All three Moodle platforms I manage that allow self-registration were targeted by spam accounts. These fake accounts are likely used to post spam on site forums, linking to external websites. The Moodle documentation mentions this as a potential downside of enabling self-registration. It’s interesting how a problem becomes much more real when it’s no longer theoretical. The potential for spam bot exploitation is clearly stated in two places within the platform settings.
The text below the self-registration option reads:
“If an authentication plugin, such as email-based self-registration, is selected, then it enables potential users to register themselves and create accounts. This results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. To avoid this risk, self-registration should be disabled or limited by Allowed email domains setting.”
Limiting domains isn’t feasible as I serve multiple school districts across the state, not just one college with a single domain. If I served a single entity like a district, I could restrict self-registration to that domain. This might be a solution for one of the affected Moodle instances as it serves only one district. Enabling self-registration with domain restrictions could work if they want students to create their own accounts.
Dealing with spam forces you to consider the true necessity of self-registration.
This Moodle document explains the situation well. It’s certainly more concrete now!
Enabling ReCaptcha.
I assumed I had enabled ReCaptcha by selecting “yes” in the settings:
Site administration ► Plugins ► Authentication ► Email-based self-registration
However, I was mistaken. A closer look would have revealed my error. If the service had been active, the spam would have likely been prevented.
Upon reviewing the Moodle documentation, I realized I hadn’t activated ReCaptcha with Google.
“In addition to enabling the reCAPTCHA element, email-based self-registration should be set as the self registration authentication plugin and reCAPTCHA keys should be set in the manage authentication common settings.”
I needed to acquire security keys from the Google reCAPTCHA site.
Site administration ► Plugins ► Authentication ► Manage authentication
I visited http://www.google.com/recaptcha, obtained the necessary keys, and inputted them into the form. Once completed, the account creation page displayed:
What’s the lesson?
To enable self-registration while deterring spam bots, activate Google’s reCAPTCHA service. Register your domain, obtain the required keys, implement them, and the process is complete.
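A check for the misconfiguration described above (reCAPTCHA set to "yes" in the plugin, but no keys entered under Manage authentication), as an added example that is not part of the original post or of Moodle itself. It assumes Moodle 3.3 or later, where the sign-up plugin's settings are stored under the `auth_email` component and the toggle is stored as `1`; `audit_signup`, `cfg` and the `MOODLE_ROOT` variable are names introduced here.

```bash
#!/usr/bin/env bash
# Added example: does reCAPTCHA actually protect Moodle self-registration?
# Assumed setting names: registerauth, recaptchapublickey,
# recaptchaprivatekey, allowemailaddresses (core) and recaptcha (auth_email).

# audit_signup REGISTERAUTH RECAPTCHA_FLAG SITE_KEY SECRET_KEY ALLOWED_DOMAINS
# Prints findings (never the keys themselves); returns 0 only when sign-up
# is closed or the captcha toggle AND both keys are set.
audit_signup() {
    local registerauth=$1 flag=$2 sitekey=$3 secret=$4 domains=$5 rc=0
    if [ -z "$registerauth" ]; then
        echo "OK: self-registration is disabled"
        return 0
    fi
    echo "INFO: self-registration enabled via '$registerauth'"
    if [ "$flag" != "1" ]; then
        echo "FAIL: reCAPTCHA element is not enabled in the sign-up plugin"
        rc=1
    fi
    if [ -z "$sitekey" ] || [ -z "$secret" ]; then
        echo "FAIL: reCAPTCHA keys are missing under Manage authentication"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: reCAPTCHA element and both keys are set"
    fi
    if [ -z "$domains" ]; then
        echo "WARN: allowed email domains is empty; any address can register"
    fi
    return "$rc"
}

# cfg NAME [COMPONENT]: read one setting through Moodle's admin/cli/cfg.php.
# An unset value yields an empty string.
cfg() {
    php "$MOODLE_ROOT/admin/cli/cfg.php" ${2:+--component="$2"} \
        --name="$1" 2>/dev/null || true
}

# Live audit only when MOODLE_ROOT (assumed variable) points at a Moodle tree.
if [ -n "${MOODLE_ROOT:-}" ]; then
    audit_signup "$(cfg registerauth)" "$(cfg recaptcha auth_email)" \
        "$(cfg recaptchapublickey)" "$(cfg recaptchaprivatekey)" \
        "$(cfg allowemailaddresses)"
fi
```

Run it as the web server user with `MOODLE_ROOT` set; the non-zero exit status on a `FAIL` line makes it usable from cron or a monitoring check.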


