Spam registrations are one of the most persistent headaches for any WordPress site that allows user signups. Bots scan the internet for the default registration URL and flood sites with fake accounts, sometimes hundreds overnight. Changing the register path with WP Ghost eliminates this attack surface in under a minute.
The registration path is the URL where new users sign up for an account on your WordPress website. It’s the page where visitors provide a username, email address, and sometimes a password to create their account.
By default, every WordPress site with registration enabled uses the exact same URL: https://yourdomain.com/wp-login.php?action=register
This path is part of the wp-login.php file, the same file that handles login, password recovery, and account activation. When a user completes the registration form, WordPress creates their account, assigns a default user role, and sends a confirmation email.
The problem? Bots don’t need to discover your registration page. They just append /wp-login.php?action=register to every WordPress domain they find and start creating fake accounts at scale. WordPress’s default registration system includes no built-in spam protection, making every site with open registration an easy target.
Here’s what’s at stake for your hack prevention strategy:
An unsecured registration page isn’t just annoying. It creates real security risks and operational problems that can damage your site, your users, and your reputation.
Spam bots flood your site with fake accounts. This is the most common issue. Bots target the predictable wp-login.php?action=register URL and create hundreds of fake accounts in a matter of hours. According to WPForms, sites that replace the default registration form can reduce spam signups by up to 95%. That’s not a rounding error. That’s a transformation. These fake accounts clutter your user database, skew your analytics, and create administrative work that never should have existed.
Attackers use registration to enumerate usernames. When a bot attempts to register with a username that already exists, WordPress returns a different error message than when the username is available. This lets attackers build a confirmed list of valid usernames, which they then use for targeted brute force attacks on your login page. Changing the register path stops this reconnaissance before it starts.
Fake accounts can exploit plugin vulnerabilities. Once a bot registers a subscriber-level account, it has authenticated access to your site. If any plugin on your site has a privilege escalation vulnerability, that subscriber account can become an admin account. This isn’t hypothetical; it’s one of the most common WordPress attack patterns. Preventing the fake signup in the first place is far more effective than trying to manage the damage after.
Mass registration drains server resources. Each registration attempt triggers database writes, email sends, and user creation processes. When bots hit this endpoint thousands of times, your server resources get consumed, your email deliverability drops (from sending hundreds of confirmation emails to fake addresses), and your real users experience slower page loads.
Changing the registration path removes the default target entirely. When bots can’t find the signup form, they can’t create fake accounts. Combined with brute force protection (which includes reCAPTCHA for signup forms), you get a layered defense that stops spam registration from both directions.
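To see how much automated traffic the default URL attracts on your own site, you can count requests to wp-login.php?action=register in the web server access log. The script below is an added example, not part of WP Ghost; it assumes the Combined Log Format, and the threshold of three POSTs and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def is_default_register(target):
    """True when the request target is wp-login.php with action=register."""
    path, _, query = target.partition("?")
    return path.endswith("/wp-login.php") and "action=register" in query.split("&")

def register_hits(lines):
    """Count requests to the default registration URL per (client IP, method)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_default_register(m.group("target")):
            hits[(m.group("ip"), m.group("method"))] += 1
    return hits

def noisy_clients(lines, min_posts=3):
    """IPs that submitted the default registration form at least min_posts times."""
    hits = register_hits(lines)
    return sorted(ip for (ip, method), n in hits.items()
                  if method == "POST" and n >= min_posts)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:03:14:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 5120 "-" "bot"',
    '203.0.113.7 - - [10/Jan/2025:03:14:02 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "bot"',
    '203.0.113.7 - - [10/Jan/2025:03:14:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "bot"',
    '203.0.113.7 - - [10/Jan/2025:03:14:04 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 5300 "-" "bot"',
    '198.51.100.20 - - [10/Jan/2025:09:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jan/2025:09:31:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2025:10:02:00 +0000] "GET /blog/?action=register HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(noisy_clients(SAMPLE_LOG))
```

Running the same count before and after the path change shows whether requests to the default URL still reach a working form.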
WP Ghost replaces the default wp-login.php?action=register URL with a custom path that only you control. No code editing, no .htaccess changes. Everything is handled through rewrite rules, so your WordPress files stay untouched.
Before you can change any paths, one of WP Ghost’s security levels must be active.
Not sure which mode to choose? Check the Safe Mode vs Ghost Mode comparison.
Once a security mode is active, you can replace the default registration URL with a custom one.
Important: Avoid obvious names like “register”, “signup”, “join”, or “create-account” for your custom path. Bots try common registration-related variations. Use something unique and unrelated to registration.
Good to know: WP Ghost doesn’t physically move or rename any files. It uses rewrite rules to create virtual paths. Your WordPress installation stays completely untouched, and deactivating WP Ghost restores all defaults instantly.
After saving, run a security scan to confirm the registration path is properly changed and the default URL no longer works.
Run this scan after every path change and after plugin updates. For a full breakdown of everything the scanner checks, see the Security Check tutorial.
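The same two conditions can also be checked from outside the site with a logged-out request. This is an added example, not WP Ghost's scanner; it assumes the registration form keeps WordPress core's `id="registerform"` attribute, and the `check_register_path` helper and the example.test responses are hypothetical and constructed.

```python
import urllib.error
import urllib.request

# Form id used by WordPress core's registration page (assumed not altered by a theme or plugin).
FORM_MARKER = 'id="registerform"'

def fetch(url, timeout=10):
    """Logged-out GET returning (status, body); HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "register-path-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_register_path(base_url, custom_path, fetcher=fetch):
    """Check that the form is served at the custom path and no longer at the default URL."""
    base = base_url.rstrip("/")
    default_status, default_body = fetcher(base + "/wp-login.php?action=register")
    custom_status, custom_body = fetcher(base + "/" + custom_path.strip("/"))
    return {
        # Redirects are followed, so a default URL that forwards to the form also fails here.
        "default_hidden": FORM_MARKER not in default_body,
        "custom_serves_form": custom_status == 200 and FORM_MARKER in custom_body,
        "default_status": default_status,
        "custom_status": custom_status,
    }

if __name__ == "__main__":
    # Constructed responses standing in for a correctly configured site.
    pages = {
        "https://example.test/wp-login.php?action=register": (404, "Not found"),
        "https://example.test/my-secure-signup": (200, '<form name="registerform" id="registerform">'),
    }
    print(check_register_path("https://example.test", "my-secure-signup", pages.get))
```

Called without the `fetcher` argument, the function performs the live requests against the base URL you pass in.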
Once you save your new registration path, here’s what changes immediately:
The new registration URL is active right away. If you chose my-secure-signup as your custom path, the registration page is now at yourdomain.com/my-secure-signup. The old /wp-login.php?action=register URL stops working for non-logged-in users.
Registration links on your site update automatically. The “Register” link on your login page and any WordPress-generated registration links point to the new custom path. If you’ve also changed the login path, both are updated together.
Spam bot traffic drops significantly. Without the predictable default URL, bots have no target. WP Ghost users regularly see up to a 99% reduction in automated attacks once paths are properly configured.
The registration process itself works exactly the same. Legitimate users can still sign up. They just access the form through your custom URL instead of the default one. Usernames, emails, passwords, confirmation emails, and user role assignment all continue working normally.
Your front-end content is completely unaffected. This change only applies to the registration URL. Your public pages, posts, SEO rankings, and sitemaps stay exactly the same.
Changing the registration path is usually smooth, but here are the most common issues:
If users see a 404 error or can’t access the registration form after you changed the register path in WP Ghost, the custom path isn’t resolving correctly or cached pages still link to the old URL.
The login page is often cached with the old registration URL. Clear your WordPress cache plugin, CDN cache, and browser cache. Then visit the login page in an incognito window and check that the “Register” link points to your custom path, not the default ?action=register.
Go to WP Ghost > Change Paths and click the Frontend Test button. If the test fails for the registration path, your server’s rewrite rules aren’t handling it. Follow the configuration instructions shown for your server type.
Go to Settings > Permalinks and click Save Changes without modifying anything. This regenerates WordPress’s rewrite rules, which can fix registration path routing issues.
Go to WP Ghost > Change Paths > Login Security and review the custom register path for typos, spaces, or special characters. Test the path directly in your browser: yourdomain.com/your-custom-register-path. You should see the registration form, not a 404.
If the issue persists, go to WP Ghost > Change Paths > Login Security, clear the Custom Register Path field, and save. This restores the default ?action=register URL. If registration works again with the default path, the issue is server rewrite rules not handling the custom path.
Plugins that customize the registration process (membership plugins, custom registration form plugins, user management plugins) can override WP Ghost’s custom registration path. Temporarily deactivate registration-related plugins and test. See also Membership Plugins Not Functioning After Register Path Change for membership-specific conflicts.
If you’ve lost access to the admin dashboard, see the emergency disable guide.
Membership and registration plugins (BuddyPress, Ultimate Member, Paid Memberships Pro, WooCommerce registration, etc.) can break when WP Ghost changes the register path because they hardcode references to the default ?action=register URL structure.
Go to WP Ghost > Change Paths > Login Security and clear the custom register path to restore the default ?action=register. Save the settings. This restores compatibility with membership plugins while all other WP Ghost path changes (login, admin, wp-content, etc.) continue working.
If you want to keep the custom register path, add the membership plugin’s registration URL to WP Ghost > Change Paths > Whitelist Paths. This tells WP Ghost to skip path changes on that specific URL while keeping the custom path active for the default WordPress registration form.
If you need both the custom register path and the membership plugin, contact the plugin’s support. Well-maintained plugins use WordPress filters like register_url for the registration URL rather than hardcoding it. The author may provide an update that respects custom registration paths.
If you’ve lost access to your site, check the emergency disable guide to restore all default paths. You can also use rollback settings or add a constant in wp-config.php to disable WP Ghost temporarily.
It eliminates the vast majority of them. Most spam registrations come from bots that target the predictable default wp-login.php?action=register URL. When that URL doesn’t exist, bots can’t find the signup form. For the small percentage of sophisticated bots that might discover custom paths, add brute force protection with reCAPTCHA to the registration form as a second layer of defense.
No. WooCommerce handles customer registration through its own “My Account” page, which is separate from the WordPress wp-login.php?action=register path. Changing the WordPress registration path with WP Ghost does not interfere with WooCommerce signups. Both systems work independently. WP Ghost is fully compatible with WooCommerce.
Most membership plugins that hook into the standard WordPress registration process continue working with the new custom path. WP Ghost uses rewrite rules that properly redirect the registration function. If a specific membership plugin hardcodes the wp-login.php?action=register URL, you may need to update that reference in the plugin’s settings. Check the compatibility plugins list for known integrations.
If your site doesn’t need public registration (like a personal blog or business site), disabling registration entirely is the simplest option. Go to Settings > General and uncheck “Anyone can register.” But if you run a membership site, community forum, or e-commerce store where customers need accounts, you need registration enabled. In that case, changing the path with WP Ghost gives you the protection you need while keeping signups available for legitimate users.
When bots access the default registration form and try to register with an existing username, WordPress returns a specific error message confirming that username is taken. This lets attackers build a list of valid usernames. When the registration form is at a custom path that bots can’t find, this entire reconnaissance technique fails. For additional protection, WP Ghost also lets you change the author path and hide user IDs, which blocks another common enumeration method.
No. WP Ghost never touches, moves, or renames any WordPress file. All path changes are handled through URL rewrite rules and WordPress filters. Deactivating WP Ghost restores the default wp-login.php?action=register path instantly.
No. The registration page is an admin-side URL that search engines don’t crawl or index. Changing it has zero impact on your public pages, rankings, sitemaps, or front-end content.