Page 1 of 2

Users registering without registration form being published

Posted: Tue Aug 11, 2015 1:37 pm
by mandville
This is not always due to a hack, mostly, it is a site administrators failure.
I have had a spate of new Users appearing in my User Manager.
I am the only authorised user on my sites (Super User) - so how do these spammers get in; and how to block them in future?
I've received email messages from my website, telling me that a new user has registered.
1. There is no user registration form on the website
2. These appear to be hacks
.
The symptom checklist is as follows:
Did you turn off New User Registration in the Options of User Manager? Since J3.4.0
The User Registration option is switched OFF by default for new Joomla installations
If you have upgraded from an older version then you may need to change it yourself:

On all joomla installations, unless the module code is deleted, the registration form is still available even when you don't have a menu item pointing to it. Spam bots are preprogammed with the non sef link to the module (likewise for drupal and wordpress targetting bots)

[*]In Users > User ManagerClick on [Options] (on the right)
on [Component] tab set "Allow User Registration" to No.

Prevention:

If you require users to register but want to cut down on the bot registrations, then on a normal site it is good idea to be using
[*] the self activation part as a lot of bots use fake addresses and wont be able to confirm their registration.
or
[*]you can set new registrations to "public" which means they think they have registered but cant do anything until you raise them to registered level.
or
[*] you can set new registrations to no /disabled
It helps to have captcha installed, meaning one more hurdle for bots and spammers to go through.

Related links

https://docs.joomla.org/Help34:Componen ... figuration
https://docs.joomla.org/Setting_user_re ... ion_policy

Re: Users registering without registration form being publis

Posted: Tue Aug 11, 2015 2:59 pm
by Hellen VH
I had post this question under “Remove "Forgot your password? Forgot your username?", but today when I read your post I thought that maybe it is a good idea ask this question here.

I am not a Joomla expert, your advice will be very important for me. In my case, I do not want the login form be shown when someone tries to access the site using /component/users.

Is it correct to override the /com_users/login/default_log.php into my html folder template and redirect the user to the homepage? Something likes this:
<?php
defined('_JEXEC') or die;
JHtml::_('behavior.keepalive');
function Redirect($url, $permanent = false)
{
if (headers_sent() === false)
{
header('Location: ' . $url, true, ($permanent === true) ? 301 : 302);
}
exit();
}
Redirect('http://domain-name.com/', false);
?>
It works for me perfectly on my localhost; but I am not sure if it is the correct way to do it. Or is better through the .htaccess?

Thanks for the info you can give me.

Re: Users registering without registration form being publis

Posted: Tue Aug 11, 2015 5:59 pm
by brian
No the correct way is to do exactly what Mandville says above and "turn off New User Registration in the Options of User Manager? "

What you are proposing is easy to overcome (not posting here how)

Re: Users registering without registration form being publis

Posted: Tue Aug 11, 2015 8:31 pm
by Hellen VH
Oh! Thanks for your information. Sorry that I posted that here.
The New User Registration option is off, of course this works.
Is there another way to prevent the login form to be shown?

Re: Users registering without registration form being publis

Posted: Wed Oct 14, 2015 1:32 pm
by uaintgotthisid
To unpublish the login form.

Go to Extensions > Modules

Change the "type" to "login"

The modules you see are all Login modules. Unpublish them and you will remove the login form.

Re: Users registering without registration form being publis

Posted: Wed Oct 21, 2015 11:11 am
by hvitnov
I am not able to turn of user registration since I don't see an "options" button in my user manager in Joomla 3.4.4 (see attached screenshot). It seems to be missing from the menu.
Also when creating a login form, it comes with the option for users to register, so I assume the user registration option is not set to off in my case.
I am not the first admin on the site, so it may well be a consequence of a failed upgrade or similar, but checking database etc. in the extension manager produces no errors, so I am puzzled.

Any ideas as to why the options button would not show up?

Re: Users registering without registration form being publis

Posted: Wed Oct 21, 2015 11:13 am
by brian
You are not logged in asa Super Administrator - just a regular admin

Re: Users registering without registration form being publis

Posted: Wed Oct 21, 2015 11:21 am
by hvitnov
You are absolutely right. I've been placed in the admin and not the super user group.
Talk about looking in all the wrong places, when the answer is (literally) right under your nose.

Thanks Brian

Re: Users registering without registration form being publis

Posted: Wed Oct 21, 2015 11:36 am
by brian
Glad to help

Re: Users registering without registration form being publis

Posted: Wed Nov 25, 2015 10:54 am
by bluesardine
did you sort this?
Go to users - then right hand side options - Allow registration set to NO

Re: Users registering without registration form being publis

Posted: Wed Dec 23, 2015 8:32 pm
by DorsetJoomla
Thanks for this I was just about to raise a new topic about this very issue.

Re: Users registering without registration form being publis

Posted: Sat Jan 02, 2016 12:00 pm
by legalno
Dear representatives of Joomla!

In my CMS Joomla! v. 3.4.8 constantly receive a large number of new users. I think that there are bots (spammers). Disable new user registration in the CMS settings did not help solve the problem. Please help solve the problem

Yours sincerely,
Alexander

Re: Users registering without registration form being publis

Posted: Wed Feb 24, 2016 2:37 pm
by mandville
Please make a new post with your forum post assistant report

Re: Users registering without registration form being published

Posted: Wed Jul 27, 2016 1:28 am
by sua may tinh
wow. good thank

Re: Users registering without registration form being published

Posted: Mon Sep 05, 2016 4:32 am
by lukebainton
ok that is good but i have registered already

thanks

Re: Users registering without registration form being published

Posted: Mon Sep 05, 2016 7:50 pm
by changlee
You have also to use Google reCaptcha, it will save your lifes :-)

Re: Users registering without registration form being published

Posted: Mon Sep 05, 2016 8:15 pm
by mandville
changlee wrote:You have also to use Google reCaptcha, it will save your lifes :-)
mandville wrote: or
[*] you can set new registrations to no /disabled
It helps to have captcha installed, meaning one more hurdle for bots and spammers to go through.

Re: Users registering without registration form being published

Posted: Tue Nov 01, 2016 12:29 pm
by ofir
Hi, I have Joomla at version 3.6.2 and today I've received an email that a user registered.
I go to the User Manager and I see it has a random name and a random Gmail address and he has Administrator access,

Image

I deleted him and navigated to User > Options and the user registration was not enabled (was on 'No'),
Guest User Group was set to Public.

So how is this possible? Did someone hack into my server/Joomla?

Re: Users registering without registration form being published

Posted: Tue Nov 01, 2016 12:46 pm
by apsilva
update to 3.6.4 now. That's a known security issue
See https://www.joomla.org/announcements/re ... eased.html

Re: Users registering without registration form being published

Posted: Tue Nov 01, 2016 3:54 pm
by ofir
apsilva wrote:update to 3.6.4 now. That's a known security issue
See https://www.joomla.org/announcements/re ... eased.html
Thank you, While I'm surprised that such a major flaw existed, good thing it was fixed already.

Re: Users registering without registration form being published

Posted: Wed Jan 25, 2017 1:23 pm
by sithub
down vote
There are many possible ways that the hacker has broken into your web,

I recommend you see these documents:

https://docs.joomla.org/Security

As to your question I would bet that the hacker could somehow upload a file to your website with a script that creates the user directly into the database.

With knowledge of Joomla tables and function it is relatively simple to do.

Re: Users registering without registration form being published

Posted: Sat Jan 28, 2017 12:20 pm
by sithub
Did you turn off New User Registration in the Options of User Manager? Since J3.4.0
The User Registration option is switched OFF by default for new Joomla installations
If you have upgraded from an older version then you've to change it yourself:

Re: Users registering without registration form being published

Posted: Sun Sep 03, 2017 10:59 am
by pcpetes
sithub wrote:down vote
There are many possible ways that the hacker has broken into your web,

I recommend you see these documents:

https://docs.joomla.org/Security

As to your question I would bet that the hacker could somehow upload a file to your website with a script that creates the user directly into the database.

With knowledge of Joomla tables and function it is relatively simple to do.
Can hacker scripts targetting the database be stopped by changing the table prefix from the default when installing joomla 3.7.5 as a hacker would need that for a accurate script to work ??

Re: Users registering without registration form being published

Posted: Sun Sep 03, 2017 11:21 am
by Per Yngve Berg
pcpetes wrote:Can hacker scripts targetting the database be stopped by changing the table prefix from the default when installing joomla 3.7.5 as a hacker would need that for a accurate script to work ??
There is no default database prefix in Joomla 3.7.5. It's randomly set during installation. The default was "jos_" back in version 1.5.

Re: Users registering without registration form being published

Posted: Wed Sep 13, 2017 10:31 am
by pcpetes
Per Yngve Berg: Ok, thanks

Re: Users registering without registration form being published

Posted: Tue Nov 28, 2017 1:32 pm
by changlee
ofir wrote:Hi, I have Joomla at version 3.6.2 and today I've received an email that a user registered.
I go to the User Manager and I see it has a random name and a random Gmail address and he has Administrator access,

I deleted him and navigated to User > Options and the user registration was not enabled (was on 'No'),
Guest User Group was set to Public.

So how is this possible? Did someone hack into my server/Joomla?
Have you updated EVERYTHING? Joomla, Components, Modules, Plugins?

Re: Users registering without registration form being published

Posted: Fri Oct 12, 2018 2:50 am
by john-doe
Per Yngve Berg wrote:
Sun Sep 03, 2017 11:21 am
pcpetes wrote:Can hacker scripts targetting the database be stopped by changing the table prefix from the default when installing joomla 3.7.5 as a hacker would need that for a accurate script to work ??
There is no default database prefix in Joomla 3.7.5. It's randomly set during installation. The default was "jos_" back in version 1.5.
Some hosting providers with "Autoinstallers" sets up Joomla 3.X with jos_ prefix which does not help much. It is better practice upload the files and install it by yourself.

Re: Users registering without registration form being published

Posted: Mon Oct 21, 2019 5:42 am
by leolam
john-doe wrote:
Fri Oct 12, 2018 2:50 am
g providers with "Autoinstallers" sets up Joomla 3.X with jos_ prefix which does not help much.
Please clarify this statement since it is not clear for me? You refer to Softaculous and co?

Leo 8)

Re: Users registering without registration form being published

Posted: Mon Oct 21, 2019 8:26 am
by sozzled
I go away for a week and nothing changes. *sigh*

Why are we resurrecting these things, years after they were once "topical"?

Re: Users registering without registration form being published

Posted: Mon Oct 21, 2019 8:40 am
by AMurray
@Leolamn perhaps miss-read the last post date as October 12, 2019, not 2018.