Users registering without registration form being published

Need help with the Administration of your Joomla! 3.x site? This is the spot for you.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14286
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Users registering without registration form being published

Postby mandville » Tue Aug 11, 2015 1:37 pm

This is not always due to a hack, mostly, it is a site administrators failure.
I have had a spate of new Users appearing in my User Manager.
I am the only authorised user on my sites (Super User) - so how do these spammers get in; and how to block them in future?


I've received email messages from my website, telling me that a new user has registered.
1. There is no user registration form on the website
2. These appear to be hacks
.


The symptom checklist is as follows:
Did you turn off New User Registration in the Options of User Manager? Since J3.4.0
The User Registration option is switched OFF by default for new Joomla installations
If you have upgraded from an older version then you may need to change it yourself:

On all joomla installations, unless the module code is deleted, the registration form is still available even when you don't have a menu item pointing to it. Spam bots are preprogammed with the non sef link to the module (likewise for drupal and wordpress targetting bots)

[*]In Users > User ManagerClick on [Options] (on the right)
on [Component] tab set "Allow User Registration" to No.

Prevention:

If you require users to register but want to cut down on the bot registrations, then on a normal site it is good idea to be using
[*] the self activation part as a lot of bots use fake addresses and wont be able to confirm their registration.
or
[*]you can set new registrations to "public" which means they think they have registered but cant do anything until you raise them to registered level.
or
[*] you can set new registrations to no /disabled
It helps to have captcha installed, meaning one more hurdle for bots and spammers to go through.

Related links

https://docs.joomla.org/Help34:Components_Users_Configuration
https://docs.joomla.org/Setting_user_registration_policy
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
Hellen VH
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Mar 11, 2011 5:27 pm

Re: Users registering without registration form being publis

Postby Hellen VH » Tue Aug 11, 2015 2:59 pm

I had post this question under “Remove "Forgot your password? Forgot your username?", but today when I read your post I thought that maybe it is a good idea ask this question here.

I am not a Joomla expert, your advice will be very important for me. In my case, I do not want the login form be shown when someone tries to access the site using /component/users.

Is it correct to override the /com_users/login/default_log.php into my html folder template and redirect the user to the homepage? Something likes this:
<?php
defined('_JEXEC') or die;
JHtml::_('behavior.keepalive');
function Redirect($url, $permanent = false)
{
if (headers_sent() === false)
{
header('Location: ' . $url, true, ($permanent === true) ? 301 : 302);
}
exit();
}
Redirect('http://domain-name.com/', false);
?>
It works for me perfectly on my localhost; but I am not sure if it is the correct way to do it. Or is better through the .htaccess?

Thanks for the info you can give me.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11438
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users registering without registration form being publis

Postby brian » Tue Aug 11, 2015 5:59 pm

No the correct way is to do exactly what Mandville says above and "turn off New User Registration in the Options of User Manager? "

What you are proposing is easy to overcome (not posting here how)
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
Hellen VH
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Mar 11, 2011 5:27 pm

Re: Users registering without registration form being publis

Postby Hellen VH » Tue Aug 11, 2015 8:31 pm

Oh! Thanks for your information. Sorry that I posted that here.
The New User Registration option is off, of course this works.
Is there another way to prevent the login form to be shown?

User avatar
uaintgotthisid
Joomla! Explorer
Joomla! Explorer
Posts: 344
Joined: Wed Sep 10, 2008 6:05 pm
Location: Essex, England, United Kingdom
Contact:

Re: Users registering without registration form being publis

Postby uaintgotthisid » Wed Oct 14, 2015 1:32 pm

To unpublish the login form.

Go to Extensions > Modules

Change the "type" to "login"

The modules you see are all Login modules. Unpublish them and you will remove the login form.
Just another lonely website designer trying to make his way.
https://www.squareballoon.co.uk
JOIN US at Joomla! User Group London or on G+
https://www.joomlalondon.co.uk

hvitnov
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Wed Oct 21, 2015 10:58 am

Re: Users registering without registration form being publis

Postby hvitnov » Wed Oct 21, 2015 11:11 am

I am not able to turn of user registration since I don't see an "options" button in my user manager in Joomla 3.4.4 (see attached screenshot). It seems to be missing from the menu.
Also when creating a login form, it comes with the option for users to register, so I assume the user registration option is not set to off in my case.
I am not the first admin on the site, so it may well be a consequence of a failed upgrade or similar, but checking database etc. in the extension manager produces no errors, so I am puzzled.

Any ideas as to why the options button would not show up?
You do not have the required permissions to view the files attached to this post.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11438
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users registering without registration form being publis

Postby brian » Wed Oct 21, 2015 11:13 am

You are not logged in asa Super Administrator - just a regular admin
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

hvitnov
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Wed Oct 21, 2015 10:58 am

Re: Users registering without registration form being publis

Postby hvitnov » Wed Oct 21, 2015 11:21 am

You are absolutely right. I've been placed in the admin and not the super user group.
Talk about looking in all the wrong places, when the answer is (literally) right under your nose.

Thanks Brian

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11438
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users registering without registration form being publis

Postby brian » Wed Oct 21, 2015 11:36 am

Glad to help
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
bluesardine
Joomla! Explorer
Joomla! Explorer
Posts: 449
Joined: Fri Nov 16, 2007 10:49 pm
Location: Cornwall
Contact:

Re: Users registering without registration form being publis

Postby bluesardine » Wed Nov 25, 2015 10:54 am

did you sort this?
Go to users - then right hand side options - Allow registration set to NO
Web design Cornwall https://www.swankypixels.com
Landscape Photographer http://www.peterhaken.com

DorsetJoomla
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 180
Joined: Thu Jan 24, 2008 12:20 pm

Re: Users registering without registration form being publis

Postby DorsetJoomla » Wed Dec 23, 2015 8:32 pm

Thanks for this I was just about to raise a new topic about this very issue.

legalno
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Jul 28, 2015 5:06 pm

Re: Users registering without registration form being publis

Postby legalno » Sat Jan 02, 2016 12:00 pm

Dear representatives of Joomla!

In my CMS Joomla! v. 3.4.8 constantly receive a large number of new users. I think that there are bots (spammers). Disable new user registration in the CMS settings did not help solve the problem. Please help solve the problem

Yours sincerely,
Alexander

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14286
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Users registering without registration form being publis

Postby mandville » Wed Feb 24, 2016 2:37 pm

Please make a new post with your forum post assistant report
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

sua may tinh
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Wed Jul 27, 2016 1:23 am

Re: Users registering without registration form being published

Postby sua may tinh » Wed Jul 27, 2016 1:28 am

wow. good thank

lukebainton
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon Sep 05, 2016 4:26 am

Re: Users registering without registration form being published

Postby lukebainton » Mon Sep 05, 2016 4:32 am

ok that is good but i have registered already

thanks

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 327
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece

Re: Users registering without registration form being published

Postby changlee » Mon Sep 05, 2016 7:50 pm

You have also to use Google reCaptcha, it will save your lifes :-)
If you do not programm your life, someone else will do it for you.
Free and low cost Templates at: https://www.b2b-templates.com

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14286
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Users registering without registration form being published

Postby mandville » Mon Sep 05, 2016 8:15 pm

changlee wrote:You have also to use Google reCaptcha, it will save your lifes :-)



mandville wrote:or
[*] you can set new registrations to no /disabled
It helps to have captcha installed, meaning one more hurdle for bots and spammers to go through.

HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

ofir
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Nov 01, 2016 12:11 pm

Re: Users registering without registration form being published

Postby ofir » Tue Nov 01, 2016 12:29 pm

Hi, I have Joomla at version 3.6.2 and today I've received an email that a user registered.
I go to the User Manager and I see it has a random name and a random Gmail address and he has Administrator access,

Image

I deleted him and navigated to User > Options and the user registration was not enabled (was on 'No'),
Guest User Group was set to Public.

So how is this possible? Did someone hack into my server/Joomla?

apsilva
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 162
Joined: Tue Jul 12, 2016 11:22 pm

Re: Users registering without registration form being published

Postby apsilva » Tue Nov 01, 2016 12:46 pm

update to 3.6.4 now. That's a known security issue
See https://www.joomla.org/announcements/re ... eased.html

ofir
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Nov 01, 2016 12:11 pm

Re: Users registering without registration form being published

Postby ofir » Tue Nov 01, 2016 3:54 pm

apsilva wrote:update to 3.6.4 now. That's a known security issue
See https://www.joomla.org/announcements/re ... eased.html

Thank you, While I'm surprised that such a major flaw existed, good thing it was fixed already.

sithub
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Wed Sep 14, 2016 11:04 am

Re: Users registering without registration form being published

Postby sithub » Wed Jan 25, 2017 1:23 pm

down vote
There are many possible ways that the hacker has broken into your web,

I recommend you see these documents:

https://docs.joomla.org/Security

As to your question I would bet that the hacker could somehow upload a file to your website with a script that creates the user directly into the database.

With knowledge of Joomla tables and function it is relatively simple to do.

sithub
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Wed Sep 14, 2016 11:04 am

Re: Users registering without registration form being published

Postby sithub » Sat Jan 28, 2017 12:20 pm

Did you turn off New User Registration in the Options of User Manager? Since J3.4.0
The User Registration option is switched OFF by default for new Joomla installations
If you have upgraded from an older version then you've to change it yourself:

pcpetes
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Sun Sep 03, 2017 10:15 am

Re: Users registering without registration form being published

Postby pcpetes » Sun Sep 03, 2017 10:59 am

sithub wrote:down vote
There are many possible ways that the hacker has broken into your web,

I recommend you see these documents:

https://docs.joomla.org/Security

As to your question I would bet that the hacker could somehow upload a file to your website with a script that creates the user directly into the database.

With knowledge of Joomla tables and function it is relatively simple to do.


Can hacker scripts targetting the database be stopped by changing the table prefix from the default when installing joomla 3.7.5 as a hacker would need that for a accurate script to work ??

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 23552
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Users registering without registration form being published

Postby Per Yngve Berg » Sun Sep 03, 2017 11:21 am

pcpetes wrote:Can hacker scripts targetting the database be stopped by changing the table prefix from the default when installing joomla 3.7.5 as a hacker would need that for a accurate script to work ??


There is no default database prefix in Joomla 3.7.5. It's randomly set during installation. The default was "jos_" back in version 1.5.

pcpetes
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Sun Sep 03, 2017 10:15 am

Re: Users registering without registration form being published

Postby pcpetes » Wed Sep 13, 2017 10:31 am

Per Yngve Berg: Ok, thanks


Return to “Administration Joomla! 3.x”

Who is online

Users browsing this forum: Baidu [Spider] and 12 guests