Tag: user-registration

  • Stopping WordPress User Registration Spam

    I’ve had a rash of user registration spam lately, and even though I’m sure the site is secure, it’s just very annoying. So I’ve whipped up a quick little hook that I’ve thrown in my mu-plugins to give me the ability to add email hostnames to a blocklist and disable user registration from them:

    /**
     * Hook into the user registration process to deny registration to a blocklist of hostnames.
     *
     * @param string   $sanitized_user_login The sanitized username.
     * @param string   $user_email The user's email address.
     * @param WP_Error $errors Contains any errors with the registration process.
     *
     * @return void
     */
    function emrikol_blocklist_email_registration( string $sanitized_user_login, string $user_email, WP_Error $errors ): void {
    	// Validate the email address.
    	if ( filter_var( $user_email, FILTER_VALIDATE_EMAIL ) ) {
    		// Extract the email hostname from the user's email address and normalize it.
    		$email_parts  = explode( '@', $user_email );
    		$email_hostname = strtolower( $email_parts[1] );
    
    		$blocklist = array(
    			'email.imailfree.cc',
    			'mail.imailfree.cc',
    			'mailbox.imailfree.cc',
    		);
    
    		// Check if the email hostname is in the blocklist.
    		if ( in_array( $email_hostname, $blocklist, true ) ) {
    			$errors->add( 'email_hostname_blocked', __( 'Sorry, registration using this email hostname is not allowed.', 'emrikol' ) );
    		}
    	}
    }
    add_action( 'register_post', 'emrikol_blocklist_email_registration', 10, 3 );

    There are lots of different ways you could extend this for yourself, like adding a hostname regex, a filter, or an admin screen to allow updates to the blocklist without having to make a code deploy.
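
    One way to extend the hook along those lines, as an added example that is not part of the original post: it blocks a domain together with all of its subdomains and reads the list through a filter. The filter name `emrikol_registration_blocklist`, both function names, and the choice to block all of `imailfree.cc` are assumptions.

    ```php
    <?php
    /**
     * Added example: true when $hostname equals a blocklist entry or is a subdomain of one.
     */
    function emrikol_hostname_is_blocked( string $hostname, array $blocklist ): bool {
    	$hostname = rtrim( strtolower( trim( $hostname ) ), '.' );
    	foreach ( $blocklist as $blocked ) {
    		$blocked = rtrim( strtolower( trim( (string) $blocked ) ), '.' );
    		if ( '' === $blocked ) {
    			continue; // An empty entry must never match everything.
    		}
    		// Match on a label boundary so "notimailfree.cc" is not caught by "imailfree.cc".
    		$suffix = '.' . $blocked;
    		if ( $hostname === $blocked || substr( $hostname, -strlen( $suffix ) ) === $suffix ) {
    			return true;
    		}
    	}
    	return false;
    }

    /**
     * Same hook signature as the post's function, using the matcher above.
     */
    function emrikol_blocklist_domain_registration( string $sanitized_user_login, string $user_email, WP_Error $errors ): void {
    	if ( ! filter_var( $user_email, FILTER_VALIDATE_EMAIL ) ) {
    		return; // Only well-formed addresses are checked, as in the post's hook.
    	}
    	// Everything after the last "@" is the hostname.
    	$hostname = substr( $user_email, strrpos( $user_email, '@' ) + 1 );
    	// Assumption: block the whole parent domain. The filter name is hypothetical.
    	$blocklist = (array) apply_filters( 'emrikol_registration_blocklist', array( 'imailfree.cc' ) );
    	if ( emrikol_hostname_is_blocked( $hostname, $blocklist ) ) {
    		$errors->add( 'email_hostname_blocked', __( 'Sorry, registration using this email hostname is not allowed.', 'emrikol' ) );
    	}
    }

    // Register only inside WordPress, so the matcher can also be exercised from plain PHP.
    if ( function_exists( 'add_action' ) ) {
    	add_action( 'register_post', 'emrikol_blocklist_domain_registration', 10, 3 );
    }
    ```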

  • Auto-Upgrading users in WordPress

    I made a small site recently where I wanted all newly registered users from a specific email domain to automatically be administrators (this is a terrible idea, don’t do it).  The user registration was restricted by Single-Sign-On and 2-Factor Authentication, so I felt relatively safe doing this, especially since it was only a “for fun” project.

    The interesting bit of code that upgraded users to admins is as follows:

    add_action( 'user_register', 'upgrade_email_to_admin', 10, 1 );

    /**
     * Promote newly registered users with an example.com address to administrator.
     *
     * @param int $user_id ID of the user that was just registered.
     *
     * @return void
     */
    function upgrade_email_to_admin( $user_id ) {
    	$user = get_user_by( 'ID', $user_id );
    	if ( false !== $user ) {
    		$email = $user->data->user_email;

    		// Only example.com please.
    		if ( false === strpos( $email, '@example.com' ) ) {
    			return;
    		}

    		$roles = $user->roles;

    		if ( ! in_array( 'administrator', $roles, true ) ) {
    			$user_update         = array();
    			$user_update['ID']   = $user_id;
    			$user_update['role'] = 'administrator';
    			wp_update_user( $user_update );
    		}
    	}
    }

    This is 100% insecure, please do not do this 🙂