Making WordPress.org

Opened 6 years ago

Closed 5 years ago

#4739 closed defect (bug) (fixed)

Signup flow needs tweaking to reduce unconfirmed accounts

Reported by: dd32 Owned by: dd32
Milestone: Priority: normal
Component: Login & Authentication Keywords:
Cc:

Description

After looking at the signup flow recently, there's a few things that have stood out as being needed:

  1. We shouldn't create users until after they've verified their email addresses. A lot of users never complete the signup process (spam mostly, I'd be willing to bet) or make typos in their email addresses, resulting in accounts that are never used.
  2. We should "upgrade" to reCaptcha v3 from the v2 invisible version we're currently using. Upgrading will allow us to gain access to the reCaptcha "score" of the user, which can be used as a signal for spam and moderation tooling.

We probably want to run v2 and v3 concurrently to tweak the scores used to prevent too much spam bypassing the captcha process currently in place.
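The server-side half of the v3 "score" idea above, as an added illustration rather than code from the wporg-login theme: one function that verifies the token against Google's siteverify endpoint and can run in the logging-only mode of r9147 or the enforcing mode of r9167. The secret constant, the threshold value and the function name are assumptions; the rest uses standard WordPress HTTP helpers.

```php
<?php
// Added example, not code from wporg-login. Assumes the reCAPTCHA secret is
// defined as WPORG_RECAPTCHA_V3_SECRET and that the registration form ran
// grecaptcha.execute( $site_key, array( 'action' => 'register' ) ) client-side.

const WPORG_RECAPTCHA_V3_MIN_SCORE = 0.5; // assumed starting threshold; tune from the logs.

/**
 * Verify a reCAPTCHA v3 token for one named action.
 *
 * @param string $token   The g-recaptcha-response value posted with the form.
 * @param string $action  Action name the client executed, e.g. 'register'.
 * @param bool   $enforce false = logging-only (record the score, never block),
 *                        true  = reject tokens below the threshold.
 * @return bool Whether the registration may proceed.
 */
function wporg_verify_recaptcha_v3( $token, $action, $enforce = true ) {
	$response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
		'timeout' => 5,
		'body'    => array(
			'secret'   => WPORG_RECAPTCHA_V3_SECRET,
			'response' => $token,
			'remoteip' => $_SERVER['REMOTE_ADDR'],
		),
	) );
	if ( is_wp_error( $response ) ) {
		// Upstream unreachable: fail open while only logging, fail closed once enforcing.
		error_log( 'recaptcha v3: siteverify failed: ' . $response->get_error_message() );
		return ! $enforce;
	}

	$result = json_decode( wp_remote_retrieve_body( $response ), true );
	$score  = isset( $result['score'] ) ? (float) $result['score'] : 0.0;

	// The score alone is not enough: the token must have been minted for this
	// action and this host, otherwise a token from another form could be replayed.
	$valid = ! empty( $result['success'] )
		&& isset( $result['action'] ) && $result['action'] === $action
		&& isset( $result['hostname'] ) && $result['hostname'] === wp_parse_url( home_url(), PHP_URL_HOST )
		&& $score >= WPORG_RECAPTCHA_V3_MIN_SCORE;

	// Logging-only mode: keep the score next to the pending registration so the
	// threshold can be tuned before it becomes a hard requirement.
	error_log( sprintf( 'recaptcha v3: action=%s score=%.2f valid=%d', $action, $score, (int) $valid ) );

	return $enforce ? $valid : true;
}
```

Running v2 and v3 side by side as the description suggests then amounts to calling this with `$enforce = false` while the v2 check still gates the form, and flipping it once the logged scores show where spam and legitimate signups separate.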

Change History (14)

#1 @dd32
6 years ago

In 9146:

Login: Store user registrations in a custom table until they confirm their email address (at which time, we create the actual wp_users records).

This is to combat the significant number of unconfirmed accounts that are created, by separating them it's easier to purge them periodically, but also easier to add extra anti-spam checks as needed.

See #4739.

#2 @dd32
6 years ago

In 9147:

Login: Add reCaptcha v3 in logging-only mode for registration.

See #4739.

#3 @dd32
6 years ago

In 9148:

Login: Handle the various SSO routes a bit better when passing to reCaptcha.

See #4739.

This ticket was mentioned in Slack in #meta by tellyworth.

5 years ago

#5 @dd32
5 years ago

In 9167:

Login: Require a valid reCaptcha v3 score during registration, add reCaptcha to the account confirmation screen as well.

See #4739.

#6 @dd32
5 years ago

In 9168:

Login: Purge records from the 'pending registrations' table after 14 days.

By this time, either the account has been created, or the user_login/user_email is now available for registration again.

See #4739.

#7 @tobifjellner
5 years ago

@dd32 r9167 contains a string on the login screen "Please wait.."
I think three stops would be better than two.

#8 @dd32
5 years ago

In 9169:

Login: Remove a string.

Props tobifjellner.
See #4739.

#9 follow-up: @casiepa
5 years ago

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days, otherwise the pending account will be destroyed (and so the process has to be repeated)?

Probably https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php#L101 ?

#10 in reply to: ↑ 9 @dd32
5 years ago

Replying to casiepa:

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days, otherwise the pending account will be destroyed (and so the process has to be repeated)?

It used to be 7 days, and then the activation link would expire, the user would end up on a confused page, and they'd have to do the password reset flow (which wasn't obvious).

Adding something to the email, in addition to a "The link you've followed has expired" was on my internal TODO list, but wasn't a priority given the small number of people it affects - Most people complete signup within a few hours (Most I've seen in the last month was ~23hrs), or never do it.

#11 @dd32
5 years ago

In 9224:

Login: Add a link expired template, and redirect expired links to that url.

See #4739.

#12 @dd32
5 years ago

In 9225:

Login: bump the caches after r9224.

See #4739.

#13 @dd32
5 years ago

In 9226:

Login: Hard-code the lostpassword endpoint to avoid including the regex in the public-facing urls :)

See #4739.

#14 @dd32
5 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

I'm going to close this as fixed for now.

I'm going to skip adding a "must do within 2 weeks" notice to the signup email, as it's not really that critical - if they haven't clicked it, it'll redirect them back to the registration form with their username prefilled and it's just another email verification.

If anyone feels strongly, please re-open with exact wording you'd like to see.
