
Opened 3 weeks ago

Last modified 7 days ago

#4739 assigned defect

Signup flow needs tweaking to reduce unconfirmed accounts

Reported by: dd32 Owned by: dd32
Milestone: Priority: normal
Component: Login & Authentication Keywords:
Cc:

Description

After looking at the signup flow recently, there's a few things that have stood out as being needed:

  1. We shouldn't create users until after they've verified their email addresses. A lot of users never complete the signup process (spam mostly, I'd be willing to bet) or make typos in their email addresses, resulting in accounts that are never used.
  2. We should "upgrade" to reCaptcha v3 from the v2 invisible version we're currently using. Upgrading will allow us to gain access to the reCaptcha "score" of the user, which can be used as a signal for spam and moderation tooling.

We probably want to run v2 and v3 concurrently to tweak the scores used to prevent too much spam bypassing the captcha process currently in place.

Change History (10)

#1 @dd32
3 weeks ago

In 9146:

Login: Store user registrations in a custom table until they confirm their email address (at which time, we create the actual wp_users records).

This is to combat the significant number of unconfirmed accounts that are created, by separating them it's easier to purge them periodically, but also easier to add extra anti-spam checks as needed.

See #4739.

#2 @dd32
3 weeks ago

In 9147:

Login: Add reCaptcha v3 in logging-only mode for registration.

See #4739.

#3 @dd32
3 weeks ago

In 9148:

Login: Handle the various SSO routes a bit better when passing to reCaptcha.

See #4739.

This ticket was mentioned in Slack in #meta by tellyworth.
3 weeks ago

#5 @dd32
8 days ago

In 9167:

Login: Require a valid reCaptcha v3 score during registration, add reCaptcha to the account confirmation screen as well.

See #4739.

#6 @dd32
8 days ago

In 9168:

Login: Purge records from the 'pending registrations' table after 14 days.

By this time, either the account has been created, or the user_login/user_email is now available for registration again.

See #4739.
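The flow described in the ticket description and in the r9146/r9168 commit messages (hold registrations in a pending table keyed by an emailed confirmation token, create the real user only on confirmation, gate signup on a captcha score, purge after 14 days), as an added self-contained model that is not the wporg-login theme's own code. The 0.5 score threshold, the sha256 token hashing and the class/method names are assumptions for illustration; the ticket names no threshold.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

PENDING_TTL_SECONDS = 14 * 24 * 3600   # purge window from r9168
MIN_CAPTCHA_SCORE = 0.5                # assumed threshold; the ticket gives none


@dataclass
class Pending:
    user_login: str
    user_email: str
    created_at: int


@dataclass
class Registrations:
    users: dict = field(default_factory=dict)     # login -> email, stands in for wp_users
    pending: dict = field(default_factory=dict)   # sha256(token) -> Pending row

    def _taken(self, login, email):
        if login in self.users or email in self.users.values():
            return True
        return any(r.user_login == login or r.user_email == email
                   for r in self.pending.values())

    def signup(self, login, email, captcha_score, now):
        """Record a pending registration; returns the raw token to email, or None."""
        if captcha_score < MIN_CAPTCHA_SCORE:
            return None                   # likely spam: no row written at all
        self.purge(now)                   # frees logins/emails whose window lapsed
        if self._taken(login, email):
            return None
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked pending table cannot confirm accounts.
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = Pending(login, email, now)
        return token

    def confirm(self, token, now):
        """Promote a pending row to a real user; False if unknown or older than 14 days."""
        h = hashlib.sha256(token.encode()).hexdigest()
        row = self.pending.get(h)
        if row is None or now - row.created_at > PENDING_TTL_SECONDS:
            return False
        del self.pending[h]
        self.users[row.user_login] = row.user_email
        return True

    def purge(self, now):
        """Drop expired pending rows; returns how many were removed."""
        expired = [h for h, r in self.pending.items() if now - r.created_at > PENDING_TTL_SECONDS]
        for h in expired:
            del self.pending[h]
        return len(expired)
```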

#7 @tobifjellner
8 days ago

@dd32 r9167 contains a string on the login screen "Please wait.."
I think three stops would be better than two.

#8 @dd32
8 days ago

In 9169:

Login: Remove a string.

Props tobifjellner.
See #4739.

#9 follow-up: @casiepa
8 days ago

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days otherwise the pending account will be destroyed (and so the process has to be repeated) ?

Probably https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php#L101 ?

#10 in reply to: ↑ 9 @dd32
7 days ago

Replying to casiepa:

@dd32 Do you somewhere in the email want to mention that the password has to be set within 14 days otherwise the pending account will be destroyed (and so the process has to be repeated) ?

It used to be 7 days, and then the activation link would expire, the user would end up on a confused page, and they'd have to do the password reset flow (which wasn't obvious).

Adding something to the email, in addition to a "The link you've followed has expired" message, was on my internal TODO list, but wasn't a priority given the small number of people it affects - most people complete signup within a few hours (the most I've seen in the last month was ~23hrs), or never do it.
