Introduction

The General Settings page is the central hub for configuring Secure User Registration by PureDevs. This comprehensive guide explains every setting available and helps you optimize your registration security.

Access the settings page by navigating to Settings → Safe Registration in your WordPress admin menu.

Accessing Settings

  1. Log in to your WordPress admin dashboard
  2. In the left sidebar, hover over Settings
  3. Click on Safe Registration
  4. You’ll see the General Settings page with all configuration options

General Settings Section

The General Settings section controls basic protection features for your registration forms.

Enable Protection Options

These checkboxes control which registration forms are protected:

Protect user Registration

  • Description: Enables protection for standard WordPress registration forms
  • Default: Checked (enabled)
  • Affects: /wp-login.php?action=register and custom registration pages
  • Recommendation: Keep this enabled unless your site does not use WordPress registration

Protect WooCommerce user Registration

  • Description: Enables protection for WooCommerce registration forms
  • Default: Checked (enabled)
  • Affects: My Account page registration and checkout registration
  • Recommendation: Enable if you have WooCommerce installed
  • Note: Only relevant if WooCommerce is active

Best Practice

Enable both options if you use both WordPress and WooCommerce registrations. This ensures comprehensive protection across your entire site.

Enable Nonce

  • Description: Enable or disable custom nonce field for registration forms
  • Default: Checked (enabled)
  • Purpose: Adds an additional CSRF protection layer with custom nonce validation
  • Impact: No visible change to users; adds hidden security field
  • Recommendation: Keep this enabled for maximum CSRF protection

Recommended Configuration

Enable all three checkboxes (WordPress protection, WooCommerce protection, and Nonce) for comprehensive security coverage.

Email/Domain Blocklist

  • Description: Text field for blocking specific emails or entire domains
  • Format: Comma-separated list
  • Examples:
    • Single email: spam@example.com
    • Entire domain: @example.com
    • Multiple entries: @test.com,@example.com,spam@bad.com
  • Help Text: “Use Comma as a separator, ‘@example.tld to block a domain.”
  • Default: Empty (no blocks)

Important

Use commas WITHOUT spaces. Correct: @test.com,@example.com. Incorrect: @test.com, @example.com
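
The format rules above can be checked before the list is pasted into the field. The following is an added example, not the plugin's own code: lint_blocklist and is_blocked are hypothetical helpers, and the matching model (exact address match, or exact match on the "@domain" part, case-insensitive) is an assumption, since this page does not describe how the plugin compares entries.

```python
import re

# Loose shape checks for the two entry forms this page documents.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
DOMAIN_RE = re.compile(r"^@[^@\s,]+\.[^@\s,]+$")


def lint_blocklist(raw):
    """Return (entries, problems) for a comma-separated blocklist string."""
    entries, problems = [], []
    for pos, item in enumerate(raw.split(","), start=1):
        if item == "":
            problems.append(f"entry {pos}: empty (stray or trailing comma)")
        elif re.search(r"\s", item):
            problems.append(f"entry {pos}: {item!r} contains whitespace")
        elif not (EMAIL_RE.match(item) or DOMAIN_RE.match(item)):
            problems.append(
                f"entry {pos}: {item!r} is neither user@domain nor @domain")
        else:
            entries.append(item.lower())
    return entries, problems


def is_blocked(email, entries):
    """Assumed model: exact address match, or exact '@domain' match."""
    email = email.strip().lower()
    domain = email[email.rfind("@"):]
    return email in entries or domain in entries


# Constructed inputs: the correct and incorrect forms quoted on this page.
GOOD = "@test.com,@example.com,spam@bad.com"
BAD = "@test.com, @example.com"

if __name__ == "__main__":
    print(lint_blocklist(GOOD))
    print(lint_blocklist(BAD))
    # Under a literal comparison, the stray space turns the second entry
    # into " @example.com", which no real address can equal.
    print(is_blocked("a@example.com", BAD.split(",")))
```

An empty problems list means the string follows the documented format; it does not prove the plugin will block the address, so the registration test in the checklist is still needed.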

Google Captcha Section

Configure Google reCAPTCHA integration to protect against automated bot registrations.

Enable Captcha

  • Description: Enable or disable Google Captcha field for registration forms
  • Default: Unchecked (disabled)
  • Purpose: Adds “I’m not a robot” reCAPTCHA checkbox to registration forms
  • Requirement: Must have valid Site Key and Secret Key
  • Impact: Adds visible reCAPTCHA widget to registration forms

Site Key

  • Description: Your Google reCAPTCHA Site Key (public key)
  • Required: Yes (if Captcha is enabled)
  • Format: 40-character alphanumeric string
  • Source: Obtained from Google reCAPTCHA Admin
  • Help Text: “Enter your Site Key here. You can get Site Key from here.”
  • Visibility: Public (embedded in HTML)

Secret Key

  • Description: Your Google reCAPTCHA Secret Key (private key)
  • Required: Yes (if Captcha is enabled)
  • Format: 40-character alphanumeric string
  • Source: Obtained from Google reCAPTCHA Admin
  • Help Text: “Enter your Secret Key here. You can get Secret Key from here.”
  • Security: Keep private; used for server-side validation

Getting reCAPTCHA Keys

Visit the Google reCAPTCHA Integration guide for step-by-step instructions on obtaining your Site Key and Secret Key.

Error Messages Section

Customize the error messages shown to users when validation fails.

Invalid nonce error message

  • Description: Message shown when nonce validation fails
  • Default: “Invalid nonce error.”
  • When shown: The CSRF token fails validation or has expired
  • Customization tips:
    • Avoid technical terms like “nonce”
    • Suggest refreshing the page
    • Keep it user-friendly
  • Example: “Your session has expired. Please refresh the page and try again.”

Email/Domain blocklist error message

  • Description: Message shown when blocked email or domain is used
  • Default: “Your email not allowed from registration! Try using another email address.”
  • When shown: User tries to register with blocked email/domain
  • Customization tips:
    • Be polite but firm
    • Suggest using alternative email
    • Explain why (optional)
  • Example: “This email address is not allowed. Please use a different email.”

Captcha error message

  • Description: Message shown when reCAPTCHA validation fails
  • Default: “Google captcha error! Please try again.”
  • When shown: reCAPTCHA verification fails or is not completed
  • Customization tips:
    • Clearly mention the reCAPTCHA requirement
    • Avoid blaming the user
    • Provide clear instructions
  • Example: “Please verify you’re not a robot by checking the reCAPTCHA box.”

Writing Good Error Messages

Good error messages are clear, actionable, and match your site’s tone. Avoid technical jargon and always tell users what to do next.

Saving Your Settings

After making any changes to the settings:

  1. Review all your changes to ensure accuracy
  2. Scroll to the bottom of the page
  3. Click the Save Changes button
  4. Wait for the success message confirming changes were saved
  5. Changes take effect immediately

Settings Saved

You’ll see a success notification at the top of the page when settings are saved successfully.

Testing Your Configuration

After configuring settings, always test to ensure everything works correctly:

Testing Checklist

  1. CSRF Protection:
    • View page source to confirm hidden nonce fields exist
    • Leave registration form open for hours, then submit (should fail)
  2. Email Blocking:
    • Try registering with a blocked email (should fail with custom message)
    • Try registering with allowed email (should succeed)
  3. reCAPTCHA:
    • Verify reCAPTCHA checkbox appears
    • Try submitting without checking box (should fail)
    • Complete reCAPTCHA and submit (should succeed)
  4. Error Messages:
    • Trigger each error condition
    • Verify custom messages appear correctly

Important

Always test from a logged-out state. Admin users may bypass certain security checks.
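
The page-source checks in the checklist can be scripted against the HTML of a logged-out registration page. This is an added example, not part of the plugin: audit_page is a hypothetical helper, the sample markup and key values are constructed, and because this page does not name the plugin's nonce field, any hidden input whose name contains "nonce" is counted. It also confirms that the Secret Key never appears in the served markup.

```python
from html.parser import HTMLParser


class RegistrationFormAudit(HTMLParser):
    """Collects hidden nonce-like inputs and reCAPTCHA widgets."""

    def __init__(self):
        super().__init__()
        self.nonce_fields = []  # names of hidden inputs containing "nonce"
        self.site_keys = []     # data-sitekey values on g-recaptcha elements

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            # Assumption: the field name contains "nonce" and has a value.
            if "nonce" in a.get("name", "").lower() and a.get("value"):
                self.nonce_fields.append(a["name"])
        # reCAPTCHA v2 renders into an element with class "g-recaptcha".
        if "g-recaptcha" in a.get("class", "").split():
            self.site_keys.append(a.get("data-sitekey", ""))


def audit_page(html, secret_key=None):
    """Return checklist results for one registration page's source."""
    parser = RegistrationFormAudit()
    parser.feed(html)
    return {
        "nonce_field_present": bool(parser.nonce_fields),
        "recaptcha_widget_present": any(parser.site_keys),
        # The Secret Key is for server-side validation only and must
        # never appear in markup served to visitors.
        "secret_key_leaked": bool(secret_key) and secret_key in html,
    }


# Constructed sample page; field name and keys are placeholders.
SAMPLE = """
<form method="post" action="/wp-login.php?action=register">
  <input type="email" name="user_email">
  <input type="hidden" name="example_reg_nonce" value="3f9a1c0b7e">
  <div class="g-recaptcha" data-sitekey="SITE-KEY-PLACEHOLDER"></div>
</form>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE, secret_key="SECRET-KEY-PLACEHOLDER"))
```

Save the page source from a private browser window so the check reflects what a logged-out visitor receives.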

Resetting to Defaults

If you want to reset settings to their default values:

  1. Navigate to Settings → Safe Registration
  2. Manually adjust settings back to defaults:
    • Check: Protect user Registration
    • Check: Protect WooCommerce user Registration
    • Check: Enable Nonce
    • Clear: Email/Domain Blocklist
    • Uncheck: Enable Captcha
    • Clear: Site Key and Secret Key
    • Restore default error messages
  3. Click Save Changes

Note: The plugin doesn’t have an automatic “Reset to Defaults” button, so changes must be made manually.

Troubleshooting Settings Issues

Settings not saving

  • Check WordPress file permissions
  • Verify you have admin privileges
  • Look for JavaScript errors in browser console
  • Try a different browser

reCAPTCHA keys not working

  • Verify keys are copied correctly (no extra spaces)
  • Ensure you’re using reCAPTCHA v2 keys
  • Check domain is registered in Google reCAPTCHA admin

Email blocklist not blocking

  • Verify syntax: use @ prefix for domains
  • Ensure no spaces in comma-separated list
  • Save settings after making changes

For more detailed troubleshooting, see the Troubleshooting Guide.