“Allow User Registration” Should Be Set to “No” By Default on Joomla

We get constant calls from clients telling us that their Joomla websites were hacked, that they are seeing, in the User Manager, new and suspicious users every day, although they don’t have any registration form on their websites.

We first comfort them by telling them that their websites are most likely not hacked and that what they’re experiencing is pure spam. We then tell them that they don’t have to have a registration form on their websites for spammers to spam their User Manager. In fact, spammers do not use a registration form even if one exists; they have tools that register automatically, provided Allow User Registration is set to “Yes”, which is the default. So, what is Allow User Registration?

Allow User Registration is a Joomla setting that, when set to “Yes” (which is the default), permits users to register through the website. You can see this field by logging in to the backend, going to Users -> User Manager, clicking on the Options button on the top right, and finally clicking on the Component tab. In other words, Joomla’s own core will allow user registration when the value of this setting is “Yes”. Clearly, if your User Manager is getting spammed, and you don’t need to have people register on your website, then the best thing to do is to set its value to “No”.
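For administrators who look after several sites, the same check can be made from a database export instead of the backend. The following is an added example, not code from the original post or from Joomla: it assumes you have exported the `params` JSON of the `com_users` row in the `#__extensions` table and the rows of `#__users`; the function names and the sample data are constructed for illustration.

```python
import json
from collections import Counter

# Values of lastvisitDate that mean "this account has never logged in".
NEVER = (None, "", "0000-00-00 00:00:00")

def registration_enabled(params_json):
    """True/False for allowUserRegistration, or None if the key is absent."""
    params = json.loads(params_json or "{}")
    if "allowUserRegistration" not in params:
        return None  # not stored: confirm the value in the backend instead
    return str(params["allowUserRegistration"]).strip() == "1"

def audit(params_json, users, daily_threshold=2):
    """Report the setting plus days with a burst of never-used accounts."""
    per_day = Counter(
        u["registerDate"][:10] for u in users if u["lastvisitDate"] in NEVER
    )
    return {
        "registration_enabled": registration_enabled(params_json),
        "never_logged_in": sum(per_day.values()),
        "suspicious_days": sorted(
            day for day, n in per_day.items() if n >= daily_threshold
        ),
    }

# Constructed sample input (not taken from a real site).
SAMPLE_PARAMS = '{"allowUserRegistration":"1"}'
SAMPLE_USERS = [
    {"id": 101, "registerDate": "2014-03-28 02:11:09",
     "lastvisitDate": "0000-00-00 00:00:00"},
    {"id": 102, "registerDate": "2014-03-28 02:11:41",
     "lastvisitDate": "0000-00-00 00:00:00"},
    {"id": 103, "registerDate": "2014-03-28 09:30:00",
     "lastvisitDate": "2014-03-28 09:31:12"},
    {"id": 104, "registerDate": "2014-03-29 04:02:17",
     "lastvisitDate": None},
]

if __name__ == "__main__":
    print(audit(SAMPLE_PARAMS, SAMPLE_USERS))
```

A site that reports registration enabled together with one or more suspicious days matches the symptom described above: accounts appearing daily that nobody ever uses.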

Now, the question is, why is the Allow User Registration defaulted to “Yes”? We’re not exactly sure. We think that the Joomla developers assume that by enabling user registration by default they make the life of Joomla administrators easier if they want people to register on their websites. Maybe that’s their logic, but, in this day and age, where spammers and hackers are always searching for a weak Joomla website to spam or to attack, we think it’s a wiser move to disable user registration by default, and those who need this feature can enable it at will.

There you go, that’s our opinion about this whole issue. If your Joomla’s user manager is getting spammed and you don’t need people to register on your website, then disable user registration by setting the value of Allow User Registration to “No”. If, however, you want people to register, and you are getting many spam registrations, then please contact us. We can definitely fix this issue for you and we won’t charge you much!

3 Responses to ““Allow User Registration” Should Be Set to “No” By Default on Joomla”
  1. Pingback by The JoomlaSupport User Is a Scam! Beware! | itoctopus — March 29, 2014 @ 11:51 am

    […] By default, Joomla websites allow user registration, and that’s how any user (or any script) can register to the website, even if the website doesn’t have a registration form. Joomla administrators must disable user registration if they’re not using it, we have explained how to do this, in detail, here. […]

  2. Comment by David Cole — April 17, 2017 @ 7:28 am

    This most likely would work if we had a working Option button. In fact, many of our capabilities have disappeared. Categories, gone. Global configuration, gone. Edit profile, gone. Help, gone. We are using version 2.5.9. Any suggestions would be greatly appreciated.


  3. Comment by Fadi — June 21, 2017 @ 4:24 am

    Hi David,

    It seems that your ACL is corrupt. Additionally, you are running a very old version of Joomla with many known vulnerabilities, and you need to migrate/update your website immediately.
