Yes, WP Ghost protects against spam signups with a two-layer defense. First, it changes the default registration path (/wp-login.php?action=register) to a custom URL that bots cannot guess, eliminating up to 95% of automated spam registrations because the bots never find the form. Second, it adds reCAPTCHA protection (Math, Google V2, V3, or Enterprise) to whatever registration form remains, blocking the small percentage of bots that do discover the custom path. Both features are free. For content spam in posts and comments, pair WP Ghost with Akismet or another dedicated anti-spam plugin.
Why Spam Signups Happen in the First Place
WordPress’s default registration page lives at a predictable URL: /wp-login.php?action=register. Bots do not need to discover it, they just append that query string to every WordPress domain they find and start firing signup attempts. The default WordPress registration system includes zero spam protection: no attempt limits, no CAPTCHA, no rate limiting. A single bot can create hundreds of fake accounts in an hour, and a botnet can create thousands across thousands of sites per day. Sites that leave open registration at the default URL are easy targets.
Fake accounts cause real problems: they clutter your user database, pollute your analytics, drain server resources with registration writes and confirmation emails, enable username enumeration for follow-on brute force attacks, and can be used as a stepping stone for privilege escalation if any plugin has an auth vulnerability.
How WP Ghost Stops Spam Signups
| Layer | What It Does | Effect |
|---|---|---|
| 1. Change Register Path | Replaces /wp-login.php?action=register with a custom URL | Up to 95% fewer spam signups |
| 2. Brute Force Protection on Sign Up Form | Adds reCAPTCHA and attempt limits | Blocks remaining bots that find the custom URL |
| 3. IP Blacklist / Automation | Bans IPs that repeatedly hit signup forms | Zero future requests from known attackers |
How to Set Up Signup Protection
Step 1. Change the Register Path
First activate Safe Mode or Ghost Mode at WP Ghost > Change Paths > Level of Security. Then go to WP Ghost > Change Paths > Login Security, find the Custom Register Path field, and enter a unique name that bots cannot guess. Avoid obvious terms like “register”, “signup”, “join”, or “create-account”, pick something unrelated to registration. Click Save.
For the full walkthrough see Change the Register Path with WP Ghost.
Step 2. Enable Brute Force Protection
Go to WP Ghost > Brute Force > Settings and switch on Use Brute Force Protection. Choose a reCAPTCHA type:
Math reCAPTCHA, a simple math problem, no API keys needed, easiest to set up. Google reCAPTCHA V2, the classic “I’m not a robot” checkbox. Google reCAPTCHA V3, invisible scoring based on user behavior. Google reCAPTCHA Enterprise, the most advanced option with detailed risk scoring.
Click Save. For reCAPTCHA V2 and above you will need Site Key and Secret Key from the Google reCAPTCHA admin.
Step 3. Enable Sign Up Form Protection
Still in WP Ghost > Brute Force > Settings, find Sign Up Form Protection and switch it on. This adds reCAPTCHA and attempt limits specifically to the registration form, so even if a bot finds your custom register path, it cannot mass-submit signups.
Step 4. Verify with a Security Check
Go to WP Ghost > Security Check and click Start Scan. The scan confirms that the register path is changed, the default URL returns 404, and brute force protection is active on the signup form.
Signup Spam vs Content Spam, Different Problems
It helps to separate two related but distinct problems:
Signup spam means bots creating fake user accounts. WP Ghost handles this directly through register path changes and signup form protection, as covered above.
Content spam means spam text submitted through comment forms, contact forms, or spam links inside posts. WP Ghost blocks comment spam through its comment form protection and path change, but does not filter the text content of submissions. For AI-based content spam filtering, pair WP Ghost with a dedicated anti-spam tool:
Akismet, the default WordPress anti-spam plugin, uses machine learning to identify spam in comments, contact forms, and signup descriptions. Runs well alongside WP Ghost.
Antispam Bee, a free, GDPR-friendly alternative to Akismet that works without external API calls.
CleanTalk, a cloud-based anti-spam service that filters signups, comments, and contact forms.
WP Ghost stops the spam at the form access level (bots never reach the form). Anti-spam plugins filter the content that does get submitted. Together they cover the full spam problem.
Other WP Ghost Features That Help
WP Ghost’s broader protection adds depth to signup security:
Geo Security (Premium), block entire countries from accessing the registration form. If most of your spam signups come from specific regions, Country Blocking at the path level stops them at the firewall.
IP Automation (Premium), when the same IP keeps attempting signups or triggering security rules, WP Ghost’s automation engine permanently bans that IP from your site.
Wrong Username Protection, blocks bots that attempt login with non-existent usernames (a common precursor to signup spam through enumeration). Note: not recommended for membership sites where real users may forget their credentials.
All told, WP Ghost’s 115+ free features and 150+ premium features include everything you need to lock down signup forms at both the access level and the submission level.
Frequently Asked Questions
Will changing the register path stop all spam signups?
It eliminates the vast majority of them, up to 95% based on typical results. Most spam signups come from bots that target the predictable default URL. When that URL returns 404, bots cannot find the signup form. The remaining sophisticated bots are blocked by the reCAPTCHA layer on the Sign Up Form.
Does WP Ghost affect WooCommerce customer registration?
No. WooCommerce handles customer registration through its own My Account page, which is a separate endpoint from WordPress core registration. WP Ghost’s register path change does not interfere with WooCommerce signups, and brute force protection can also be enabled on the WooCommerce login form at WP Ghost > Brute Force > WooCommerce Support.
Will membership plugins still work after changing the register path?
Most membership plugins that use the standard WordPress registration process continue to work with the new custom path because WP Ghost uses rewrite rules that redirect registration function properly. If a specific plugin hardcodes the URL and breaks, either revert to the default path, contact the plugin author for a fix, or consider an alternative plugin. See the compatibility list.
Do I need Akismet if I use WP Ghost?
For signup spam, WP Ghost alone handles it well through path change and reCAPTCHA. For comment spam or contact form spam where real-looking submissions come from the right path, Akismet or a similar anti-spam plugin is a useful addition because it filters the content of submissions, not just access to the form. The two plugins do different jobs and work well together.
Which reCAPTCHA type should I use for signup forms?
Math reCAPTCHA is the easiest to set up and works for most sites, no API keys required. Google reCAPTCHA V3 is the most user-friendly (invisible, no user action required) but needs Google API keys. V2’s checkbox is familiar to most users. Pick based on whether you want zero-setup (Math), invisible (V3), or visible user action (V2).
Is signup protection a free feature?
Yes. Register path change, brute force protection, all four reCAPTCHA types, and Sign Up Form Protection are included in the free version of WP Ghost. Country Blocking and IP Automation are Premium features.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses URL rewrite rules and WordPress hooks to change paths and add brute force protection. No WordPress core files are touched, moved, or renamed. Deactivating WP Ghost restores the default registration URL instantly.