If your website is suddenly flooded with a large number of fake affiliate registrations, it can be an alarming experience.
This guide will walk you through how to verify the source of the issue, clean up the spam users in bulk, and, most importantly, how to block the attack to prevent it from happening again.
Part 1: First Steps: Checking if the Registrations are from Coupon Affiliates
When you see lots of new users, it’s natural to suspect the Coupon Affiliates plugin as a potential cause.
Here’s how you can quickly and definitively verify the source of the registrations.
- Check the “Registrations” tab in our plugin: Go to the “Registrations” tab within the Coupon Affiliates section of your WordPress dashboard. This page only shows users who have successfully registered through a Coupon Affiliates form.
  - If the spam users do NOT appear on this list, they are most likely being created by another method that bypasses our plugin.
  - If they do appear here, ensure you have enabled spam protection such as Google reCAPTCHA or Cloudflare Turnstile in the plugin’s settings.
- Perform the deactivation test (the most reliable method): The most conclusive test is to temporarily deactivate the Coupon Affiliates plugin.
  - Go to Plugins > Installed Plugins and deactivate Coupon Affiliates.
  - Wait for a couple of hours (or however long the typical interval is between spam registrations).
  - Check your main WordPress user list at Users > All Users.
  - If a new spam user appears while our plugin is inactive, that is 100% confirmation that the registrations are coming from an external source, not our plugin. You can then reactivate Coupon Affiliates.
If these checks confirm the registrations are happening outside of our plugin, continue with the guide below to find and block the real source of the attack.
Part 2: Finding the Real Cause of Spam Registrations
If you’ve confirmed the spam is happening even with our plugin disabled, it means the attackers are not using your website’s frontend forms.
Instead, they are creating users programmatically through a “backdoor” into WordPress, most commonly the WordPress REST API.
The REST API is a core feature of WordPress that allows applications to interact with your site’s data. Spambots can send requests directly to the user registration endpoint (/wp-json/wp/v2/users) to create new users. This method completely bypasses your website’s theme, pages, forms, and any spam protection such as CAPTCHA that you have in place.
Attackers can also specify a role in their API request. This is likely why the spam users are assigned the “Affiliate” role even though the request is not coming through the Coupon Affiliates plugin’s forms.
Part 4: How to Permanently Block Spam Registration Attacks
Here are the most effective steps to secure your site. It is highly recommended to implement at least one of the following measures. For these steps, you may want to contact your website hosting support or developer for assistance.
Option 1: Disable Open Registration (Easiest Method)
If you do not require public user registration outside of your dedicated affiliate form, this is the quickest fix.
- In your WordPress admin, go to Settings > General.
- Find the “Membership” setting.
- Make sure the box for “Anyone can register” is UNCHECKED.
- Save your changes. This closes the public registration endpoint in the REST API.
Option 2: Use a Web Application Firewall (WAF) (Recommended)
A WAF is the best long-term security solution. It acts as a shield to automatically block malicious requests, including spambot attacks targeting the REST API.
Popular and effective security solutions include:
- Wordfence: The free version includes a robust firewall that can block malicious API requests.
- Sucuri Security: A comprehensive security plugin with excellent firewall and monitoring features.
- Cloudflare: A service that operates at the DNS level; its firewall can block bad traffic before it even reaches your server.
Option 3: Selectively Disable the REST API User Endpoint
If you must keep public registration open, you can install a plugin to block just the user creation endpoint.
- Install a plugin like Disable WP REST API.
- In its settings, selectively disable the endpoints related to user creation (wp/v2/users) while keeping the rest of the API functional.
Part 3: How to Bulk Delete Fake Users
Now, let’s clean up the existing spam accounts.
Important: Before you begin, create a full backup of your website and database.
Deleting hundreds or thousands of users one at a time is not practical, but you can go to the “Users” admin page, select all the users shown on a page, and bulk delete them in batches, one page at a time.
Alternatively, you can use a plugin:
- Install and activate a plugin like WP Bulk Delete from the WordPress plugin repository.
- Navigate to the WP Bulk Delete > Delete Users page.
- From this screen, complete the form to bulk delete users within a certain time range.