
I'm struggling to write a secure sign-up form for my website. (My site is some kind of an image gallery. I have knowledge of HTML, JavaScript, MySQL and PHP.)

I know there is a tactic to secure login forms by checking and storing the failed login attempts, but do I need to protect my sign-up form in the same way? (Is it a stupid idea to log sign-up submissions and ban IPs if someone sends too many requests?) Will someone "spam register" my sign-up form? Is it a common attack?

At first I was thinking about using ReCaptcha, but many sites say it's not necessary in this case and it's very annoying for normal (human) users.

My second thought was a database table storing user IPs and sign-up attempts, to prevent too many registrations, but isn't that 'too much' security? (My main concern about this is the constant database checking/writing process, because it uses resources.)

PS: my system sends an e-mail confirmation request before letting users in, but unconfirmed users will still be registered in the database, so (if I want to) I can register hundreds of fake users (with some kind of automated program) just for fun, which is bad.

Catso

2 Answers


You may want to try Invisible ReCaptcha. It should be the best compromise between security and convenience. Normal ReCaptchaV2 is also simple enough, if you need more security.

Peter Harmann

Spam today is provided as a service - the client pays their money and a distributed network of spammer-controlled machines does the work. They additionally use proxies to further diversify their IPs.

On a forum I run, whenever we weaken our captcha for any reason, we get 50-100 spammers in a day; they come from 50-100 different IPs, even though we permit multiple registrations from one IP. Blocking them doesn't seem to do anything (and occasionally ends up locking out some legit users). One spambot will not try for hours to register from the same IP, or to register a hundred accounts from it.

ReCaptcha v2 is reasonably resistant to spambots. The only solution we found that completely blocks out automated spam is a text entry quiz on our site rules - but that's certainly unnecessary for an image gallery. It could be useful as a backup for users that can't get ReCaptcha working.

Limiting the number of consecutive registration attempts from the same IP can still be useful, even if only against kiddie scripts. Just keep the lock-out period reasonably short, and you can just delete the IPs once it expires. For logging the attempts, a simple text log should suffice.

ZOMVID-21
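A minimal version of the short per-IP lock-out the second answer describes (a small attempt window, a short lock-out, records dropped once they expire, a plain text log instead of a database table), added here as an illustration and not code from either poster. It assumes an in-process table, an injectable clock and constructed IP addresses so it can be replayed offline.

```python
import time
from collections import defaultdict, deque


class SignupRateLimiter:
    """Allow at most max_attempts sign-up submissions per IP within window_seconds;
    an IP that exceeds that is locked out for lockout_seconds, then its record is dropped."""

    def __init__(self, max_attempts=5, window_seconds=600, lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                   # injectable so the demo below is deterministic
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent submissions
        self.locked_until = {}               # ip -> time at which the lock-out expires
        self.log = []                        # lines you would append to a text log file

    def _prune(self, now):
        # Drop expired lock-outs and stale attempts so the table never grows unbounded.
        for ip in [ip for ip, t in self.locked_until.items() if t <= now]:
            del self.locked_until[ip]
            self.attempts.pop(ip, None)
        for ip in list(self.attempts):
            q = self.attempts[ip]
            while q and q[0] <= now - self.window:
                q.popleft()
            if not q:
                del self.attempts[ip]

    def check(self, ip):
        """Return True if a sign-up submission from ip may be processed now."""
        now = self.clock()
        self._prune(now)
        if ip in self.locked_until:
            self.log.append(f"{now:.0f} {ip} DENIED locked until {self.locked_until[ip]:.0f}")
            return False
        q = self.attempts[ip]
        q.append(now)
        if len(q) > self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            del self.attempts[ip]
            self.log.append(f"{now:.0f} {ip} LOCKED after {len(q)} attempts in {self.window}s")
            return False
        self.log.append(f"{now:.0f} {ip} ALLOWED attempt {len(q)}/{self.max_attempts}")
        return True


def demo():
    """Replay constructed submissions (documentation IPs, fake clock) through the limiter."""
    t = [1_000_000.0]
    rl = SignupRateLimiter(max_attempts=3, window_seconds=60, lockout_seconds=120, clock=lambda: t[0])
    results = []
    for _ in range(4):                          # burst from one IP: 3 allowed, 4th triggers lock-out
        results.append(rl.check("203.0.113.5"))
        t[0] += 1
    results.append(rl.check("198.51.100.9"))    # a different IP is unaffected
    t[0] += 130                                 # lock-out has expired, record is pruned
    results.append(rl.check("203.0.113.5"))
    return results, len(rl.locked_until)
```

Running `demo()` yields `([True, True, True, False, True, True], 0)`: the fourth burst submission is refused, and after the lock-out passes the IP is served again with no leftover state.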