Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.I think we've all had the experience of putting up a site and forgetting to turn off the "visitors can create accounts" setting... and getting spam user creation or worse.
I suggest that we change the default to "only administrators can create accounts" on admin/config/people/accounts. The attached patch does that.
What I did: Installed a new Drupal site
What I expected: I would be in complete control of the website (and the only user) until I configured it otherwise.
What happened instead: A thousand spambots found the site and created bogus users.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | drupal.default_no_visitor_user_creation.patch | 5.4 KB | rfay |
Comments
Comment #1
rfayPatch dropped again.
Comment #2
dave reidDuplicate of #174972: User creation setting should be "Visitors, with admin approval". ;)