We recently experienced a high volume of new user registrations by spam bots within several of our client’s WordPress websites. These spam bots were targeting the “wp-login.php” file and registering hundreds of new users with real email addresses. The client’s spam and bounce reports indicated a high volume of erroneous registrations through the “wp-login.php?action=register” URL. We have found a simple solution that can be added to your child theme’s functions.php file to redirect any traffic hitting the “wp-login.php?action=register” page to a custom login page you have control over.
Insert the following code at the top of your theme’s functions.php file to redirect visitors to a custom login page. When this code is used in conjunction with the Theme My Login plugin and reCAPTCHA, you can lock out unwanted registrations and allow only legitimate ones.
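    // Redirect every request for wp-login.php to the custom login page.
    add_action( 'init', 'custom_login' );

    function custom_login() {
        global $pagenow; // file name of the script handling the current request

        if ( 'wp-login.php' === $pagenow ) {
            wp_redirect( 'http://yourdomain.com/login/' );
            exit(); // stop here so wp-login.php never processes the request
        }
    }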
After updating the functions.php file, restart Apache and try hitting “https://www.yourdomain.com/wp-login.php?action=register”; you should be redirected to whatever custom login page you created.
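The snippet above redirects every request for wp-login.php, whatever the action. A narrower variant, added here as an example and not part of the original post, redirects only requests whose action is register and writes each one to the PHP error log so the blocked volume can be tracked. The function name, the /login/ path and the log line format are assumptions.

```php
// Added example (not the original post's code). Assumptions: the custom
// login page lives at /login/ on this site; the function name and the
// log line format are made up for illustration.
add_action( 'init', 'example_redirect_register_only' );

function example_redirect_register_only() {
    global $pagenow;

    // Leave every other page alone.
    if ( 'wp-login.php' !== $pagenow ) {
        return;
    }

    // wp-login.php reads the action from $_REQUEST, so a bot that POSTs the
    // form directly is matched as well as a browser following a link.
    // A non-string value (for example action[]=x) is treated as "login".
    $action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : 'login';

    // Login, logout and lost-password requests are not touched by this hook.
    if ( 'register' !== $action ) {
        return;
    }

    // Record the attempt so the blocked volume shows up in the PHP error log.
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $method = isset( $_SERVER['REQUEST_METHOD'] )
        ? sanitize_key( $_SERVER['REQUEST_METHOD'] )
        : 'unknown';
    error_log( sprintf(
        'wp-login.php register request redirected: method=%s ip=%s',
        $method,
        $ip
    ) );

    // home_url() builds the target from the site's own settings, and
    // wp_safe_redirect() refuses to send visitors to a host outside the site.
    wp_safe_redirect( home_url( '/login/' ) );
    exit;
}
```

Use this in place of the broader snippet rather than alongside it, since the broader one would redirect the request first.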