Spammers will try anything to get into a Magento site, and customer registration spam is the most common method.
And, what’s the end result?
These attacks can overwhelm your store and have a negative impact on search engine rankings.
At Bobcares, we help customers to secure their websites from spam attacks as part of our Server Support Services for web hosts.
Today, we’ll discuss the top 6 methods used by our Support Engineers to prevent customer registration spam in Magento.
Magento customer registration spam – How to kick out fake accounts?
Based on our experience with Magento websites, the email domains most often used by these spam registrations are @mail.ru, @gmail.ru, @list.ru and similar.
Let’s now see the different methods used by our Server Support Engineers to mitigate this attack.
1) Magento Captcha
Firstly, our Hosting Engineers set up Magento's built-in CAPTCHA feature for the customer registration form.
This prevents bots from auto registering accounts, because it requires human interaction to create an account.
We usually enable the CAPTCHA feature from Magento Admin > System > Configuration > Customers > Customer Configuration > CAPTCHA.
In addition to that, we recommend that our customers enable CAPTCHA on other forms such as Login, Forgot Password, etc.
2) Google reCaptcha
Google reCAPTCHA is a newer and more user-friendly version of CAPTCHA.
It uses different tests to tell humans and bots apart.
This is easy for humans but hard for bots, because it only requires customers to tick a box labelled "I'm not a robot" instead of typing distorted characters.
3) Magento custom extensions
Similarly, there are many Magento extensions available on the market to limit fake user registrations.
Extensions such as Honey Spam, Magento 2 Restrict Fake Registration, etc. help Magento store owners identify and reject spam registrations.
For example, the Honey Spam extension adds a hidden field to the account registration page that normal users can't see.
So, if this field is filled in when the form is submitted, the request is treated as coming from a bot and rejected. In addition to that, it checks the time taken to fill in the form. If the form is submitted too fast, the request is treated as a bot and rejected.
4) Rate limiting rules
Another important step that we take is to create custom rules to rate-limit connections by country, URL, etc.
In this way, the volume of repeated requests can be limited.
5) Block IPs
Our Support Engineers analyze the website access logs and identify the IPs that repeatedly create spam accounts.
Once we have the list of suspicious IP addresses, we block them in the .htaccess file.
For instance, to block the IP address 102.15x.1xx.15x, we add the following deny rule to the .htaccess file.
# An .htaccess file already applies to the directory it sits in, so the rules go at the
# top level: Apache does not allow a <Directory> container inside .htaccess and will
# answer with a 500 error if one is present.
# Order/Deny is the Apache 2.2 syntax; on Apache 2.4 it still works via mod_access_compat.
Order deny,allow
Deny from 102.15x.1xx.15x
Moreover, if the spam comes from a specific network range, we block the whole range of IP addresses in the .htaccess file.
Alternatively, in some situations, we block an entire country from accessing the website. Software firewalls like CSF allow country-wide blocks.
But, this can sometimes block legitimate users too. So, we first confirm with the customers before blocking the country.
Extreme care should be taken when modifying the .htaccess file, because improperly configured .htaccess rules can take down your website.
That’s why our Support Engineers always take a backup of the .htaccess file before making any changes.
6) Email blacklists
Another effective method that our Hosting Engineers use is to block registration from certain domains or domain zones.
For example, on cPanel servers, we use the SpamAssassin feature to blacklist a particular domain, so that the server does not accept emails from that domain.
Similarly, Magento offers various extensions such as Email Blacklist where users can block a particular domain or even use wildcard masks like *@*.ru.
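To make the extension checks from sections 3 and 6 concrete, here is an added example (not code from this post or from any Magento extension) that implements a honeypot field, a minimum fill time and an email blacklist with wildcard masks like *@*.ru. It is framework-agnostic logic written in Python so it can be run directly; the field name website_url, the 3-second threshold and the blacklist entries are assumptions.

```python
import re

# Constructed blacklist of email masks in the same wildcard style as the text's
# "*@*.ru" example. Assumption: '*' matches any run of characters.
BLACKLIST_MASKS = ["*@*.ru", "*@mail.ru", "*@list.ru"]

# Assumption: a real person needs at least this long to fill in the form.
MIN_FILL_SECONDS = 3.0

# Assumption: name of the hidden honeypot input that humans never see.
HONEYPOT_FIELD = "website_url"


def mask_to_regex(mask):
    """Turn a wildcard mask such as '*@*.ru' into an anchored, case-insensitive regex.

    Every literal part is escaped so that the '.' in '.ru' only matches a dot,
    which stops 'alice@rust-lang.org' from matching '*@*.ru'.
    """
    parts = [re.escape(part) for part in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


_COMPILED_MASKS = [mask_to_regex(mask) for mask in BLACKLIST_MASKS]


def email_blacklisted(email):
    """True if the (trimmed) address matches any blacklist mask."""
    address = email.strip()
    return any(regex.match(address) for regex in _COMPILED_MASKS)


def classify_registration(form, rendered_at, submitted_at):
    """Return (accepted, reason) for one submitted registration form.

    form: dict of posted fields; rendered_at / submitted_at: epoch seconds
    recorded when the form was shown and when it was posted.
    """
    # Honeypot: a hidden field is invisible to humans, so any value means a bot
    # filled in every input it found.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    # Timing: bots post almost instantly after the page is served.
    if submitted_at - rendered_at < MIN_FILL_SECONDS:
        return False, "form submitted too fast"
    # Domain blacklist: reject addresses that match a wildcard mask.
    if email_blacklisted(form.get("email", "")):
        return False, "email domain blacklisted"
    return True, "ok"
```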
Conclusion
In short, Magento customer registration spam is a common security problem faced by Magento website owners. Today, we've discussed the top 6 methods that our Server Support Engineers have implemented to prevent fake registrations on Magento websites.