Serious Registration Spam despite captcha

Hello there, I started my site a few weeks ago. It's called however I am getting some serious registration spamming. I get 10 fake registrations per day (I have not really told anyone about this site, so they are definitely fake). I installed quintagroup captcha on the registration form, but I STILL get spammed.

I don't know what else to do. I am two steps away from switching CMS, but I already put so much time into setting this up. You can visit and see for yourself... there must be a flaw somewhere that allows you to register bypassing captcha, and I don't know where! It seems like a security issue.

Does anyone else have trouble with this? Can someone recommend a course of action?

Thank you!

This is not an issue of Plone but of the kind of captcha you are using. Bots are able to pass capcha protection like this (or the one given by collective.recaptcha).

Think about integrate a protection like the one given by collective.norobots or provide a simple custom captcha protection done by yourself (it's quite simple)

Hey there, thanks for your reply.

Is there a plone plugin I can use in buildout that will give me a more advanced registration form captcha? I am currently using quintagroup.plonecaptcha because it easily plugs into the registration screen.
Does collective.norobots have a registration form plugin like quintagroup.plonecaptcha?

If you get spammed 10 minutes after installing plone, I feel like there should be a quick solution to this that can be done with a fresh install, and that I wouldn't have to make the captcha myself. Over the years plone has gotten very difficult to edit things like the registration form. I used to be a web application developer (although python is something I never completely mastered), and I look around for the HTML for the registration form, and I am completely lost.

Thanks again!

No, I fear that norobots is not giving this OOTB.

It's unfortunate that there is no built-in way to protect the registration page without hard-coding the page specifically (which doesn't look that straight forward, but maybe my python skills could use some work). I tried setting up another out-of-box site under a different server + domain, and also got registration spammed.

Unfortunately this will continue to be a huge barrier to the widespread use of this CMS as it gets defenselessly spammed whenever you try setting it up.. looks like we will have to migrate to a different CMS.

Thank you for your help, I really hope there is a way to protect the registration page in the future.

If you are still looking at this, today I saw this new add-on: collective.registrationcaptcha

ftr and hint: collective.registrationcaptcha needs a = 2.0.3 in your buildouts [versions] section in order to work with Plone 4.3.x.

This is an issue for Plone 5 because none of the P4 products I know about (norobots and the quintagroup captcha) work in P5

What are P5 users doing for captcha in P5. My simple test site got a dozen spam registrations in a day. Seems the only option is to turn off self registration, not much of an option.


We looked more deeply into his problem and it ended up being related to Acquisition. It's been fixed since then.

I haven't tried it, but I imagine works with Plone 5 as well.

Hi, good suggestions as this would really help.
I installed the product and all went well (control portlet showed in the site setup section, etc)

When I tried to register, got the box to enter email for verification and got a generic "there was an error submitting the form"

I'll submit the error on github

I have a P5 site that is swamped with bot registration.

I allow self-registrations; however, I have unchecked the "Let users select their own passwords" thus an email is sent to person for confirmation. However, I still get bot registrations.

I know there has been discussion about this already; however, I haven't seen a solution. I can't be the only site. I did see the confirm request product above and I remember testing it (see above) , I can't remember if it solved the problem. However, this doesn't work with a custom login form I had created so this would require me to go back to the standard registration page, not ideal.

For any site that allows self-registration, this must be a problem. How are people handling it?

Take a look at:

A post was merged into an existing topic: Severe Registration Spam is Back in 5.1 despite Recaptcha2 and Email Confirmation for Registration