php - WooCommerce additional registration field validation being ignored? - Stack Overflow

admin2025-04-18  0

We've been getting a lot of spam registrations so I am attempting to block registrations from going through that are missing required fields. I have added some additional checks via the woocommerce_register_post, woocommerce_process_registration_errors, and woocommerce_registration_errors filters.

function register_validate_custom_fields( $username, $email, $validation_errors ) {
    // make sure all required fields are present
    $required_fields = ["email", "billing_first_name", "billing_last_name", "billing_address_1", "billing_city", "billing_state", "billing_postcode"];
    foreach ($required_fields as $field) {
        if (!isset($_POST[$field]) || $_POST[$field] == "") {
            $validation_errors->add('required_field', __('Required field missing', 'woocommerce'));
        }
    }
    return $validation_errors;
}
add_action('woocommerce_register_post', 'register_validate_custom_fields', 10, 3);

function custom_registration_errors( $validation_error ) {
    // make sure all required fields are present
    $required_fields = ["email", "billing_first_name", "billing_last_name", "billing_address_1", "billing_city", "billing_state", "billing_postcode"];
    foreach ($required_fields as $field) {
        if (!isset($_POST[$field]) || empty($_POST[$field])) {
            $validation_error = new WP_Error( 'required_field', __( 'Required field missing', 'woocommerce' ) );
        }
    }
    return $validation_error;
}
add_action( 'woocommerce_process_registration_errors', 'custom_registration_errors' );

function validate_required_fields( $errors, $username, $email ) {
    // make sure all required fields are present
    $required_fields = ["email", "billing_first_name", "billing_last_name", "billing_address_1", "billing_city", "billing_state", "billing_postcode"];
    foreach ($required_fields as $field) {
        if (!isset($_POST[$field]) || empty($_POST[$field])) {
            $errors->add('required_field', __('Required field missing', 'woocommerce'));
        }
    }
    return $errors;
}
add_filter( 'woocommerce_registration_errors', 'validate_required_fields', 10, 3 );

However, fake registrations without the required fields still seem to be getting through. We have even got some that were completely blank. Do these filters only return form errors, and not actually block the registrations? Is there another filter that would actually prevent the accounts from being created, and prevent the new account registration emails from being triggered?

asked Mar 6 at 15:40 by brassmookie, edited Apr 5 at 15:37
  • @LoicTheAztec I'm already using reCAPTCHA. It doesn't seem to catch all the bots. I'm sure it helps but there are still a few that get through. – brassmookie Commented Mar 6 at 16:04
  • 1 You should better use the filter hook woocommerce_registration_errors like in those threads. Now, maybe you could try to add a custom field (hidden by CSS) acting as a honey pot, that should always require having an empty value, this way you could add it in your validation process. Bots should try to fill it, avoiding the registration process to get completed. – LoicTheAztec Commented Mar 6 at 17:12
  • 1 Can you try and use woocommerce_process_registration_errors filter instead? This filter specifically validates the registration errors before the registration process is completed see here. Whereas woocommerce_register_post only adds validation errors before form submission. It doesn't inherently prevent the registration process from continuing, even if there are validation errors. – Richard Commented Mar 6 at 17:16
  • Thanks, I'll try the woocommerce_registration_errors and woocommerce_process_registration_errors filters and see if that helps the issue. Not sure the honeypot will help in my case, as the spam registrations coming through aren't filling in any custom fields. – brassmookie Commented Mar 7 at 12:44
  • @LoicTheAztec I've added filters and $post checks for woocommerce_register_post, woocommerce_process_registration_errors and woocommerce_registration_errors and we're still continuing to get spam registrations that are missing required fields. We even got a couple that appeared to be completely blank. Not even an email address. Is it possible that these different filters are somehow interfering with each other's proper function? – brassmookie Commented Mar 8 at 19:43

2 Answers

You could try adding a "honeypot" field that is hidden to regular visitors, using something like "date of birth", which the bots will faithfully insert a value into. Then in your function you can discard anything which has a value in that field. I know it's not exactly what you were asking but it could be a relatively easy win.

Also the hook you are using seems to be to validate extra custom fields in the form and return errors. If the bots are still getting through maybe they are using a different vector.
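Added example (not part of the original answer): one way to wire such a honeypot into both the WooCommerce My Account form and the core wp-login.php registration form. The field name `contact_phone_alt` and the `hp_*` function names are hypothetical. A submission is rejected when the decoy is filled in or absent altogether, since a browser that rendered the form always sends the empty input.

```php
<?php
// Added example, not from the original thread.
// HP_FIELD and the hp_* function names are hypothetical.
const HP_FIELD = 'contact_phone_alt';

// Render the decoy input, moved off-screen so human visitors never see it.
function hp_render_field() {
    ?>
    <p class="form-row" style="position:absolute;left:-9999px" aria-hidden="true">
        <label for="<?php echo esc_attr( HP_FIELD ); ?>">Leave this field empty</label>
        <input type="text" name="<?php echo esc_attr( HP_FIELD ); ?>"
               id="<?php echo esc_attr( HP_FIELD ); ?>" value=""
               tabindex="-1" autocomplete="off" />
    </p>
    <?php
}
add_action( 'woocommerce_register_form', 'hp_render_field' ); // WooCommerce My Account form
add_action( 'register_form', 'hp_render_field' );             // wp-login.php?action=register

// Fail validation when the decoy is missing (form was never rendered)
// or carries a value (an automated client filled every input).
function hp_check( $errors ) {
    $missing = ! isset( $_POST[ HP_FIELD ] );
    $filled  = ! $missing && '' !== trim( (string) wp_unslash( $_POST[ HP_FIELD ] ) );

    if ( $missing || $filled ) {
        $errors->add( 'hp_failed', __( 'Registration could not be completed.', 'woocommerce' ) );
    }
    return $errors;
}
// woocommerce_process_registration_errors runs only for the My Account form,
// so checkout account creation (which has no decoy field) is not affected.
add_filter( 'woocommerce_process_registration_errors', 'hp_check', 10, 1 );
// registration_errors covers the core WordPress registration form.
add_filter( 'registration_errors', 'hp_check', 10, 1 );
```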

So, I did ultimately find the solution here. There were a couple of problems that needed to be addressed.

Firstly, the reason the WooCommerce filters weren't working was because the registrations were not coming through WooCommerce. They were coming through the standard WordPress registration routes. So the first change that was needed was to uncheck the "Anyone can register" option in the WordPress general settings. This cut down on some of the spam registrations. However, the spammers seem to have many backdoors into the registration routes.

So, the second problem was in the user_register hook. I had overridden this at some point and was triggering the wp_new_user_notification function without first checking the user values.

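function my_user_register($user_id) {
    $user_info = get_userdata($user_id);

    // make sure the user exists and required fields aren't empty
    // (get_userdata() returns false when the user is not found)
    if ( $user_info && $user_info->user_email != "" && $user_info->user_login != "" ) {

        // do some other stuff, if you want

        // notify the site admin of the new user registration
        // (the second argument is deprecated; pass null to avoid a deprecation notice)
        wp_new_user_notification($user_id, null, 'admin');
    }
}
// attach the handler to the user_register hook
add_action('user_register', 'my_user_register');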

I do still have one lingering question/concern, which is how easy it seems to be for spammers to trigger the user_register hook. Particularly so when there isn't even any user data attached to the call.
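Added example (not part of the original answer): `user_register` fires inside `wp_insert_user()`, so it runs for every code path that creates an account, whichever form or endpoint started it. An audit hook like the one below records which entry point each new account came through, so the route can be identified and closed. The function name and log format are hypothetical.

```php
<?php
// Added example, not from the original thread. audit_user_register is a hypothetical name.
function audit_user_register( $user_id ) {
    $user = get_userdata( $user_id );

    // Classify the request type using constants and helpers WordPress core defines.
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        $route = 'rest-api';
    } elseif ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        $route = 'xml-rpc';
    } elseif ( wp_doing_ajax() ) {
        $route = 'admin-ajax';
    } elseif ( defined( 'WP_CLI' ) && WP_CLI ) {
        $route = 'wp-cli';
    } else {
        $route = 'web';
    }

    $entry = array(
        'user_id'   => (int) $user_id,
        'login'     => $user ? $user->user_login : '',
        'has_email' => $user && '' !== $user->user_email,
        'route'     => $route,
        'uri'       => isset( $_SERVER['REQUEST_URI'] )
            ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'action'    => isset( $_REQUEST['action'] )
            ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '',
        // Field names only; submitted values (passwords included) are never logged.
        'post_keys' => array_map( 'strval', array_keys( $_POST ) ),
        'ip'        => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'ua'        => isset( $_SERVER['HTTP_USER_AGENT'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '',
    );

    // wp_json_encode() escapes control characters, keeping each entry on one log line.
    error_log( 'user_register audit: ' . wp_json_encode( $entry ) );
}
// Priority 1 so the entry is written before other user_register handlers run.
add_action( 'user_register', 'audit_user_register', 1 );
```

The `uri`, `action` and `post_keys` values of the logged spam accounts show which plugin or endpoint is calling `wp_insert_user()`.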
