
curtsheller

Catching Bot Registering New Users

Using Laravel 11 and have been getting bots registering new users. How can I catch these?

App is using Laravel Breeze and Spatie Honeypot.

Don't know where to start.

LaryAI

To tackle the issue of bots registering new users in your Laravel application, you can implement several strategies. Since you're already using Laravel Breeze and Spatie Honeypot, you're on the right track. Here are some additional steps you can take:

  1. Ensure Honeypot is Properly Configured: Make sure that the Spatie Honeypot package is correctly set up in your forms. This package works by adding a hidden field that bots are likely to fill out, but humans will not. Ensure that this field is present in your registration form.

    {{-- In your registration form view; routes/auth.php must also put the
         Spatie\Honeypot\ProtectAgainstSpam middleware on the POST register route,
         otherwise the hidden field is rendered but never checked --}}
    @honeypot
    
  2. Implement Google reCAPTCHA: Adding Google reCAPTCHA to your registration form can significantly reduce bot registrations. You can use the anhskohbo/no-captcha package to integrate reCAPTCHA with Laravel.

    First, install the package:

    composer require anhskohbo/no-captcha
    

    Then, add your reCAPTCHA site and secret keys to your .env file:

    NOCAPTCHA_SITEKEY=your-site-key
    NOCAPTCHA_SECRET=your-secret-key
    

    Add the service provider in config/app.php:

    // Laravel 11 lists providers in bootstrap/providers.php rather than config/app.php;
    // the package is also auto-discovered, so this is only needed if discovery is disabled
    return [
        App\Providers\AppServiceProvider::class,
        Anhskohbo\NoCaptcha\NoCaptchaServiceProvider::class,
    ];
    

    Add the reCAPTCHA field to your registration form:

    {!! NoCaptcha::renderJs() !!}
    {!! NoCaptcha::display() !!}
    

    Validate the reCAPTCHA response in your controller:

    use Illuminate\Http\Request;

    // Breeze's equivalent method is RegisteredUserController::store(); the 'captcha'
    // rule comes from the no-captcha package and verifies the token with Google
    public function register(Request $request)
    {
        $request->validate([
            'g-recaptcha-response' => 'required|captcha',
            // other validation rules
        ]);

        // Registration logic
    }
    
  3. Rate Limiting: Implement rate limiting to prevent multiple registration attempts from the same IP address in a short period. You can use Laravel's built-in rate limiting feature.

    In your RegisterController, you can apply rate limiting like this:

    // app/Providers/AppServiceProvider.php: Laravel 11 ships no RouteServiceProvider,
    // so named limiters are defined in AppServiceProvider::boot()
    use Illuminate\Cache\RateLimiting\Limit;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\RateLimiter;

    public function boot(): void
    {
        RateLimiter::for('register', function (Request $request) {
            return Limit::perMinute(5)->by($request->ip());
        });
    }

    // routes/auth.php: Laravel 11's base Controller has no middleware() method, so
    // attach the limiter to Breeze's registration route rather than in a constructor
    Route::post('register', [RegisteredUserController::class, 'store'])
        ->middleware(['guest', 'throttle:register']);
    
  4. Email Verification: Ensure that email verification is enabled. This will require users to verify their email addresses before they can fully use their accounts, which can deter bots.

    In your User model, implement the MustVerifyEmail interface:

    use Illuminate\Contracts\Auth\MustVerifyEmail;
    use Illuminate\Foundation\Auth\User as Authenticatable;

    // Breeze's User model already imports MustVerifyEmail; adding it to the
    // implements clause is what switches verification on
    class User extends Authenticatable implements MustVerifyEmail
    {
        // ...
    }
    

    Ensure your routes are set up to handle email verification:

    // Auth::routes() is laravel/ui, not Breeze; Breeze's routes/auth.php already defines
    // the verification routes, so just guard routes that need a verified address:
    Route::get('/dashboard', fn () => view('dashboard'))->middleware(['auth', 'verified']);
    

By combining these strategies, you should be able to significantly reduce the number of bot registrations in your Laravel application.

jdc1898

I recently fought this. Registrations were running up outbound emails costing me real money. I ended up adding an input to the form and used css to basically hide it but not using the hidden attribute. I made it 1 px by 1 px and the same color. When the bots picked up the registration page, they now saw the new input and they filled it out. So I know now when a bot fills it out. I just drop it now.

I’m sure there are better ways but this worked for me. I hate re-captcha so I refused to inflict them on my users…

Snapey
Best Answer

@curtsheller that's basically what Spatie Honeypot does. Are you sure it's applied correctly?

If the cost of the email is not an issue, you can defer registering the user until they confirm.

So, they fill in their email address on the registration page, you create a signed URL using their email address.

When they click on the signed URL, the route signature is checked and if valid, they are presented with the registration form with the email address already filled. They choose a password and register.

This way, you are moving the email validation to before registration and if they never confirm the email then no new users are created on your side.

I would probably also couple this with IP based rate limiting.
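The deferred-registration flow described above, with the IP rate limit it mentions, as an added example (not code from the thread or from Breeze). It assumes Laravel 11 with Breeze, a hypothetical App\Mail\RegistrationLink mailable that takes the URL, and a view auth.register that posts to the given action and shows the email read-only.

```php
<?php
// Added example, not code from the thread or from Breeze. Assumes Laravel 11 +
// Breeze, a hypothetical App\Mail\RegistrationLink mailable taking the URL, and
// a view auth.register that posts to $action and shows $email read-only (no
// email input of its own, so store() reads the email from the signed query).

// --- app/Providers/AppServiceProvider.php, inside boot() ---
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

// Per-IP limit on link requests so the form cannot be used to pump outbound mail.
RateLimiter::for('register-link', fn ($request) => Limit::perMinute(3)->by($request->ip()));

// --- routes/auth.php ---
use App\Http\Controllers\Auth\RegisteredUserController;
use App\Mail\RegistrationLink;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;

// Step 1: the visitor submits only an email address; no user row is created.
Route::post('/register/request', function (Request $request) {
    $data = $request->validate(['email' => ['required', 'email:rfc,dns', 'max:255']]);

    // The signature covers the email parameter and the expiry, so a changed
    // address or a stale link fails the 'signed' middleware below.
    $url = URL::temporarySignedRoute(
        'register.create', now()->addMinutes(30), ['email' => $data['email']]
    );
    Mail::to($data['email'])->queue(new RegistrationLink($url));

    // Same response whether or not mail went out, to avoid account enumeration.
    return back()->with('status', 'If that address can receive mail, a link is on its way.');
})->middleware(['guest', 'throttle:register-link'])->name('register.request');

// Step 2: only a URL with a valid, unexpired signature reaches the real form.
Route::get('/register/create', function (Request $request) {
    return view('auth.register', [
        'email'  => $request->query('email'),
        'action' => $request->fullUrl(), // form posts back to the same signed URL
    ]);
})->middleware(['guest', 'signed'])->name('register.create');

// Step 3: 'signed' on the store route too, so the email cannot be swapped
// between opening the link and submitting the form. Breeze's store() creates
// the user and logs them in, as today.
Route::post('/register/create', [RegisteredUserController::class, 'store'])
    ->middleware(['guest', 'signed']);
```

These routes replace Breeze's default GET/POST `register` pair in routes/auth.php; an unconfirmed address never produces a user row or more than one outbound mail per link request.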

curtsheller

@Snapey It was commented out for some reason (my error). The rest of what you propose - that's above my pay grade and would be awesome if I could do that. Solo programmer and skills are not there.

Thanks.

Curt
