Joomla stop fake spam registrations

The user system is one of many cool Joomla CMS features. Unfortunately, it’s often exploited by spammers who create fake accounts in order to advertise their websites or create very malicious scripts on your server. How do you deal with that?

Add security to Joomla registration


  1. First, check the user registration settings: go to Users -> Manage.
  2. On the right side, click the Options button.
  3. New User Registration Group – change depending on your site. Read more about user groups
  4. Guest User Group – in usual cases this should be set to ‘Public’.
  5. If you don’t expect many registrations, you can set New User Account Activation to ‘Yes’, so you can manually filter who registers on your website.
  6. Captcha – this should prevent spam bots from registering.
    There are various Captcha plugins; choose one that is both friendly to real users and prevents spam bots from registering.

Disable registration (if not needed)

Many people don’t know that even if you haven’t published the login module, bad guys can still access it. So the first step is to disable registration in the Joomla control panel.

  1. Go to Users -> Manage
  2. On the right side click Options button
  3. Allow User Registration – must be set to No. Obviously this disables registration.

Update to Joomla 3.6.4 or newer

Even with registration disabled, I had the same obviously fake users, like crmsystem@joomla.com and Joomla_support@joomla.org. After a little searching, it turned out that old Joomla versions have a critical security hole that allowed bots to bypass Joomla security. (Inadequate checks allows for users to register on a site when registration has been disabled. Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.)
Most importantly, you must update your Joomla site to version 3.6.4 or later.
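
Because the hole described above let accounts be created with registration disabled and with elevated privileges, it is worth reviewing the existing accounts and their groups as well as updating. The query below is an added example, not part of the original post; it assumes MySQL, the standard Joomla 3 tables with `jos_` as a placeholder for your site's table prefix, and the default group titles 'Super Users' and 'Administrator'.

```sql
-- Added example: list every account with its groups, privileged accounts first,
-- then newest registrations first. Replace jos_ with your own table prefix.
SELECT
    u.id,
    u.username,
    u.email,
    u.registerDate,
    u.lastvisitDate,
    u.block,
    -- Group titles come from the usergroups table, so renamed groups still show up
    GROUP_CONCAT(g.title ORDER BY g.title SEPARATOR ', ') AS user_groups,
    -- 1 if the account is in a default administrative group (assumed default titles)
    COALESCE(MAX(g.title IN ('Super Users', 'Administrator')), 0) AS in_admin_group,
    -- 1 if the address is one of the two fake users reported in this post
    u.email IN ('crmsystem@joomla.com', 'Joomla_support@joomla.org') AS reported_fake
FROM jos_users AS u
LEFT JOIN jos_user_usergroup_map AS m ON m.user_id = u.id
LEFT JOIN jos_usergroups AS g ON g.id = m.group_id
GROUP BY
    u.id, u.username, u.email, u.registerDate, u.lastvisitDate, u.block
ORDER BY
    in_admin_group DESC,
    u.registerDate DESC;
```

Any row with `in_admin_group = 1` that you do not recognise, or any account registered after you set Allow User Registration to No, should be blocked and investigated before it is deleted.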