We launched our production Pro Sites website today at https://toursoft.co. After sending out our initial announcement email, we realized that we have a problem – there is a huge potential for orphaned and spam sign ups even when requiring a credit card up front.
The debate between "no credit card up front, yes credit card up front" for a free trial will never end. We actually prefer the "Require credit card up front" and have been excited that Pro Sites is actually designed this way. The reason, like so many others that prefer this approach, is because it saves us so much time by not investing in sign ups who aren't serious.
But, as I said above, there is a problem with the sign up process.
If a person signs up for an account and either does not put credit card information in or puts in invalid credit card information, that person's WordPress account is created, and so is their website, which is held for 48 hours. We don't know what happens to the reserved URL after 48 hours (Can you tell us? Is it just deleted?) but we do know after talking to WPMU Dev support on a related issue that the WordPress Account remains indefinitely.
We believe this should be regarded as a bug.
One of the reasons we chose Pro Sites is, again, because we actually wanted to require a credit card up front. Most importantly for our small 3-man team, this would remove the hassle of having to deal with spam sign ups – a valid credit card immediately ensures that there is a legitimate person with a valid interest in our product sitting at the keyboard.
As Pro Sites is currently designed, there is no security benefit, and not only can we be bombarded by fake accounts but, as I write, we're already experiencing many of them. Even if it is a legitimate interest and for whatever reason they don't come back, those are unnecessary accounts clogging the system that have to manually be dealt with.
We see two possible ways to fix this:
1) Do not create a WordPress User account before a credit card is validated. This would also prevent URLs from being reserved. There would be no need to hold anything for 48 hours – either the credit card works and a user account and site is created, or nothing at all is created.
2) Treat the WordPress user accounts that are created as "Reserved" also. This will still allow a client 48 hours to provide a valid credit card. If they do not provide a valid card in that time frame, then the WP user account that was created should also be deleted when the reserved URL is deleted. This would provide the missing security benefit of thwarting spam by associating WordPress user accounts with valid credit card entries.
If someone is just going to sign up and abandon the purchase process, there is no reason to ever have these people as part of the system. And manually having to find them and delete them is just too much of a strain on labor resources.
Developer to Developer, you may already have something in place to help with this. Do you have any action hooks we can tap into when a site removes the reserved URL so we can programmatically automatically delete the user that created it?
Taking it a bit further, this could be an option in Pro Sites – a checkbox if you will: "Also delete user accounts when reserved URLs are deleted?"
I think this simple bit of logic would vastly improve the usability of the plugin.