Great post! Thank you for the information on ExpressionEngine. I have been looking for information on how to deal with spam!

  6. There’s some obvious ways EE could be made to tackle most spam but its creators are too focused on adding new features than making the existing system work nicely. For starters, why is there no option to automatically delete profiles with more than 1 link in them? That would sort out 99% of all the spam registrations I get. Secondly, a ban keyword list in member profiles so their account is deleted or at least disabled if any of those words are entered (like those as**holes constantly adding coachfactoryoutlet links). This is basic, basic stuff that Elislabs should have built in right from the beginning but couldn’t be bothered.

    Best way I’ve found to tackle registration spam so far is an extension which emails me when a member profile gets updated along with a link to delete it.