Introduction

Find quick answers to the most commonly asked questions about Secure User Registration by PureDevs. If you don’t find your answer here, check our detailed documentation or contact support.

General Questions

What does this plugin do?

Secure User Registration by PureDevs protects your WordPress and WooCommerce registration forms from CSRF (Cross-Site Request Forgery) attacks and automated bot registrations. It adds multiple layers of security including:

  • CSRF protection with custom nonce fields
  • Email and domain blocking capability
  • Google reCAPTCHA v2 integration
  • Customizable error messages

Is this plugin free?

Yes, Secure User Registration by PureDevs is completely free and available from the WordPress.org plugin repository. All features are included at no cost.

Does this work with WooCommerce?

Yes! The plugin protects both standard WordPress registration forms and WooCommerce registration forms (My Account page and checkout registration).

Will this slow down my website?

The plugin has minimal impact on performance. CSRF protection and email blocking add negligible overhead. Google reCAPTCHA may add 1-2 seconds to page load time when enabled, as it loads external JavaScript from Google’s servers.

Do I need WooCommerce to use this plugin?

No, WooCommerce is optional. The plugin works perfectly with just WordPress. However, if you do have WooCommerce, the plugin will protect those registration forms as well.

Is the plugin compatible with my theme?

Yes, the plugin is compatible with all standard WordPress themes that follow WordPress coding standards. It works with popular themes and page builders.

Installation and Setup

How do I install the plugin?

There are three methods:

  1. Via WordPress Dashboard (Recommended): Go to Plugins → Add New, search for “Secure User Registration by PureDevs”, and click Install
  2. Via Upload: Download from WordPress.org, then upload via Plugins → Add New → Upload Plugin
  3. Via FTP: Upload the extracted plugin folder to /wp-content/plugins/

See the Installation Guide for detailed instructions.

What are the system requirements?

  • WordPress 3.5 or higher (tested up to 6.8.3)
  • PHP 7.0 or higher
  • WooCommerce 3.0+ (optional, only if protecting WooCommerce forms)

Do I need to configure anything after installation?

Basic CSRF protection works immediately after activation. For optimal security, you should:

  1. Enable all protection options in Settings → Safe Registration
  2. Optionally configure email/domain blocklist
  3. Optionally set up Google reCAPTCHA
  4. Customize error messages if desired

Features and Functionality

What is CSRF protection?

CSRF (Cross-Site Request Forgery) is an attack where malicious websites trick users into performing unwanted actions on your site. CSRF protection uses nonce (number used once) tokens to verify that registration requests originate from your site, not from external sources.

What is a nonce?

A nonce is a unique, time-limited security token generated by WordPress. It’s added as a hidden field in your registration forms and validated when the form is submitted. If the nonce is invalid or expired, the registration is rejected.

How does email blocking work?

You can block specific email addresses or entire domains from registering. For example:

  • spam@example.com blocks that specific email
  • @example.com blocks all emails from example.com

When someone tries to register with a blocked address, they see a customizable error message.

Do I need a Google account to use reCAPTCHA?

Yes, you need a Google account to obtain reCAPTCHA keys from the Google reCAPTCHA Admin Console. The reCAPTCHA service itself is free.

Which reCAPTCHA version does the plugin support?

The plugin supports Google reCAPTCHA v2 with the “I’m not a robot” checkbox. It does not support reCAPTCHA v3 or invisible reCAPTCHA.

Can I use this plugin without reCAPTCHA?

Absolutely! reCAPTCHA is optional. The plugin provides strong CSRF protection and email blocking even without reCAPTCHA. Add reCAPTCHA only if you’re experiencing bot registration issues.

Configuration

Where do I find the plugin settings?

Navigate to Settings → Safe Registration in your WordPress admin menu.

What should I enable in the settings?

For comprehensive protection, enable:

  • ✓ Protect user Registration
  • ✓ Protect WooCommerce user Registration (if using WooCommerce)
  • ✓ Enable Nonce
  • ✓ Enable Captcha (if you have reCAPTCHA keys and want bot protection)

How do I block disposable email services?

In the Email/Domain Blocklist field, add domains like:

@10minutemail.com,@guerrillamail.com,@mailinator.com,@tempmail.com

Use commas to separate multiple domains, with no spaces.
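
The blocklist syntax described here and under "How does email blocking work?" can be parsed and matched as in the following added example. It is not the plugin's own code: the function names are hypothetical, and the trimming, lowercasing and exact-domain matching are assumptions, since this page does not document how the plugin handles them.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Split a comma-separated blocklist into exact addresses and "@domain" entries.
function parse_blocklist(string $raw): array
{
    $list = ['emails' => [], 'domains' => []];
    foreach (explode(',', $raw) as $entry) {
        // Assumption: tolerate stray spaces and mixed case in the saved list.
        $entry = strtolower(trim($entry));
        if ($entry === '' || $entry === '@') {
            continue; // blanks left by trailing or doubled commas
        }
        if ($entry[0] === '@') {
            $list['domains'][substr($entry, 1)] = true;
        } else {
            $list['emails'][$entry] = true;
        }
    }
    return $list;
}

function is_blocked(string $email, array $list): bool
{
    $email = strtolower(trim($email));
    $at = strrpos($email, '@');
    if ($at === false) {
        return false; // not an address; leave that to normal email validation
    }
    $domain = substr($email, $at + 1);
    // Assumption: a domain entry matches that exact domain, not its subdomains.
    return isset($list['emails'][$email]) || isset($list['domains'][$domain]);
}

// Constructed sample input, including a stray space and a trailing comma.
$list = parse_blocklist('spam@example.com,@mailinator.com, @tempmail.com,');
$samples = ['spam@example.com', 'ok@example.com', 'Bob@MAILINATOR.com',
            'x@tempmail.com', 'x@mail.mailinator.com', 'not-an-address'];
foreach ($samples as $addr) {
    printf("%-24s %s\n", $addr, is_blocked($addr, $list) ? 'blocked' : 'allowed');
}
```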

Can I customize the error messages?

Yes! Scroll to the Error Messages section in settings to customize:

  • Invalid nonce error message
  • Email/Domain blocklist error message
  • Captcha error message

See Customizing Error Messages for best practices.

Do changes take effect immediately?

Yes, all setting changes take effect immediately after clicking “Save Changes”. No cache clearing is required.

Troubleshooting

Why aren’t my settings saving?

Common causes:

  • Not logged in as Administrator
  • Browser cache issue – try clearing the cache or using a different browser
  • JavaScript errors – check browser console (F12)
  • Database connection issue

Why don’t I see the reCAPTCHA on my registration form?

Check these points:

  1. Is the “Enable Captcha” checkbox checked in settings?
  2. Are both Site Key and Secret Key filled in?
  3. Are you using reCAPTCHA v2 keys (not v3)?
  4. Is JavaScript enabled in your browser?
  5. Check browser console for errors (F12)

Users are seeing “Invalid nonce error” frequently

This usually happens when:

  • Registration forms are being cached – exclude them from caching
  • Users leave forms open for many hours before submitting
  • Server time is incorrect

Update the error message to suggest refreshing the page.

Email blocking isn’t working

Verify:

  • Syntax is correct: @domain.com for domains
  • No spaces in the comma-separated list
  • Settings have been saved
  • Protection is enabled for the form type (WordPress or WooCommerce)

reCAPTCHA says “Invalid site key”

Solutions:

  • Verify you copied the complete Site Key from Google
  • Check you’re using reCAPTCHA v2, not v3
  • Ensure your domain is registered in Google reCAPTCHA admin
  • Add both www and non-www versions of your domain in Google admin

Security and Privacy

Is this plugin secure?

Yes, the plugin follows WordPress security best practices. It uses WordPress’s built-in nonce system for CSRF protection and properly sanitizes all inputs.

Does the plugin collect any data?

The plugin itself does not collect or transmit any data. All validation happens on your server.

What data does Google reCAPTCHA collect?

When reCAPTCHA is enabled, Google collects:

  • User IP address
  • Browser and device information
  • Cookies
  • User interaction patterns

This data is used to distinguish humans from bots. You should disclose this in your privacy policy.

Is the plugin GDPR compliant?

The plugin’s core features (CSRF protection, email blocking) don’t involve data collection. However, Google reCAPTCHA does collect user data. If you serve EU users:

  • Update your privacy policy to disclose reCAPTCHA usage
  • Consider obtaining consent before loading reCAPTCHA
  • Link to Google’s privacy policy

Can this plugin prevent all bot registrations?

No security solution can prevent 100% of bot activity. However, this plugin significantly reduces bot registrations by:

  • Blocking automated scripts with CSRF protection
  • Blocking known spam domains
  • Using Google’s advanced bot detection (when reCAPTCHA is enabled)

Compatibility

Does this work with other security plugins?

Generally yes, but some conflicts can occur if multiple plugins add reCAPTCHA to the same forms. If you see duplicate reCAPTCHA widgets, disable reCAPTCHA in one of the plugins.

Is it compatible with caching plugins?

Yes, but you should exclude registration pages from full-page caching to ensure nonces are always fresh. Most caching plugins allow page exclusions.

Does it work with multisite?

Yes, the plugin is compatible with WordPress Multisite installations. Install network-wide or on individual sites as needed.

Can I use this with custom registration forms?

The plugin automatically protects standard WordPress and WooCommerce registration forms. For custom registration forms, you may need developer assistance to integrate the plugin’s protection.

Does it work with membership plugins?

It depends on the membership plugin. If the membership plugin uses standard WordPress registration hooks, it should work. Test with your specific membership plugin to verify.

Advanced Questions

Can I programmatically bypass the protection?

For developers: The plugin uses WordPress hooks and filters. You can use custom code to modify behavior, but this requires PHP knowledge and isn’t recommended for most users.

How do nonces expire?

WordPress nonces typically expire after 12-24 hours. This is a WordPress default and provides a balance between security and user experience.
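
The 12-24 hour range comes from the way WordPress divides time into half-lifetime "ticks" and accepts a nonce from the current or the previous tick. The following added example is a simplified stand-alone model of that timing, not the plugin's or WordPress's own code; the demo_* names, DEMO_SECRET and the timestamps are constructed for illustration.

```php
<?php
// Added example: simplified model of WordPress nonce timing, not plugin code.
// The real wp_create_nonce() also hashes the user ID and session token and
// keys the hash with the site's salts; DEMO_SECRET is a constructed stand-in.
const DEMO_SECRET = 'constructed-demo-secret';
const NONCE_LIFE  = 86400; // WordPress default lifetime: one day, in seconds

// Time is divided into ticks of half the lifetime (12 hours by default).
function demo_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function demo_nonce(string $action, int $tick): string
{
    return substr(hash_hmac('sha256', $tick . '|' . $action, DEMO_SECRET), -12, 10);
}

// Like wp_verify_nonce(): 1 = issued this tick, 2 = previous tick, false = expired.
function demo_verify(string $nonce, string $action, int $now)
{
    $tick = demo_tick($now);
    if (hash_equals(demo_nonce($action, $tick), $nonce)) {
        return 1;
    }
    if (hash_equals(demo_nonce($action, $tick - 1), $nonce)) {
        return 2;
    }
    return false;
}

// Constructed timestamps: one form rendered just after a tick starts,
// one rendered a minute before the same tick ends.
$tickStart = 43200 * 1000;
$rendered  = ['early in tick' => $tickStart + 1, 'late in tick' => $tickStart + 43140];
foreach ($rendered as $label => $issuedAt) {
    $nonce = demo_nonce('register', demo_tick($issuedAt));
    foreach ([11, 13, 23, 25] as $hours) {
        $result = demo_verify($nonce, 'register', $issuedAt + $hours * 3600);
        printf("%-13s +%2dh: %s\n", $label, $hours, $result === false ? 'rejected' : "ok ($result)");
    }
}
```

The form rendered early in a tick is still accepted 23 hours later, while the one rendered late in the same tick is rejected after 13 hours. A registration page served from a full-page cache carries the nonce from the moment it was cached, so it can start failing well before a full day has passed.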

Can I whitelist specific emails instead of blocking?

The plugin currently supports blocklist only, not whitelist. If you need whitelist functionality, contact support or consider custom development.

Does the plugin log blocked registration attempts?

No, the plugin does not log blocked attempts. If you need logging, consider using it alongside a security plugin that provides logging features.

Can I translate the plugin?

The plugin is translation-ready. You can translate it using translation plugins like WPML, Polylang, or Loco Translate. Error messages can be customized directly in the settings.

Support and Updates

How do I get support?

Support options:

  • Documentation: Check this comprehensive documentation first
  • WordPress.org Support Forum: Search existing threads or post a new question
  • PureDevs Support: Contact through official support channels

How often is the plugin updated?

The plugin is maintained by PureDevs and updated as needed for WordPress compatibility, security improvements, and bug fixes.

What information should I provide when asking for help?

Include:

  • WordPress version
  • PHP version
  • WooCommerce version (if applicable)
  • Exact error message or description of issue
  • Steps to reproduce the problem
  • Screenshots if relevant
  • List of other active plugins

Can I request new features?

Yes! Feature requests are welcome. Post them in the WordPress.org support forum or contact PureDevs directly.

Is there a premium version?

Currently, all features are included in the free version. Check the PureDevs website or WordPress.org for any future premium offerings.

Uninstallation

How do I uninstall the plugin?

  1. Go to Plugins → Installed Plugins
  2. Find “Secure User Registration by PureDevs”
  3. Click Deactivate
  4. Click Delete
  5. Confirm deletion

What happens to my settings when I deactivate?

Settings are stored in your WordPress database. They remain when you deactivate the plugin. If you reactivate, your settings will still be there.

What happens when I delete the plugin?

When you delete the plugin, all settings are removed from the database. Your existing user accounts remain unchanged.

Will uninstalling affect existing user accounts?

No, the plugin only affects the registration process. Existing user accounts are not affected by installing or uninstalling the plugin.

Still Have Questions?

If you didn’t find your answer in this FAQ, here are more resources:

Need More Help?

Visit the WordPress.org support forum or contact PureDevs support directly. Include as much detail as possible about your issue for faster resolution.