Spammers creating accounts and bypassing membership pro payment process
5 years 8 months ago - 5 years 8 months ago #127802
by erixis
Spammers creating accounts and bypassing membership pro payment process was created by erixis
I have a site set up using Membership pro to charge for membership. It is set up so that in order to create an account users must fill out a form, answering required unique professional questions and either pay, or choose to send a check option. Membership pro then creates their pending subscription, and we manually verify them for membership qualifications. A Joomla account isn't created until we approve them.
All this works well, but on several occasions this past week, somehow a spammer has managed to create a Joomla account without going through the Membership Pro component. I need to lock this down but I'm not sure where the hole is.
Their account is not activated, so they can't log in with it, but it is given a subscriber group privilege, but not admin privilege.
Joomla is 3.9.11
Akeeba Admintools latest version is installed.
Need some help before I get hacked.
5 years 8 months ago #127804
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Spammers creating accounts and bypassing membership pro payment process
Hello
1. Spam still happens but it does not mean that your site is being hacked. To avoid spam, you should configure and use reCAPTCHA. See docs.joomla.org/J3.x:Google_ReCaptcha for instructions to set it up.
2. I don't understand why an account (without payment) is having subscriber group privilege? Maybe there is something wrong with your setup. You can submit a support ticket sending us super admin account of your site so that I can take a quick look at your settings and make sure it's OK
Tuan
5 years 8 months ago #128304
by Ira Adams
Replied by Ira Adams on topic Spammers creating accounts and bypassing membership pro payment process
Was a solution for this ever reached? I am also encountering this issue. Spammers are submitting false registrations and somehow even able to fill in the transaction id from paypal.
5 years 8 months ago #128306
by erixis
Replied by erixis on topic Spammers creating accounts and bypassing membership pro payment process
Ira,
Yes, we were able to fix the problem. I deleted my Recaptcha keys and created new ones using invisible captcha for one thing. This helped.
We set two redirect plugins, both system and one provided by Joomdonation, up properly so that using Joomla's default signup form redirects to the Membership Pro sign up. Look for "system - redirect" and "Membership Pro Registration Redirect" in your plugin list and set them to redirect to your desired registration URL.
Also in the Joomla Users area, under the Options tab, set email domain options to reject subscriptions from the domain that is spamming your site.
While you are there, make sure that the default group for registered users is set to 'registered' not 'subscribers' and then if you do get spammed, they won't be in your paid user group, and therefore will still have limited access to content.
So far, after making these changes, we haven't had any fake accounts set up.
The following user(s) said Thank You: Tuan Pham Ngoc
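An added example, not part of the original posts and not Joomdonation's or Joomla's code: a small audit for the two conditions described in the post above, namely the core registration form assigning new accounts to the paid group, and accounts that hold the paid group without a subscription record. The option names (`allowUserRegistration`, `new_usertype`, `captcha`) are Joomla's com_users settings; the `subs` table, group id 10 and all sample rows are constructed assumptions.

```python
import json
import sqlite3

# Constructed sample data. users / user_usergroup_map mirror Joomla 3 core tables;
# "subs" is a hypothetical stand-in for the membership component's records.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, block INT, activation TEXT);
CREATE TABLE user_usergroup_map (user_id INT, group_id INT);
CREATE TABLE subs (user_id INT, active INT);
INSERT INTO users VALUES (101,'alice',0,''), (102,'bob',0,''), (103,'xk9promo',1,'a1b2c3');
INSERT INTO user_usergroup_map VALUES (101,10), (102,2), (103,10);
INSERT INTO subs VALUES (101,1);
"""
# Constructed com_users options (Joomla stores them as JSON in #__extensions.params).
COM_USERS_PARAMS = '{"allowUserRegistration":"1","new_usertype":"10","useractivation":"2","captcha":"0"}'
PAID_GROUP = 10  # assumed id of the site's "Subscribers" group; stock "Registered" is 2


def audit_config(params_json, paid_group=PAID_GROUP):
    """Return findings about the core (non-membership) registration settings."""
    p = json.loads(params_json)
    findings = []
    if str(p.get("allowUserRegistration")) == "1":
        if int(p.get("new_usertype", 2)) == paid_group:
            findings.append("core registration puts new users in the paid group")
        if str(p.get("captcha", "0")) == "0":  # "0" = no captcha plugin selected
            findings.append("core registration form has no captcha")
    return findings


def unpaid_members(db, paid_group=PAID_GROUP):
    """Users holding the paid group with no active subscription record."""
    sql = (
        "SELECT u.id, u.username FROM users u "
        "JOIN user_usergroup_map m ON m.user_id = u.id AND m.group_id = ? "
        "LEFT JOIN subs s ON s.user_id = u.id AND s.active = 1 "
        "WHERE s.user_id IS NULL ORDER BY u.id"
    )
    return db.execute(sql, (paid_group,)).fetchall()


def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


if __name__ == "__main__":
    print(audit_config(COM_USERS_PARAMS), unpaid_members(load_sample()))
```

Against a real site the same query would run on a read-only copy of the database, with the site's own table prefix and the component's actual subscription table substituted for `subs`.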
5 years 8 months ago #128307
by erixis
Replied by erixis on topic Spammers creating accounts and bypassing membership pro payment process
Here is the info I used for the ReCaptcha config.
docs.joomla.org/J3.x:Google_ReCaptcha
For Joomla groups assignment see - membershipprodoc.joomservices.com/joomla-groups-integration for detailed instructions
I also enabled this plugin membershipprodoc.joomservices.com/miscel...tion-redirect-plugin
The following user(s) said Thank You: Tuan Pham Ngoc
5 years 8 months ago #128311
by Ira Adams
Replied by Ira Adams on topic Spammers creating accounts and bypassing membership pro payment process
Thanks for your help!
5 years 2 months ago - 5 years 2 months ago #132325
by spitjack
__
a 'spit' is a rod upon which savory food was roasted, turned in ancient times by a worker called a 'jack', a middle English word for an ordinary laborer (eg jack of all trades, steeplejack, lumberjack). Today, this job is usually referred to as a 'pitmaster'.
Replied by spitjack on topic Spammers creating accounts and bypassing membership pro payment process
:: set email domain options to reject subscriptions from the domain that is spamming your site
Whoever is doing this is spoofing domains like gmail and hotmail; the goal here is to stop them from even making someone go in and clean out 100 fake registrations every couple days.
5 years 2 months ago #132328
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Spammers creating accounts and bypassing membership pro payment process
Yes, that could be an option. However, from my experience, there are real customers with gmail emails, so be careful with domain restrictions.
Tuan
5 years 2 months ago #132331
by spitjack
Replied by spitjack on topic Spammers creating accounts and bypassing membership pro payment process
I think the redirect plugin will stop most of the attacks. We are open to suggestions about how to handle free 30-day trial memberships.
Copyright © 2025 Joomla Extensions by Joomdonation. All Rights Reserved.
joomdonation.com is not affiliated with or endorsed by the Joomla! Project or Open Source Matters.
The Joomla! name and logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.