3

I tried to use the solution 6 from here, but not exactly sure how to do it.

Prevent Spam Account Registration Solution 6: Update fields limitation rules from database : directly in the customer_eav_attribute table, update rows with attribute_id=5 [firstname] and attribute_id=7 [lastname] and replace 255 by 25 :

In my Magento 2.2.6 version, attribute_id=5 and 7 have

validate_rules="{"max_text_length":225,"min_text_length":1}"

and also

input_filter="trim"

I tried to change them to

validate_rules ="{"max_text_length":25,"min_text_length":1}"

and

input_filter =""

but I'm still getting a lot of Russian spam account registrations.

Mage Explorer
  • Spam registration is coming from unprotected API access. See my answer below. You can generate account registrations all day long with customized data – MagenX Jun 09 '19 at 11:54

3 Answers

2

Magento 2 extension for blocking spam creating new customer accounts

https://github.com/mageplaza/magento-2-google-recaptcha

https://github.com/samsteele/spam-registration-blocker

https://github.com/arcmedia/mage2-customer-honeypot

Magento 2 extension for blocking (RUSSIAN) spam bots creating new customer accounts

https://github.com/Kreativsoehne/magento-2-simple-antispam

Amit Bera
Softec
1

In Magento 2.3.1 you can simply create a user with direct API access, using a Postman request with Content-Type: application/json and this raw body:

{
    "customer": {
        "email": "jdoe@example.com",
        "firstname": "Jane",
        "lastname": "Doe",
        "addresses": [
            {
                "defaultShipping": true,
                "defaultBilling": true,
                "firstname": "Jane",
                "lastname": "Doe",
                "region": {
                    "regionCode": "NY",
                    "region": "New York",
                    "regionId": 43
                },
                "postcode": "10755",
                "street": [
                    "123 Oak Ave"
                ],
                "city": "Purchase",
                "telephone": "512-555-1111",
                "countryId": "US"
            }
        ]
    },
    "password": "Password1"
}

response:

{
    "id": 22,
    "group_id": 1,
    "default_billing": "16",
    "default_shipping": "16",
    "created_at": "2019-06-09 11:48:19",
    "updated_at": "2019-06-09 11:48:19",
    "created_in": "Default Store View",
    "email": "jdoe@example.com",
    "firstname": "Jane",
    "lastname": "Doe",
    "store_id": 1,
    "website_id": 1,
    "addresses": [
        {
            "id": 16,
            "customer_id": 22,
            "region": {
                "region_code": "NY",
                "region": "New York",
                "region_id": 43
            },
            "region_id": 43,
            "country_id": "US",
            "street": [
                "123 Oak Ave"
            ],
            "telephone": "512-555-1111",
            "postcode": "10755",
            "city": "Purchase",
            "firstname": "Jane",
            "lastname": "Doe",
            "default_shipping": true,
            "default_billing": true
        }
    ],
    "disable_auto_group_change": 0,
    "extension_attributes": {
        "is_subscribed": false
    }
}

To block API user creation, add the lines below to robots.txt:

## web Api block if no need
Disallow: /rest/default/V1/customers
Disallow: /rest/*
matinict
MagenX
  • Is API access on by default? Do you not need an API user and / or role configured? Or is this on by default too? – Dominic Pixie Jun 09 '19 at 14:09
  • Magento 2 API is always open; some parts require an access token, but mostly not. – MagenX Jun 09 '19 at 16:22
  • I'm checking for creating a customer in the docs. Found this https://devdocs.magento.com/guides/v2.3/rest/tutorials/orders/order-create-customer.html but that says you need a token. Can you create a customer without a token? I'm trying to figure out whether we need to start locking down the API. Also found this: https://devdocs.magento.com/guides/v2.3/rest/anonymous-api-security.html. That would suggest yes, it is open. But as you say, a lot of stuff is open. That has surprised me. – Dominic Pixie Jun 09 '19 at 18:53
  • Wow. How do I lock down the create account API in this case? – Mage Explorer Jun 10 '19 at 16:22
  • You can deny access by IP or create some security rule to check access with some logic – MagenX Jun 10 '19 at 17:48
  • @MagenX any update on how to exactly accomplish the blocking without breaking magento functionality? Magento documentation says "The following APIs remain accessible to anonymous users. Most of these must remain accessible to support the checkout and add-to-cart Ajax functionalities." https://devdocs.magento.com/guides/v2.4/rest/anonymous-api-security.html – teamcrisis Mar 23 '21 at 09:29
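
To see which channel the spam registrations discussed in this thread arrive through (the storefront form or the anonymous REST endpoint shown in the answer above), the web server access log can be split by channel. This is an added example, not part of any post; the combined log format, the form path /customer/account/createpost, the sample lines and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2019:11:48:19 +0000] "POST /rest/default/V1/customers HTTP/1.1" 200 812 "-" "python-requests/2.21"
203.0.113.7 - - [09/Jun/2019:11:48:20 +0000] "POST /rest/default/V1/customers HTTP/1.1" 200 809 "-" "python-requests/2.21"
203.0.113.7 - - [09/Jun/2019:11:48:21 +0000] "POST /index.php/rest/V1/customers HTTP/1.1" 400 131 "-" "python-requests/2.21"
198.51.100.4 - - [09/Jun/2019:11:50:02 +0000] "POST /customer/account/createpost/ HTTP/1.1" 302 0 "https://shop.example/customer/account/create/" "Mozilla/5.0"
198.51.100.9 - - [09/Jun/2019:11:51:10 +0000] "POST /rest/default/V1/customers/isEmailAvailable HTTP/1.1" 200 4 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Jun/2019:11:51:40 +0000] "GET /rest/default/V1/customers/me HTTP/1.1" 401 90 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Exactly the create-customer route, with optional index.php prefix and store code;
# sub-routes such as /customers/isEmailAvailable must not match.
REST_CREATE = re.compile(r'^(?:/index\.php)?/rest/(?:[A-Za-z0-9_]+/)?V1/customers/?(?:\?.*)?$')
# Assumed storefront form target for account creation.
FORM_CREATE = re.compile(r'^(?:/index\.php)?/customer/account/createpost/?(?:\?.*)?$')

def classify(method, path):
    """Return 'rest_api', 'web_form', or None for requests that do not create accounts."""
    if method != "POST":
        return None
    if REST_CREATE.match(path):
        return "rest_api"
    if FORM_CREATE.match(path):
        return "web_form"
    return None

def registration_attempts(log_text):
    """Count account-creation POSTs per (channel, IP) and 2xx REST creations per IP."""
    attempts, created = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        channel = classify(m["method"], m["path"]) if m else None
        if channel is None:
            continue
        attempts[(channel, m["ip"])] += 1
        if channel == "rest_api" and m["status"].startswith("2"):
            created[m["ip"]] += 1
    return attempts, created

def noisy_clients(attempts, threshold=3):
    """(channel, IP) pairs with at least `threshold` registration attempts."""
    return sorted(key for key, n in attempts.items() if n >= threshold)

if __name__ == "__main__":
    attempts, created = registration_attempts(SAMPLE_LOG)
    for (channel, ip), n in sorted(attempts.items()):
        print(f"{channel:9} {ip:15} attempts={n} rest_created={created.get(ip, 0)}")
    print("over threshold:", noisy_clients(attempts))
```
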
0

Enable Captcha from

Admin -> Store -> Configuration -> Customer -> Customer Configuration -> Captcha, choose the Create User option

magento2new