I’m currently in the process of finishing up an e-commerce website, which runs on WooCommerce. As soon as it went live, there were five new accounts registered in a couple of hours. Each of them with a suspicious email. Pretty sure none of them wanted to do any purchases.

After some digging, I was able to find out that these spammers visit the following url: https://www.example.com/wp-login.php?action=register. If there’s no captcha and if registrations are allowed, they register a new account. By default, these accounts are assigned the Customer role. So they probably can’t cause any damage but still. It’s really annoying to get emails that a new person registered to the site and it’s a spammer.

The solution? There are lots of plugins that take care of this, but I wanted to solve this problem without any additional plugins (I’m using too many already!). The domain DNS is pointed to Cloudflare, which takes care of a lot of useful things. In Firewall, I created a new rule and assigned a name to it. For the first field, I selected Uri Full. I did not touch the operator field, by default it was set to equals. On Value, I pasted the whole URL – https://www.example.com/wp-login.php?action=register. The most important part comes last – under Then, I selected Challenge(CAPTCHA). After saving the new rule, I tested it out. As soon as I visited the URL, I was presented with a nice CAPTCHA.

Ever since I set this rule, I had no new spam accounts!