Block WordPress Users Registration

"Anyone can register" is already off but accounts are still appearing, it means bots are bypassing the standard WordPress settings.

This usually happens through hidden "backdoors" created by other plugins.

Here are the three most likely culprits and how to shut them down:

1. Check WooCommerce Settings (The #1 Culprit)

If you have WooCommerce installed, it has its own registration toggle that ignores the global WordPress setting.

  • Go to WooCommerce > Settings > Accounts & Privacy.

  • Look for Customer registration.

  • Uncheck: "Allow customers to create an account on the 'My Account' page."

  • Uncheck: "Allow customers to create an account during checkout" (unless you strictly need this).

2. Block the XML-RPC and REST API "Backdoors"

Bots often don't use your website's forms at all; they send registration data directly to your site's programming interface (API).

  • The Fix: Install a lightweight plugin like Disable REST API or Disable XML-RPC.

  • Alternatively, if you use Wordfence, go to Login Security > Settings and ensure "Disable XML-RPC authentication" is checked.

3. Change Your Registration "Slug"

Even with registration off, bots keep hitting the URL wp-login.php?action=register which can sometimes trigger bugs in poorly coded plugins.

  • Install WPS Hide Login.

  • Change your login URL to something unique (e.g., yoursite.com/hidden-entrance).

  • This makes the default "front door" return a 404 error, so the bots stop knocking entirely.


How to Clean Up the Existing Bot Accounts

Once you've closed the door, you can mass-delete the fake users:

  1. Go to Users > All Users.

  2. Click the Subscriber tab (99% of bots register as subscribers).

  3. Select all, then use Bulk Actions > Delete.

Pro-Tip: If you have thousands of bots, use a plugin like Bulk User Management to delete them in one click so your server doesn't crash from trying to process too many at once.