I run several community blogs that maintain an open registration process, meaning a new user can create a new account and begin adding content to the website. Two examples include www.thirdgoal.com and voices.crossandcrescent.com.
User-generated content is nothing new, for many sites permit strangers to comment. But in the WordPress world, there are many plugins and tools to protect the site from comment spam. There are no tools, however, to prevent a spammer from creating hundreds of new accounts and then submitting multiple blog entries.
To keep this from happening on the sites I maintain, I simply delete the bogus new user accounts hours after they are created. I know they are bogus because they have usernames like “alasdflwhw” or use temporary email addresses (for the required email confirmation).
Today, I submitted a feature request to the WordPress community to address this growing problem:
Problem: When “Membership: Anyone can register” is enabled (for multi-user community blogs), spammers are creating hundreds of new accounts using temporary email address services. They then receive the “Your username and password” email confirmation, giving them access to post full entries on the community-blog website.
Proposed Solution: Provide an easy way for admins to maintain a block list of domains that WordPress cannot send emails to, pre-populating the list with the most common temporary email address services.
My Experience: While I do receive an email notification when a user creates a new account, I have to manually delete those users who are obviously using temporary account names and email addresses. While the free @hotmail.com and @gmail.com accounts are less obvious, I have a list of 20 temporary email domains that are frequently used.
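One way to implement the proposed block list today is a small plugin on WordPress's `registration_errors` filter, which rejects the signup before the account is created or the password email is sent. This is an added example, not WordPress core code or part of the feature request; the `tg_` function names, the `tg_blocked_email_domains` option and the sample domains are hypothetical, and it assumes the standard single-site registration form.

```php
<?php
/**
 * Plugin Name: Registration Email Domain Block List (added example)
 */

// Constructed sample domains; replace with the admin's own list.
const TG_DEFAULT_BLOCKED_DOMAINS = array( 'tempmail.example', 'throwaway.example' );

/**
 * Return true when the email's domain, or any parent domain, is on the list.
 */
function tg_email_domain_is_blocked( $email, array $blocklist ) {
    $at = strrpos( $email, '@' );
    if ( false === $at ) {
        return false; // Not an address; WordPress's own validation reports it.
    }
    // Normalise case, whitespace and a trailing dot before comparing.
    $domain  = rtrim( strtolower( trim( substr( $email, $at + 1 ) ) ), '.' );
    $blocked = array_map( 'strtolower', array_map( 'trim', $blocklist ) );
    $labels  = explode( '.', $domain );
    // Check "a.b.c", then "b.c", so subdomains of a listed domain also match.
    while ( count( $labels ) >= 2 ) {
        if ( in_array( implode( '.', $labels ), $blocked, true ) ) {
            return true;
        }
        array_shift( $labels );
    }
    return false;
}

/**
 * Add a registration error when the submitted address uses a blocked domain.
 * Hypothetical option 'tg_blocked_email_domains' holds the admin-maintained list.
 */
function tg_block_disposable_registration( $errors, $sanitized_user_login, $user_email ) {
    $blocklist = get_option( 'tg_blocked_email_domains', TG_DEFAULT_BLOCKED_DOMAINS );
    if ( tg_email_domain_is_blocked( $user_email, (array) $blocklist ) ) {
        $errors->add( 'blocked_email_domain', 'Registration from this email domain is not allowed.' );
    }
    return $errors;
}
add_filter( 'registration_errors', 'tg_block_disposable_registration', 10, 3 );
```

Matching on parent domains matters because temporary email services often hand out addresses on rotating subdomains of the same base domain.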