WordPress.org

Making WordPress.org

Opened 7 weeks ago

Closed 3 weeks ago

#4739 closed defect (fixed)

Signup flow needs tweaking to reduce unconfirmed accounts

Reported by: dd32 Owned by: dd32
Milestone: Priority: normal
Component: Login & Authentication Keywords:
Cc:

Description

After looking at the signup flow recently, there's a few things that have stood out as being needed:

  1. We shouldn't create users until after they've verified their email addresses, A lot of users never complete the signup process (Spam mostly I'd be willing to bet) or make typo's in their email addresses resulting in accounts that are never used.
  1. We should "upgrade" to reCaptcha v3 from the v2 invisible version we're currently using. Upgrading will allow us to gain access to the reCaptcha "score" of the user which can be used as a signal for spam and moderation tooling.

We probably want to run v2 and v3 concurrently to tweak the scores used to prevent too much spam bypassing the captcha process currently in place.

Change History (14)

#1 @dd32
7 weeks ago

In 9146:

Login: Store user registrations in a custom table until they confirm their email address (at which time, we create the actual wp_users records).

This is to combat the significant number of unconfirmed accounts that are created, by separating them it's easier to purge them periodically, but also easier to add extra anti-spam checks as needed.

See #4739.

#2 @dd32
7 weeks ago

In 9147:

Login: Add reCaptcha v3 in logging-only mode for registration.

See #4739.

#3 @dd32
7 weeks ago

In 9148:

Login: Handle the various SSO routes a bit better when passing to reCaptcha.

See #4739.

This ticket was mentioned in Slack in #meta by tellyworth. View the logs.


7 weeks ago

#5 @dd32
5 weeks ago

In 9167:

Login: Require a valid reCaptcha v3 score during registration, add reCaptcha to the account confirmation screen as well.

See #4739.

#6 @dd32
5 weeks ago

In 9168:

Login: Purge records from the 'pending registrations' table after 14 days.

By this time, either the account has been created, or the user_login/user_email is now available for registation again.

See #4739.

#7 @tobifjellner
5 weeks ago

@dd32 r9167 contains a string on the login screen "Please wait.."
I think three stops would be better than two.

#8 @dd32
5 weeks ago

In 9169:

Login: Remove a string.

Props tobifjellner.
See #4739.

#9 follow-up: @casiepa
5 weeks ago

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days otherwise the pending account will be destroyed (and so the process has to be repeated) ?

Probably https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php#L101 ?

#10 in reply to: ↑ 9 @dd32
5 weeks ago

Replying to casiepa:

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days otherwise the pending account will be destroyed (and so the process has to be repeated) ?

It used to be 7 days, and then the activation link would expire, the user would end up on a confused page, and they'd have to do the password reset flow (which wasn't obvious).

Adding something to the email, in addition to a "The link you've followed has expired" was on my internal TODO list, but wasn't a priority given the small number of people it affects - Most people complete signup within a few hours (Most i've seen in the last month was ~23hrs), or never do it.

#11 @dd32
3 weeks ago

In 9224:

Login: Add a link expired template, and redirect expierd links to that url.

See #4739.

#12 @dd32
3 weeks ago

In 9225:

Login: bump the caches after r9224.

See #4739.

#13 @dd32
3 weeks ago

In 9226:

Login: Hard-code the lostpassword endpoint to avoid including the regex in the public-facing urls :)

See #4739.

#14 @dd32
3 weeks ago

  • Resolution set to fixed
  • Status changed from assigned to closed

I'm going to close this as fixed for now.

I'm going to skip adding a "must do within 2 weeks" notice to the signup email, as it's not really that critical - if they haven't clicked it, it'll redirect them back to the registration form with their username prefilled and it's just another email verification.

If anyone feels strongly, please re-open with exact wording you'd like to see.

Note: See TracTickets for help on using tickets.