Last month there were reports that a cyber-criminal gang had infected 30,000 WordPress blogs to market “anti-virus” software. WordPress is a popular target; keep your version and plugins up to date; and don’t expose your site to unnecessary risks.
If you require users to register before posting comments, for no other purpose than as part of your spam prevention strategy, then think again:
but more importantly
2. you are gifting the bad guys access to more potential vulnerabilities on your site, and your .htaccess security won’t always protect you.
This is not security paranoia; below is a real example that didn’t even require “hacking” skills.
Real World Example
An Ad site with no “contact us” had copied one of my articles. With no “contact us” and no response via WHOIS address my last resort was to post a comment on the site.
After registering I discovered that I was not only able to comment but also allowed to POST without moderation, so the site ended up with a post at the top of the front page highlighting its dubiousness.
This could have been a good site and I could have been the bad guy doing more than just posting text. This “feature” was fixed a few months back by WordPress 3.1.2.
By requiring registration (allowing strangers to “log in”) as a spam prevention measure you are opening up your site to additional current or future exploits.
Why email registration may not be effective in preventing spam
Wikipedia (it must be true 
) states “Some spambots will pass this step by providing a valid email address and use it for validation”. Registration Spam is a growing problem.
Yes, there are plugins to combat registration spam; but comment spam scumware packages are updated to provide their own counter measures:
For example, I have just read the change log for one blog commenting tool that targets WordPress and other platforms. It has increased the length of delay until it responds to email verification requests to improve success rate – presumably to avoid a newish anti registration-spam measure.
Conclusion
Requiring registration before users can comment does little to protect you from spam, but increases risks to your site’s security.
You would be better served just using one of the better anti-spam plugins AND (ideally) setting WordPress to require all comments to be moderated, so that you can check for any the plugin may have missed.
For the past week I have been trialling an anti-spam plug-in on another site. The plugin is supposed to be 100% effective, low maintenance (no checking and emptying of spam box) and comment poster friendly. I will report back in a few weeks but first impressions are favourable.
If you do decide to revert to no new user registration, don’t forget to untick BOTH of the highlighted boxes below:
