Samuel Elh Blog

WordPress, PHP, Python and JavaScript tutorials and snippets

An effective way of preventing spam registration with JavaScript – WordPress

As I am writing this blog post about preventing spam registration on wordPress, many weblogs out there are getting tons of new accounts registered which belong to robots and are totally untolerated spam.

Preventing Spam Registration on WordPress

There are so many ways out there, free and paid, which would help you knock off spam registration on your WordPress blog or website. One of them is CleanTalk, I love this one as it has a great database of malware checks (blacklist) and many online ready tools to verify a user before it successfully signs up.

But for me, I always prefer not to add another plugin to the load, so if it was to coding a little snippet of script that would help then that would be super. So hopefully this could help out preventing spam registration somehow.

Preventing Spam Registration – JavaScript

As many of you know, or as if you don’t know, spam bots (robots) actually run microsystems that do not have JavaScript running. This means that no DOM JavaScript is available for bots, so we will use this point to add a required (but hidden) field into the user registration form that will work with WordPress nonces too (cool, right?) which will be verified with wp_verify_nonce() function..

Every time the registration screen is requested, the form field for spam check will be added on window load, and it will be required to process the registration.

Important notice – if you are on an environment where your users prefer not to enable JavaScript, then do not use this process OR, notify your users to enable JavaScript in order to register and then switch back to disabled JS mode.

Once the field was not added, the request will be killed with a simple error message:

WordPress are you spamming go back - preventing spam registration

Are you spamming?

Or possibly if you don’t want to kill the request but show a warning message notice instead, comment out wp_die function and remove the comments for $errors->add method usage in the script code; inside se_nospam_register_validate callback function, and this would appear:

bad guy spotted spam registration wordpress - preventing spam registration

Cool! now where can I get the plugin? (no plugin, just some small snippet of non commented code) ; read on.

Preventing Spam Registration on WordPress: The code

You can use the following code to be added to your child theme’s functions file, or download the plugin from Github gist:

  * Plugin Name: No Spam Registration with JavaScript
  * Plugin URI:
  * Description: Prevents spam registration on your WordPress blog/website by adding a necessary form field with JavaScript on document load
  * Author:      Samuel Elh
  * Author URI:
  * Version:     0.1

if ( ! defined ( 'ABSPATH' ) ) {
    exit ( 'Direct access not allowed!' . PHP_EOL );

function se_nospam_register_append_input() {
    echo '<script>', PHP_EOL
       , '  (function(){', PHP_EOL
       , '    document.write(\'<input id="process-register" type="hidden" name="process-register" value="', wp_create_nonce( 'se-nospam-register' ), '" />\');', PHP_EOL
       , '    document.currentScript.remove();', PHP_EOL
       , '  })();', PHP_EOL
       , '</script>', PHP_EOL;

add_action('register_form', 'se_nospam_register_append_input');

function se_nospam_register_validate( $login, $email, $errors ) {
    $die_message = apply_filters('se_nospam_register_error', 'Are you spamming?<p><a href="javascript: window.history.go(-1);">&laquo; Go back</a></p>');
    if ( ! isset($_POST['process-register']) ) {
        wp_die( $die_message );
        // or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
    } else if ( empty($_POST['process-register']) ) {
        wp_die( $die_message );
        // or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
    } else if ( ! wp_verify_nonce($_POST['process-register'], 'se-nospam-register') ) {
        wp_die( $die_message );
        // or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
    return $errors;

add_action('register_post', 'se_nospam_register_validate', 10, 3);

Cool! if preventing spam registration on WordPress with this custom trick has worked for you, then that’s what matters! Yay!! Personally it helped me a lot on my product support forums website where I have bbPress installed for the forums functionality.

Preventing Spam Registration on WordPress: After

Saying that it was helpful to preventing spam registration, there should be more to do after this, right? I mean like, capturing the prevented spam registration attempts and saving some count to the database so you can see a log of how many spam bots were blocked; something like adding this code:

update_option($name = 'se_how_many_spam', intval(get_option( $name )) + 1);

That to be added right before each wp_die in the code, And then calling

get_option( 'se_how_many_spam' );

to tell how much spam was denied. Also you might want to capture the user IP to block them or something, as long as possible, saying that spam can never be tolerated. (beware, bots will call you agressive then)

Note that this can also be effective on embedded forms like registration forms added with widgets or shortcodes, as the form field for spam check will be added with JavaScript there too.

That is it for this tutorial and I am hoping this helps you as it helped me and if there is any improvements or suggestions and ideas to implement, please feel free to discuss in below comments.

Thank you!

Digital Ocean

Cheap Cloud SSD Hosting

Get a VPS now starting at $5/m, fast and perfect for WordPress and PHP applications

Sign Up with $10 Credit


  1. It’s a pretty effective/efficient way I suppose. I would say these days maybe 1% would be bots running on CasperJS/PhantomJS/Selenium etc.

    • samuel

      July 11, 2016 at 9:32 am

      Yes, exactly!! You should always expect a small category of bots beating this up lol, considering that those web stacks are for JavaScript.

      Thanks Francis!

Leave a Reply

Your email address will not be published.


© 2018 Samuel Elh - Powered by WordPress, DigitalOcean & NameCheap

Theme by Anders NorenUp ↑

Subscribe to our mailing list

Sign up to receive updates about WordPress, free and premium plugins and themes in general and tips and tricks

* indicates required