Magento stores have witnessed an increase in SPAM user registrations. Originating from multiple IP addresses these attacks can easily overwhelm a small Magento store even when paired with a WAF.

There are additional defences against such attacks that can be quickly and easily implemented.

Block IPs

This can be a short time fix. However, these bot networks can have thousands of nodes and blocking will only work for a short time

Enable Captcha
Everyone is familiar with the next line of defence, Captcha. Introduced from Magento 1.7 onwards this presents the user an image with random words/numbers to be entered and is a challenge to automated bots.

Google Invisible reCaptch can be added as an extension which both performs as an additional level of security while minimising the impact on user experience.

This is the only effective protection from this type of attack.

Blocking by User Agent
A browser user-agent can be faked, blocking this fake User Agent will therefore be very effective. Blocking a genuine user-agent is always a possibility. You can use this to block services that you know are not in use i.e AhrefsBot. With any block care must be taken to ensure you are not blocking a user-Agent that could be detrimental to your store.

To block you simply edit your domain’s file.

However, most bot networks will disguise themselves as standard browsers.

The below example would block the YandexBot

if ($http_user_agent ~* “YandexBot”) {
return 403;


Clean up Created Users
Finally you would need to clean up all the SPAM user accounts that exist. Please, please be careful when deleting Users. Do not delete all, go through them and ensure genuine Users are not caught up in the process.

Magento 1 in particular uses very poor wording and just because you have searched for a email eg does not limit the Select all to just those emails.. it WILL select all.

The only fix for this is to restore you database.