How I permanently prevent spam registrations

Since I started using this plugin, the convenience of it cannot be overstated.


I’ve often said the reason I build my own plugins is simple: to solve the problems I’ve personally faced. By that measure, New User Verify stands out as one of my biggest successes.

Fighting spam registrations (junk sign-ups) used to be a losing battle, forcing me to constantly go into the users admin interface to manually locate and delete them, armed with nothing more than my intuition. The longer I left the task, the more work I had to do. I recall in one particular sitting manually examining and deleting over 150 spam accounts. It wasn’t pretty.

While some spam accounts are easy to spot (andrewmcalister735521eoe@casino-e-store.com doesn’t look legit), on occasion I have still accidentally deleted the account of a legitimate user, for no other reason than they had an email address that ‘looked spammy.’ I would only know when the affected customer eventually complained that they suddenly lost access to their downloads and licenses, which was another manual process for me to restore them. Unfun times.

I’ve seen a few plugins that claim to ‘solve’ this problem, with the caveat that the occasional legit user account might get included in the clean-up operation. Not good enough, IMHO.

I decided it was time to take matters into my own hands. In January of 2025 I engineered a rough prototype with the main goal of stopping spam registrations before the sign-up can complete.

How the heck is that possible, I hear you ask?

You would be forgiven for thinking that this problem could be easily solved with a CAPTCHA challenge, but these days they are easily defeated with machine learning, replay/session tricks, accessibility abuse and to a lesser extent, human-solving services.

CAPTCHA can offer some protection, but it’s best thought of as a speed bump, not a wall. For my plugin, I offer it as an option for the first line of defence. You can choose between reCAPTCHA v2, reCAPTCHA v3, hCaptcha and Turnstile.

The second line of defence is where the real magic happens. The registering email address is examined by your choice of external email validation API (Abstract, ZeroBounce or Kickbox; all have free or paid tiers and you can grab a free API key) to determine its legitimacy.

They accomplish this in several ways:

Simple syntax & formatting checks

  • Does the email address follow proper format?
  • Are there any obvious typos or invalid characters?

Domain & DNS validation

  • Does the domain exist?
  • Does it have valid MX (mail server) records?
  • Is it configured to receive email?

Catch-all detection

Some domains accept any address (e.g. anything@company.com).

  • If true, they mark it as “risky” rather than valid.

SMTP handshake (without sending email)

They connect to the mail server and simulate sending an email:

  • “Hey, do you accept mail for this address?”
  • The server responds with success, failure, or “can’t tell.”

Disposable / temporary email detection

They maintain large, constantly updated lists of:

  • Temp mail providers (Mailinator, Guerrilla Mail, etc.)
  • Known throwaway domains

This thorough examination only takes a couple of seconds and is invisible to real humans when they register.
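To make the layered checks above concrete, here is an added sketch of the decision flow; it is not code from New User Verify or from any of the validation APIs. The regex, the decoy-mailbox method for catch-all detection, and the `fake_mx` / `fake_rcpt` stand-ins for DNS and SMTP (with their `.example` domains) are assumptions constructed so the example runs offline.

```python
import re
import secrets

# Deliberately conservative syntax check (assumption, not the full RFC 5322 grammar).
SYNTAX = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# Constructed sample list; real services maintain far larger, updated lists.
DISPOSABLE = {"mailinator.com", "guerrillamail.com"}

def classify(email, mx_lookup, rcpt_probe):
    """Return (verdict, reason). mx_lookup(domain) -> list of MX hosts;
    rcpt_probe(mx_host, address) -> SMTP reply code to RCPT TO, or None."""
    email = email.strip()
    if not SYNTAX.match(email):
        return "invalid", "syntax"
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    if domain in DISPOSABLE:
        return "invalid", "disposable"
    hosts = mx_lookup(domain)
    if not hosts:
        return "invalid", "no_mx"
    # Catch-all test: a random mailbox that cannot exist should be refused.
    decoy = f"{secrets.token_hex(8)}@{domain}"
    if rcpt_probe(hosts[0], decoy) == 250:
        return "risky", "catch_all"
    code = rcpt_probe(hosts[0], f"{local}@{domain}")
    if code == 250:
        return "valid", "mailbox_accepted"
    if code is not None and 500 <= code < 600:
        return "invalid", "mailbox_rejected"
    return "unknown", "no_definitive_answer"  # timeout, greylisting, 4xx

# Constructed offline stand-ins for DNS and SMTP so the example runs anywhere.
MX = {d: ["mx." + d] for d in ("shop.example", "catchall.example", "slow.example")}
MAILBOXES = {"jane@shop.example"}

def fake_mx(domain):
    return MX.get(domain, [])

def fake_rcpt(host, address):
    domain = address.rsplit("@", 1)[1]
    fixed = {"catchall.example": 250, "slow.example": 451}  # accept-all / temp failure
    if domain in fixed:
        return fixed[domain]
    return 250 if address.lower() in MAILBOXES else 550

if __name__ == "__main__":
    for a in ("jane@shop.example", "x@catchall.example", "z@slow.example"):
        print(a, classify(a, fake_mx, fake_rcpt))
```

Only a definite "invalid" is grounds for blocking a registration outright; "risky" and "unknown" results are the cases the verification email described next is there to settle.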

If anything slips past the first two checks, a verification email acts as the final safeguard, requiring the user to confirm their address by clicking an activation link.

If they don’t click the activation link within 14 days (configurable), the account is assumed spam and automatically deleted.

And finally, an option exists to automatically clean up unverified accounts.

All this works flawlessly to prevent spam sign-ups and the consequent headache of dealing with them, while simultaneously reducing the burden on your database.

Since I started using the plugin, 436 spam accounts have been automatically prevented from registering, and the convenience of this cannot be overstated. When you consider this website only gets low to moderate traffic, you can just imagine how helpful the plugin will be on a busy website with lots of registrations.

New User Verify has matured well beyond that first rough prototype to be a battle-tested solution for everyone, and it’s now ready and willing to make your life easier.
