Take a look at Settings > General in your site’s Dashboard, and uncheck “Anyone can Register” and save, this won’t affect Jetpack or its subscriptions system, but it will stop those registrations you’re referring to.
Next, at the Users section of your site’s Dashboard, it’s safe to delete any User there listed as a “Subscriber”. Don’t worry about the role’s name. WordPress itself doesn’t even send subscription content, and there currently are no major plugins which use this role. It was the most limited role, created for subscription plugins hence the name, but none use it. I tried to convince the developers to change the role’s name, but it appears to have been denied: https://core.trac.wordpress.org/ticket/40599
So, to re-cap, switch off “Anyone can Register” at Settings > General, and delete “Subscribers” under Users. This will stop the problem.
Unfortunately, disabling “Anyone can Register” does not solve this, since this only hides the registration page. Bots do not use the UI.
I’m currently trying to fight that tdska-bot with plugins like “Disable Registration Page” or “Disable WP Registration Page”. This does help against most spam bots, but not against tdska…
If you disable “Anyone can Register,” it disables the whole registration system, it doesn’t just hide the page.
If you have disabled “Anyone can Register” and new users are still appearing, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.
Could you please show me where I can confirm that “Anyone can Register” really disables the whole registration system? At least, the woocommerce customer registration is not disabled.
If I enable use the Plugin “Disable User Registration” by Andrei Gheorghiu, the Creation of Testusers by tdska stops, but that also disables woocommerce customer registration, what, of course is not acceptable.
I don’t have time to dive through the code right now, but you can look there if you’d like, or just trust my 17 years of experience with this. 😉
WooCommerce’s customer registration system is not affected by the setting, that’s a fully separate system.
If you need help with that, I recommend asking at https://wordpress.org/support/plugin/woocommerce/ so the plugin’s developers and support community can help you with this.
Well, if there can be “separate systems”, than it should be possible that there are other plugins (like Forum) with “separate systems” that open a door for registration even if the whole registration system is disabled by unchecking “Anyone can Register”.
Seems to me that “you have been hacked” is not the only possible explanation.
I downloaded a plugin called anti-spam by CleanTalk. It had an option to remove all spam users and prevent them from creating new accounts. Thank you all for the help!
Yes, I checked all spam adresses in the past manually at the cleantalk website, and it had a very high accuracy. But the plugins they provide are not for free use, are they?
