Tags: php, wordpress, validation, woocommerce, spam-prevention

WooCommerce additional registration field validation being ignored?


We've been getting a lot of spam registrations so I am attempting to block registrations from going through that are missing required fields. I have added some additional checks via the woocommerce_register_post, woocommerce_process_registration_errors, and woocommerce_registration_errors filters.

function register_validate_custom_fields( $username, $email, $validation_errors ) {
    // make sure all required fields are present
    $required_fields = ["email", "billing_first_name", "billing_last_name", "billing_address_1", "billing_city", "billing_state", "billing_postcode"];
    foreach ($required_fields as $field) {
        if (!isset($_POST[$field]) || $_POST[$field] == "") {
            $validation_errors->add('required_field', __('Required field missing', 'woocommerce'));
        }
    }
    return $validation_errors;
}
add_action('woocommerce_register_post', 'register_validate_custom_fields', 10, 3);

function custom_registration_errors( $validation_error ) {
    // make sure all required fields are present
    $required_fields = ["email", "billing_first_name", "billing_last_name", "billing_address_1", "billing_city", "billing_state", "billing_postcode"];
    foreach ($required_fields as $field) {
        if (!isset($_POST[$field]) || empty($_POST[$field])) {
            $validation_error = new WP_Error( 'required_field', __( 'Required field missing', 'woocommerce' ) );
        }
    }
    return $validation_error;
}
add_action( 'woocommerce_process_registration_errors', 'custom_registration_errors' );

function validate_required_fields( $errors, $username, $email ) {
    // make sure all required fields are present
    $required_fields = ["email", "billing_first_name", "billing_last_name", "billing_address_1", "billing_city", "billing_state", "billing_postcode"];
    foreach ($required_fields as $field) {
        if (!isset($_POST[$field]) || empty($_POST[$field])) {
            $errors->add('required_field', __('Required field missing', 'woocommerce'));
        }
    }
    return $errors;
}
add_filter( 'woocommerce_registration_errors', 'validate_required_fields', 10, 3 );

However, fake registrations without the required fields still seem to be getting through. We have even got some that were completely blank. Do these filters only return form errors, and not actually block the registrations? Is there another filter that would actually prevent the accounts from being created, and prevent the new account registration emails from being triggered?


Solution

  • So, I did ultimately find the solution here. There were a couple of problems that needed to be addressed.

    Firstly, the reason the WooCommerce filters weren't working was because the registrations were not coming through WooCommerce. They were coming through the standard WordPress registration routes. So the first change that was needed was to uncheck the "Anyone can register" option in the WordPress general settings. This cut down on some of the spam registrations. However, the spammers seem to have many backdoors into the registration routes.

    So, the second problem was in the user_register hook. I had overridden this at some point and was triggering the wp_new_user_notification function without first checking the user values.

    function my_user_register($user_id) {
        $user_info = get_userdata($user_id);

        // make sure the user exists and required fields aren't empty
        if ( $user_info && $user_info->user_email != "" && $user_info->user_login != "" ) {

            // do some other stuff, if you want

            // notify the site admin of the new user registration
            // (the second parameter is deprecated, so pass null)
            wp_new_user_notification($user_id, null, 'admin');
        }
    }
    

    I do still have one lingering question/concern, which is how easy it seems to be for spammers to trigger the user_register hook. Particularly so when there isn't even any user data attached to the call.
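
One way to find out which route each new account actually arrives through, as an added example that is not part of the original answer: a callback on the same user_register hook that records the request's entry point with the account and in the PHP error log. The regaudit_* function names and the _regaudit_origin meta key are made up for this sketch; it assumes the file is loaded as a must-use plugin.

```php
<?php
// Added example, not the answer author's code. Intended as a must-use plugin
// (wp-content/mu-plugins/). The regaudit_* names and the meta key are made up.

// Classify the request that is creating the account.
function regaudit_entry_point() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return 'wp-cli';
    }
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        return 'xmlrpc';
    }
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return 'rest';
    }
    if ( wp_doing_ajax() ) {
        return 'admin-ajax';
    }
    // Nonce field WooCommerce puts in its My Account registration form.
    if ( isset( $_POST['woocommerce-register-nonce'] ) ) {
        return 'woocommerce-form';
    }
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
    return ( 'wp-login.php' === $script ) ? 'wp-login' : 'other:' . $script;
}

function regaudit_log_new_user( $user_id ) {
    $server = function ( $key ) {
        return isset( $_SERVER[ $key ] ) ? (string) $_SERVER[ $key ] : '';
    };
    $record = array(
        'entry'     => regaudit_entry_point(),
        'method'    => $server( 'REQUEST_METHOD' ),
        'uri'       => $server( 'REQUEST_URI' ),
        'ip'        => $server( 'REMOTE_ADDR' ), // the proxy's address if one sits in front
        'agent'     => $server( 'HTTP_USER_AGENT' ),
        'post_keys' => array_keys( $_POST ), // field names only, never values
    );
    // Keep the record with the account and in the PHP error log.
    update_user_meta( $user_id, '_regaudit_origin', wp_slash( $record ) );
    error_log( 'regaudit: new user ' . (int) $user_id . ' ' . wp_json_encode( $record ) );
}
// Priority 1 so this runs before other user_register callbacks.
add_action( 'user_register', 'regaudit_log_new_user', 1 );
```

Accounts whose record shows an entry other than woocommerce-form never passed through the WooCommerce registration filters, which is the situation the answer describes.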