4 Practical Measures to Combat Fake Sign-Ups

Old door


Intro

If you run a business with a website and a signup form, you may already be getting spam signups. From a custom SaaS application to a WordPress blog, almost everyone is affected in one way or another. Here are some of the ways bot signups hurt businesses:

No matter what your use case is or how it may negatively impact your business down the road, you need to have some sort of protection against fake signups from day one. In this post, we will go through some of the measures you can put in place to minimize the damage.

Using CDN (DNS level protection)

If you are using a CDN for your website, check if they have a bot protection feature. One of the most popular and free CDN is Cloudflare or a paid alternative KeyCDN. Cloudflare comes with Bot Fight Mode. The Bot Fight Mode will help you reduce bot traffic to your site and potentially reduce fake registrations. You also get DDoS protection and faster load times.

Bot Fight Mode in Cloudflare

Using client-side protection

Honeypot

Honeypot is the oldest trick in the book with 0 impact on your website performance, accessibility and privacy. It is considered client-side protection. It involves creating a hidden field in a form and hoping that bots won’t notice it and fill it in automatically. The hidden honeypot field will not be visible to humans, but bots will consider it a valid field. Bots scan web pages and fill in all fields, including the hidden field in your form. You can then reject any submission that contains an entry in a hidden field. We previously talked more about How the honeypot technique prevents bots from spamming your forms. Although it’s less effective now, it still works to some extent.

CAPTCHA

If you are not using Cloudflare or another CDN that comes with bot protection. You can use Cloudflare’s Turnstile on your sign-up forms. Another option is to add reCaptcha or hCaptcha to your forms.

Be aware of the complication with this approach, as all of them inject javascript into your website. This will negatively impact your site’s speed and may cause accessibility issues.

Implementing Turnstile, hCaptcha or reCaptcha on your website involves similar steps:

  1. Generate Site Key and Secret Key for your website
  2. Add javascript file to your website
  3. Server-side validation

Here is the detailed documentation for each of them:

hCaptcha

Which one to use: hCaptcha, reCaptcha or Turnstile?

Here is a simple table comparing these tools.

  reCaptcha hCaptcha Turnstile
Accessibility Partially Partially Partially
Slow website Worse Bad Better
Can be bypassed Yes Yes Yes
Privacy Worse Better Better
Made by Google Intuition Machines Cloudflare


They are partially accessible because they all come with an invisible mode that you can use. However, if your visitors are detected as suspicious, they will likely be stuck with endless loop puzzles to solve.

Anything you add to your site’s HTML will negatively impact your site’s performance, but Turnstile’s JS file seems to have the least impact compared to reCaptcha and hCaptcha.

Turnstile

Do you get fake signups despite reCaptcha, hCaptcha, Turnstile?

You are not alone. Captchas are effective against simple bots, but advanced bots can bypass reCaptcha. There are also “captcha farms” (e.g. 2Captcha) where people are paid to solve reCaptcha at low cost.

This is where we come in. Another way to protect your sign-up forms without using captcha solution is to use server-side solution OOPSpam. To put it simply, your registration form will have no challenge, no javascript or cookies, so no accessibility issues, no slow website.

We already have WordPress, Bubble, Make and Zapier applications, so no need to implement. But if you are building a custom site, use the OOPSpam API to reject or allow new users before confirming or sending a welcome email. For more implementation tips, see Building a complete contact form with PHP & HTML.

Complete protection: Cloudflare + OOPSpam + Honeypot

Best of both worlds, we can combine Cloudflare with OOPSpam and Honeypot to increase our chances against fake account creation and just get a clean sign-up form without all the errors and frustrated users.

OOPSpam: Process your submissions with OOPSpam on your server. This is your last line of defense against bots and manual spammers.

Cloudflare: We recommend using DNS level protection with Cloudflare. You get the same benefit as Turnstile without the website performance and accessibility issues. More about Turnstile check out: What No One Tells You About Cloudflare Turnstile.

Honeypot: This is easy to implement and free.

Final Notes

All websites get hit by spammers eventually. As a site grows and gets more traffic, it attracts more serious spammers with advanced bots. Both honeypot and captcha will protect your site to a certain extent, but they are not enough against targeted spam sign-up attacks, manual spam and sophisticated bots. Using a couple of tools will harden your forms.

I hope this article helps you find a solution to your bot signup problem.

Have a spam-free day!

A cocktail of unique measurements means cutting edge spam protection.

Since our launch in 2017 we’ve been perfecting our API to be the trusted option for small businesses to enterprise— and continue to stick to our values of being the accessibility and privacy-friendly option. Give us a shot!

Try OOPSpam for free → Try our WordPress plugin for free →

✓ No credit card required ✓ Cancel anytime

Enjoy Reading This Article?

Here are some more articles you might like to read next: