If you’ve disabled the “Anyone can register” setting in WordPress but are still seeing new users in your dashboard, you’re not alone. Many WordPress site owners have experienced this frustrating issue — spam accounts, bot registrations, or even unexpected user creations caused by plugins or API abuse.

In this article, we’ll dive into:

  • Why users can still be created despite the default setting being disabled
  • A powerful code snippet to stop all user creation
  • Additional ways to lock down your site completely

🤔 Why Are New Users Still Being Created?

Disabling “Anyone can register” in Settings > General only affects the default WordPress registration form (wp-login.php?action=register). However, it does not block user creation at a programmatic level. Here’s how users can still be added:

  1. Plugins (e.g., membership, forms, newsletter tools) that use wp_create_user() or wp_insert_user() internally.
  2. REST API access to the wp/v2/users endpoint.
  3. XML-RPC methods that allow user-related actions.
  4. Custom registration forms that ignore the “Anyone can register” setting.
  5. Malicious scripts that directly inject users via POST requests.

So if bots or bad actors hit one of these entry points, WordPress will still happily create new users unless you take stronger action.

The Ultimate Fix: Disable All User Creation via user_has_cap Filter

To completely stop any new user from being created, whether manually or via a plugin/API, use this powerful snippet:

add_filter('user_has_cap', function($allcaps, $cap, $args) {
    if (in_array('create_users', $cap)) {
        $allcaps['create_users'] = false;
    }
    return $allcaps;
}, 10, 3);

How to Add It

Option 1: Add to functions.php

  1. Go to Appearance > Theme File Editor.
  2. Open your active theme’s functions.php.
  3. Paste the code at the bottom and save.

Option 2: Use a Custom Plugin

  1. Create a new file in /wp-content/plugins/ called disable-user-registration.php.
  2. Add the following:
<?php
/*
Plugin Name: Disable All User Creation
Description: Completely blocks any new user registration on the site.
Version: 1.0
Author: Your Name
*/

add_filter('user_has_cap', function($allcaps, $cap, $args) {
    if (in_array('create_users', $cap)) {
        $allcaps['create_users'] = false;
    }
    return $allcaps;
}, 10, 3);

Activate the plugin from the Plugins page.

🔍 What Does This Code Do?

  • WordPress uses capabilities to control what each role can do.
  • create_users is the capability that allows user creation (usually available to Administrators only).
  • This filter intercepts capability checks and forces create_users to always return false, blocking any attempt to create a new user, whether from plugins, REST API, or admin UI.

🛑 This disables all user creation across the entire site, including for admins. You’ll need to remove or comment out the code if you want to manually add new users later.

🚧 Additional Steps to Lock Down User Registration

If you want to go even further, here are a few extra protections:

✅ 1. Block Access to wp-login.php?action=register

add_action('login_init', function () {
    if (isset($_GET['action']) && $_GET['action'] === 'register') {
        wp_die('User registration is disabled.', 'Registration Blocked', array('response' => 403));
    }
});

✅ 2. Disable User Registration via REST API

add_filter('rest_endpoints', function ($endpoints) {
    if (isset($endpoints['/wp/v2/users'])) {
        unset($endpoints['/wp/v2/users']);
    }
    return $endpoints;
});

This prevents bots or plugins from using the REST API to create users.

✅ 3. Block XML-RPC Access

Add this to your .htaccess file:

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Or use a plugin like Disable XML-RPC.


✅ 4. Monitor User Creation Logs

Install a plugin like:

This helps track which plugin or process is attempting to add new users.
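
One way to get this visibility without a third-party plugin, as an added example that is not part of the original article: a small plugin that hooks WordPress's user_register action, which fires whenever wp_insert_user() creates an account (including direct calls from plugin code), and writes the request URI, the acting user and a call-stack summary to the PHP error log. The uca_ function names and the log prefix are constructed for illustration.

```php
<?php
/*
Plugin Name: Log User Creation (added example)
Description: Records which request and code path created each new account.
Version: 1.0
*/

// Assumption: constructed log prefix for this example, not a WordPress identifier.
const UCA_LOG_PREFIX = 'user-creation-audit';

// Strip control characters so attacker-chosen values cannot forge extra log lines.
function uca_clean($value) {
    return preg_replace('/[\x00-\x1F\x7F]/', '', (string) $value);
}

// Build a single log line describing one newly created account.
function uca_format_entry($user_id, $login, $actor_id, $uri, $trace) {
    return sprintf(
        '[%s] new_user_id=%d login=%s created_by=%d uri=%s trace=%s',
        UCA_LOG_PREFIX,
        (int) $user_id,
        uca_clean($login),
        (int) $actor_id,   // 0 means no logged-in user made this request
        uca_clean($uri),
        uca_clean($trace)
    );
}

// user_register runs at the end of wp_insert_user() for every new account.
add_action('user_register', function ($user_id) {
    $user  = get_userdata($user_id);
    $login = $user ? $user->user_login : '(unknown)';

    // REQUEST_URI is absent under WP-CLI and some cron runs.
    $uri = isset($_SERVER['REQUEST_URI'])
        ? wp_unslash($_SERVER['REQUEST_URI'])
        : '(no request URI)';

    // Comma-separated list of calling functions; the frames before
    // wp_insert_user show which plugin or core path made the call.
    $trace = wp_debug_backtrace_summary();

    error_log(uca_format_entry($user_id, $login, get_current_user_id(), $uri, $trace));
}, 10, 1);
```

Entries with created_by=0 were created without a logged-in user, so those are the ones to investigate first.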


Disabling the “Anyone can register” checkbox is the first step in protecting your WordPress site. For complete control over user registration, the user_has_cap filter provides a powerful solution that blocks all user creation attempts — no matter where they come from.



With just a few lines of code, you can lock your site down and end spam user accounts for good.
