Spam users registration despite of recaptcha

I had a few days ago my OJS 2.4.8 flooded with spam article comments. I got thousands of new users registered and spam comments published.
I then added a recaptcha v2 in my site for user registration page (and comments page as well)
Despite of this I’m still getting some spam user registration, which insert ads urls in their personal page field

This is my captcha configuration:


; Whether or not to enable Captcha features
captcha = on

; Whether or not to use Captcha on user registration
captcha_on_register = on

; Whether or not to use Captcha on user comments
captcha_on_comments = on

; Whether or not to use Captcha on notification mailing list registration
captcha_on_mailinglist = on

; Font location for font to use in Captcha images
font_location = /usr/share/fonts/truetype/freefont/FreeSerif.ttf

; Whether to use reCaptcha instead of default Captcha
recaptcha = on

; Version of ReCaptcha to use: 0: Legacy (default), 2: ReCAPTCHA v2
recaptcha_version = 2

; Public key for reCaptcha (see
recaptcha_public_key = (hidden)

; Private key for reCaptcha (see
recaptcha_private_key = (hidden)

; Validate the hostname in the ReCaptcha v2 response
recaptcha_enforce_hostname = Off

Is my config file properly configured?

Thanks in advance for your help.


Hi @jascanio

Did you enable email_validation parameter as well?

; If enabled, email addresses must be validated before login is possible.
require_validation = Off 

It prevents that any account not validate remains active and be removed from system after a custom period of time you can set in this parameter bellow:

; Maximum number of days before an unvalidated account expires and is deleted
validation_timeout = 14

Israel Cefrin
Public Knowledge Project Team

1 Like

Hi @israel.cefrin,

I’ve just set the require_validation parameter to On.

What I still don’t understand is why the recaptcha solution could be by-passed.


Hi @jascanio

Google Recaptcha is a computer challenge, but a human being is able to skip over it. However, spammers don’t use real email accounts in most cases. Since it is an email address that won’t validate, a related user account will be removed automatically after validation timeout.

Israel Cefrin
Public Knowledge Project Team

Hi @israel.cefrin
Thanks for your reply.
I’m doing some clean-up. I’ve already deleted all the spam comments.
But, can I delete the fake users that posted the comments to artciles? (they are some 50K users)


Hi @israel.cefrin
I’ve added both re-captcha and e-mail validation, the latter parameter being set for 14 days value.
However, once re-enabling user registration (which I had disabled for security) I still once again start receiving dummy users registration, such as the following:

| horace9063 | 2018-10-11 11:26:05 | |
| sabinal371 | 2018-10-10 12:36:07 | |
| carma2127 | 2018-10-10 07:46:18 | |
| deborahpla | 2018-10-10 06:09:34 | |
| reaganroun | 2018-10-10 01:54:06 | |
| leannasauc | 2018-10-09 21:48:48 | |

Can anyone see an explanation to this?

The University Systems Department is up to shut down our OJS service.

I will deeply appreciate your help.


Hi, did you find any solution? I have the same problem.

Hi @piotreba
No, sorry I haven’t. I’m tracking my re-captcha activity and see that there are many attempts from bots, some of them bypassing the re-captcha.
I’ve set my advanced configuration for re-captcha to max security, but I’m stil getting spam users registered.
By applying the mail confirmation, I have reduced the number of spam users registered, but some bots still manage to bypass all security.

See also:

Hi How can I go to this page. I need to also customization this page.I have the same problem. So I thought I will solve below these way.

  1. Recaptcha
  2. Email validation.
  3. Approve by admin.

Please let me know is there any way to protect hackers or unwanted users.

@@ please let me know how can I find ip address of these unwanted users?

Thanks and Regards,
Md Maidul Islam

1 Like