Making WordPress.org

#4739 closed defect (fixed)

Signup flow needs tweaking to reduce unconfirmed accounts

Reported by: dd32 Owned by: dd32
Milestone: Priority: normal
Component: Login & Authentication Keywords:


After looking at the signup flow recently, there's a few things that have stood out as being needed:

  1. We shouldn't create users until after they've verified their email addresses. A lot of users never complete the signup process (Spam mostly I'd be willing to bet) or make typos in their email addresses resulting in accounts that are never used.
  2. We should "upgrade" to reCaptcha v3 from the v2 invisible version we're currently using. Upgrading will allow us to gain access to the reCaptcha "score" of the user which can be used as a signal for spam and moderation tooling.

We probably want to run v2 and v3 concurrently to tweak the scores used to prevent too much spam bypassing the captcha process currently in place.

Change History (14)

#1 @dd32
11 months ago

In 9146:

Login: Store user registrations in a custom table until they confirm their email address (at which time, we create the actual wp_users records).

This is to combat the significant number of unconfirmed accounts that are created, by separating them it's easier to purge them periodically, but also easier to add extra anti-spam checks as needed.

See #4739.

#2 @dd32
11 months ago

In 9147:

Login: Add reCaptcha v3 in logging-only mode for registration.

See #4739.

#3 @dd32
11 months ago

In 9148:

Login: Handle the various SSO routes a bit better when passing to reCaptcha.

See #4739.

This ticket was mentioned in Slack in #meta by tellyworth.

11 months ago

#5 @dd32
10 months ago

In 9167:

Login: Require a valid reCaptcha v3 score during registration, add reCaptcha to the account confirmation screen as well.

See #4739.

#6 @dd32
10 months ago

In 9168:

Login: Purge records from the 'pending registrations' table after 14 days.

By this time, either the account has been created, or the user_login/user_email is now available for registration again.

See #4739.
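
The flow described by the ticket and by r9146, r9147, r9167 and r9168 (hold the signup in a pending store until the email is confirmed, evaluate the reCaptcha v3 verdict first in logging-only mode and then enforce a score threshold, purge pending records after 14 days) is modelled below as an added example. It is not code from the wporg-login theme or the wordpress.org codebase; the hostname, threshold, token-age bound, clock values and siteverify replies are all constructed for the example.

```python
"""Pending-registration flow gated by a reCAPTCHA v3 score (added example).

Not code from the wordpress.org login theme: it models what the ticket and
r9146/r9147/r9167/r9168 describe. A signup is held in a pending store until
the email is confirmed, the reCAPTCHA v3 siteverify verdict is evaluated in
logging-only or enforcing mode, and pending records are purged after 14 days.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

PENDING_TTL = timedelta(days=14)          # r9168: purge pending records after 14 days
SCORE_THRESHOLD = 0.5                     # assumed; tune from scores logged in logging-only mode
EXPECTED_HOSTNAME = "login.example.test"  # assumed site hostname
TOKEN_MAX_AGE = timedelta(minutes=2)      # assumed bound on how old a v3 token may be


def evaluate_recaptcha(siteverify_json: str, expected_action: str, enforce: bool,
                       now: datetime, threshold: float = SCORE_THRESHOLD) -> Tuple[bool, dict]:
    """Return (allowed, details) for a siteverify reply.

    Checks success, the action the page requested, hostname, token timestamp
    and score. In logging-only mode (r9147) the request is always allowed, but
    details["reasons"] still records why it would have been rejected.
    """
    r = json.loads(siteverify_json)
    reasons: List[str] = []
    if not r.get("success"):
        reasons.append("verification failed: %s" % r.get("error-codes"))
    if r.get("action") != expected_action:
        reasons.append("action mismatch")
    if r.get("hostname") != EXPECTED_HOSTNAME:
        reasons.append("hostname mismatch")
    ts = r.get("challenge_ts")
    if not ts:
        reasons.append("missing challenge_ts")
    elif now - datetime.fromisoformat(ts.replace("Z", "+00:00")) > TOKEN_MAX_AGE:
        reasons.append("token too old")
    score = r.get("score")
    if score is None or score < threshold:
        reasons.append("score below threshold")
    allowed = (not reasons) if enforce else True
    return allowed, {"score": score, "action": r.get("action"), "reasons": reasons}


@dataclass
class Pending:
    user_login: str
    user_email: str
    created: datetime
    token_hash: str   # only a hash of the emailed confirmation token is stored


class RegistrationFlow:
    """In-memory stand-in for the pending-registrations table and wp_users."""

    def __init__(self) -> None:
        self.pending: Dict[str, Pending] = {}
        self.users: Dict[str, str] = {}    # user_login -> user_email

    def register(self, user_login: str, user_email: str, now: datetime) -> str:
        """Hold the signup in the pending store; return the token to email."""
        if user_login in self.users or user_login in self.pending:
            raise ValueError("user_login is taken or pending confirmation")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user_login] = Pending(user_login, user_email, now, digest)
        return token

    def confirm(self, user_login: str, token: str, now: datetime) -> str:
        """Create the real user only once the emailed token is presented (r9146)."""
        rec = self.pending.get(user_login)
        if rec is None:
            return "not_found"
        if now - rec.created > PENDING_TTL:
            return "expired"          # r9224: send the user to a link-expired page
        if not hmac.compare_digest(rec.token_hash, hashlib.sha256(token.encode()).hexdigest()):
            return "bad_token"
        self.users[user_login] = rec.user_email
        del self.pending[user_login]
        return "created"

    def purge_expired(self, now: datetime) -> int:
        """Cron-style cleanup (r9168); frees the user_login/user_email for reuse."""
        stale = [k for k, v in self.pending.items() if now - v.created > PENDING_TTL]
        for k in stale:
            del self.pending[k]
        return len(stale)


NOW = datetime(2024, 1, 1, 0, 1, 0, tzinfo=timezone.utc)   # constructed clock
SOON = NOW + timedelta(hours=23)                           # a typical late confirmation
LATER = NOW + timedelta(days=15)                           # past the 14-day TTL
# Constructed siteverify replies; real ones come from Google's siteverify endpoint.
GOOD_REPLY = json.dumps({"success": True, "score": 0.9, "action": "register",
                         "hostname": EXPECTED_HOSTNAME, "challenge_ts": "2024-01-01T00:00:30Z"})
BOT_REPLY = json.dumps({"success": True, "score": 0.1, "action": "register",
                        "hostname": EXPECTED_HOSTNAME, "challenge_ts": "2024-01-01T00:00:30Z"})
```

Two design points carried over from the ticket: the `wp_users` row only comes into existence in `confirm()`, so an abandoned or mistyped signup never becomes a user row, and the pending record stores a hash of the confirmation token rather than the token itself. With `enforce=False` the `reasons` list is what you would log while running v3 alongside the existing v2 check, so that the threshold can be chosen from observed scores before it is turned on.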

#7 @tobifjellner
10 months ago

@dd32 r9167 contains a string on the login screen "Please wait.."
I think three stops would be better than two.

#8 @dd32
10 months ago

In 9169:

Login: Remove a string.

Props tobifjellner.
See #4739.

#9 follow-up: @casiepa
10 months ago

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days otherwise the pending account will be destroyed (and so the process has to be repeated) ?

Probably https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php#L101 ?

#10 in reply to: ↑ 9 @dd32
10 months ago

Replying to casiepa:

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days otherwise the pending account will be destroyed (and so the process has to be repeated) ?

It used to be 7 days, and then the activation link would expire, the user would end up on a confused page, and they'd have to do the password reset flow (which wasn't obvious).

Adding something to the email, in addition to a "The link you've followed has expired" was on my internal TODO list, but wasn't a priority given the small number of people it affects - Most people complete signup within a few hours (Most I've seen in the last month was ~23hrs), or never do it.

#11 @dd32
10 months ago

In 9224:

Login: Add a link expired template, and redirect expired links to that url.

See #4739.

#12 @dd32
10 months ago

In 9225:

Login: bump the caches after r9224.

See #4739.

#13 @dd32
10 months ago

In 9226:

Login: Hard-code the lostpassword endpoint to avoid including the regex in the public-facing urls :)

See #4739.

#14 @dd32
10 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

I'm going to close this as fixed for now.

I'm going to skip adding a "must do within 2 weeks" notice to the signup email, as it's not really that critical - if they haven't clicked it, it'll redirect them back to the registration form with their username prefilled and it's just another email verification.

If anyone feels strongly, please re-open with exact wording you'd like to see.
