• NONE - This means that registration is off completely. This is the most safe method. No possible registration form presented to users or bots / hackers.


• PRIVATE - Allows admin to screen all users and to invite them individually to register for the site.


• PUBLIC - This is the most open method and allows all users to register and on the next screen be logged in as "Registered Users"


• VERIFIED - This method allows all public users to register, but sends out a validation email that the user must receive and follow back to complete their registration, thus validating and verifying that they've used a real email address they have access to.

It's important for you to pick the most strict option possible for your needs. As an extreme yet effective method, consider also, turning on and off registration as needed.

Remember, even if you have your Registration.aspx page not in a sitemap, or you don't have a page at all that has a registration module on it, there are URL Query String and alternate methods to get to a registration form for your DNN site, IF registration is set to Public or Validate, so you always have to review these settings.

With the recent wave of bots targeting the DNN Registration forms, turning registration down to Verified or Private will still result in junk emails being sent to those dummy email addresses and junk spam-bot created users in the system. 

Turning off registration will fix that problem... but most sites cannot have "no registration" so we continue on to further options and things to consider.

Step 1B. Set the DNN Captcha ON for Registration

OK, here's a great option in later DNN versions that's a good addition!

Lower down in that same tab, you'll see the option to "Use CAPTCHA For Registration." Turning on this setting will render the core DNN Captcha in a registration form, which looks like this in the core DNN registration form:

This is a good start and can help. A few reported complaints about this Captcha are that it detracts from users and their form process, doesn't look so great when you're focused on design, and most of all, that it's a simplistic type of Captcha that some bots can go through.

So, what's next then?...

XMod Pro To The Rescue!

What could fit better as a solution than the ability for you as a developer to completely customize the perfect solution to balance your needs for control, simplicity for your user audience and the ability to add extra validation methods. XMod Pro is the perfect solution to help stop robots, bots, spam-bots, hackers from annoying you through your DNN Registration form!

Step 2. XMP's Updated DNN Registration Form Module Kit

Many XMP developers have already started customizing their registration process by building their own custom forms and/or starting from our Module Kit which helps show you the basics of how registration works within XMP and has some nice features such as visual password complexity checking and existing username/email checking notices.

http://dnndev.com/Products/Free-XMod-Pro-Kits/User-Registration

This kit has been updated now to include a few other new security and validation features that focus on bot protection.

There are two hidden form fields that are present in these example forms. Both are hidden from users, both are validated / checked by a combination of client-side and server-side validation. It is the different ways these are setup that, in combination, can help foil many bots.

• Honeypot Hidden Field

  There are several good articles that describe the concept... basically, many bots are programmed to put data into every form field present and test submit. By having a field that is present/visible to the bot but is set with CSS to be hidden to the human user, AND having a field name like "website" or "state" it's irresistible to a bot to fill out.

  The field is set with standard XMP validation and Regular Expressions to only accept blank/null value on submission. If there is anything in the field, then the form submission will not complete.

• Hidden Field, Value Changed by JavaScript / jQuery

  The second hidden field takes into account that most bots will operate their form submissions with JavaScript turned off or stripped out of your page. This means that client-side validation and protections evaporate. This field takes that into account and hopes for it!

  The SQL Select Statement for the form sets a default value for the form such as "imabot" and when the page loads properly with jQuery, the value is changed to something like "imahuman". Standard XMP validation and RegEx are in place that only the value "imahuman" is allowed.

  If the bots run without that JavaScript running, then the form won't pass validation!

These are just two simple methods that we've put in place. There are plenty more that you can work out! My favorite part about the combination of these two is that they play different attributes about bot methods against the bot's success.

That, and the fact that they should be completely invisible to users and could allow you to have no visible interruption for users in their registration process!

Step 3. Additional DNN Form Security Tactics

There are several other, similar methods of generating elements on-the-fly and / or hiding or showing items to help confuse or defeat bots.

Here are a few that you can consider working into your XMod Pro Forms:

• JS-generated Checkbox

  There are a few flavors of this idea around... essentially you create a CheckBox on-the-fly with jQuery. Most of the time by simply creating a new checkbox option. That option, then, is the only allowed value that you would set within standard XMP validation. My favorite of this idea is to have only one checkbox field of "I'm not a bot".

  

• Random Numbers / Text Evaluation

  Another method to impact users lightly is to put in a phrase that must be evaluated by a human. The idea here is to have a form label such as:

  "Please enter the middle middle word in this series: ball, pig, rock">

  or

  "Yellow and Blue make..."

  or

  "Add twelve to eleven and you have..."

  >and in your validation you either allow a specific typed word or with RegEx you make a list of a few different accepted variations.

  There are variations on this, too, where you can generate random numbers and values to keep those questions and their answers changing with each form load.

Step 4. XMod Pro Extensions - Custom Validation Controls - Google ReCaptcha & Others

My company has even released a few options on ways to help with this problem, not only with registration forms but with all / any forms that need not only the protection that validation can add, but also the visual presence to the user that there is added security to the form submission process (which can be important to clients and user impression!)

We have been working on a new release of a group of validation options and that means that our stand-alone Google ReCaptcha control has a new lowered price compared to the larger kit with more options. If it helps get anyone currently suffering with these bots some relief through ReCaptcha then I'm glad to help!

Not familiar with ReCaptcha? It's not used heavily in DNN that I've seen elsewhere, but I'm sure you've seen Google's ReCaptcha around.

ReCaptcha:

Once installed and registered in your XMP Forms, you can call it just like any other form control.

• To play with a Demo of it, you can see it in action here:
  http://modules.moorecreative.com/ForXModPro/CustomControlReCaptch.aspx


• You can also purchase it from the DNN Store here:
  http://store.dnnsoftware.com/home/product-details/custom-control-for-xmod-pro-google-recaptcha-form-validation/r/1c4485cd5cfc4f4aa2e9

Other Validation Options:

The larger package of validation options ties in options for several different services that, like Google's ReCaptcha, allow you to tie into other services that provide validation solutions that are external to your site and are always being updated and enhanced.

A few examples of the additional validation options available are:

• Text Phrase Evaluation
• Google Semantic Text Evaluation
• SweetCaptcha's Visual Captcha Service
• Drag & Drop Visual Validation (works great for mobile users!)


•  

So, what have we learned in this article?... Hopefully, it's that if you're having problems with new waves of bots hitting the forms on your site (any form, not just DNN registration forms!) you should review the general core DNN user registration settings to see if you're in the right level, try some alternatives for bot-smashing tactics through custom built XMod Pro Forms...

And finally, that you're not in it alone! Whether you try out custom controls built to enhance XMP with further possibilities, you try out some yourself, or you reach out to your friends and fellow developers here in the XMod Pro community, there are plenty of options available to get help with your DNN site's form security!

MooreCreative XMOD Development Blog

In the MooreCreative XMOD PRO Development Blog, I'll try to share some of the thoughts and ideas that we've come up with on a day-to-day basis as my development company uses DNN + XMOD PRO to tackle client projects. I'll include items such as tips/tricks, did-you-know articles, troubleshooting/testing examples as well as posting samples solutions and explanations behind our experience working with XMOD and jQuery functions, PageBlaster, ZLDNN Article, and other modules/elements.

If you would like to see us tackle a topic, especially anything out of the forums that could use further examples, please, don't hesitate to email me, and I'll look into preparing it for a blog post.