ActiveLayer Blog

WordPress Tutorials, Tips, and Resources to Help Grow Your Business

ActiveLayer for AffiliateWP, native spam protection for the affiliate registration form

Introducing ActiveLayer for AffiliateWP

Posted on Written By: ActiveLayer Team

AffiliateWP spam protection comes down to one form: the affiliate registration page. It stays open to strangers by design. Anyone can load it, type a name and an email, and apply to your program. Bots count on it.

Fake affiliates do more than pad a list. They poison your referral stats, fish for coupon codes, and clutter the affiliate dashboard you use to run the program. Every junk application is another row you review by hand, and another approval queue you stop trusting.

The usual answer is a CAPTCHA. AffiliateWP ships a honeypot and one optional puzzle, and no native Akismet or CleanTalk hook on that form. So the bots that learned to read CAPTCHAs walk right through, and the people who hate them quietly give up.

There is a better place to catch them.

Today, ActiveLayer ships native spam protection for AffiliateWP. Every affiliate registration is scored by AI on the server, before the affiliate row and the WordPress user are ever created. No puzzles. No checkboxes. Real applicants never see a thing.

Get Spam-Free AffiliateWP →

How ActiveLayer stops AffiliateWP registration spam

1. The public affiliate registration form

Your affiliate registration form is the one page that has to stay open to strangers. That is the whole point of it, and exactly why bots target it. The fields are predictable, the URL is public, and a successful submit creates a real affiliate and a real WordPress user. A registration form is a chokepoint. So we guard it.

When someone applies to your program, ActiveLayer scores the submission on the server in the same request. The check is synchronous, so the verdict comes back before AffiliateWP creates the account. A clean application goes through untouched and the affiliate is created as normal. A spam application is stopped cold: the form re-renders with an inline error, and no affiliate row and no WordPress user are ever written.

A few details we cared about:

  • ActiveLayer runs after AffiliateWP finishes its own validation, not before. If AffiliateWP already rejected the submission with its honeypot, its CAPTCHA, or a bad email, we don’t waste an API call second-guessing it.
  • It covers both render paths. Whether your registration form comes from the [affiliate_registration] shortcode or the block-based form, the same hidden signal fields and the same gate apply.
  • The blocked applicant sees a plain message, “Registration blocked: your submission was flagged as spam.” No stack trace, no clue about what tripped it.

And the scope, stated plainly: this release protects your public affiliate registration form, full stop. The affiliate login form, AffiliateWP add-on registration forms (WPForms, Gravity Forms, the other builders), and affiliates that get auto-registered when you let new WordPress users become affiliates automatically are out of scope for this release. We started at the front door on purpose. The registration form is where affiliate spam begins, and a bot that never gets an affiliate account never reaches your dashboard. This release does not score referral or coupon fraud, either. That is a separate problem from spam, and it belongs to AffiliateWP’s own roadmap.

AffiliateWP affiliate registration form showing an inline error blocking a fake affiliate signup attempt

2. The Submissions log

A spam filter you can’t see is a spam filter you can’t trust. If something blocks a real applicant on your registration form, that is a partner you lost and never heard about. So ActiveLayer shows its work.

Every registration it processes lands in the Submissions log, blocked or clean. Open ActiveLayer → Submissions and each affiliate application is right there. The form column reads Affiliate: followed by the username or email, because there is no named form to point at, just the one global registration flow. You see the verdict, the score, and the signals behind it.

Three things worth knowing:

  • Clean applications are logged alongside the blocks. You get the full picture of who tried to join, not a one-sided list of rejects.
  • If a real applicant ever gets caught, open the entry and report it. ActiveLayer retrains on that signal, so the same mistake gets less likely over time.
  • Each row carries the attempted username or email, so a blocked application is a name you can actually look up, not an anonymous counter.

You audit the door instead of trusting it blindly. That’s the difference between a tool that works and a tool that says it does.

ActiveLayer Submissions log showing a blocked AffiliateWP affiliate registration labelled with the attempted username

Why we built this without CAPTCHAs

An affiliate application is a high-intent moment. Someone decided your program is worth their time. That is a poor time to hand them a puzzle. Drop the CAPTCHA and you keep the applicants it was quietly costing you, the ones who give up rather than count traffic lights.

ActiveLayer does its work entirely server-side. There is no challenge to render, no widget to load, no third party watching your applicants. The plugin drops a few hidden signal fields into the registration form, invisible to visitors, and the verdict happens on our API. Your form looks exactly like it did yesterday.

Three properties matter here:

  • The check is synchronous and runs in the right order, after AffiliateWP validates and before the affiliate exists. A blocked bot never becomes a row in your affiliates table or your users table.
  • It fails open. If our API is slow or unreachable, the application proceeds as if the check passed. ActiveLayer never blocks a legitimate signup because we had a bad afternoon.
  • It does nothing until you connect a key, then it blocks on spam by default. No tracking-only half-measures on account creation, because letting a known bot register would create a real affiliate you then have to clean up.

Most spam tools start by suspecting your visitors. We start from the other direction. Never block a real applicant. Catch the bots at the door.

AffiliateWP registration spam, gone in three steps

Setup is the same shape as every other ActiveLayer install.

1. Install the ActiveLayer plugin. It’s free on the WordPress plugin directory. Activate it like any other plugin.

2. Paste your API key. Sign up at app.activelayer.com for 1,000 free checks, no credit card. Paste the key into the plugin settings.

3. There is no step three. AffiliateWP protection is on by default the moment your key connects. You’ll see AffiliateWP marked Active under ActiveLayer → Integrations, with a single toggle if you ever want to turn it off.

That’s the whole setup. The next bot that applies gets stopped, and you don’t lift a finger.

A note for agencies

One ActiveLayer account covers every client site you run. Every plan includes unlimited sites, and you’re billed by check volume, not by how many installs you manage. Add an affiliate program, drop in the key, done.

That’s the part our agency customers asked us to keep simple. We did.

Pricing

Same plans as everywhere else. Nothing new to buy for AffiliateWP.

  • Free: 1,000 spam checks in total, unlimited sites, full API access, no credit card.
  • Pro: from $5/month for 5,000 checks, scaling up to 250,000. Unlimited sites. Email support.
  • Enterprise: from $149/month for 500,000+ checks, custom SLA, SSO, dedicated support.

One blocked spam run can mean dozens of fake affiliates and a poisoned referral report in an afternoon. The monthly fee costs less than the hours you’d spend cleaning that up by hand.

See Full Pricing →

Get started

Install ActiveLayer, connect your key, and AffiliateWP spam protection is live by the time you finish your coffee. No CAPTCHA to configure, nothing to tune.

Get Spam-Free AffiliateWP →

Already running ActiveLayer on your contact forms? Then there’s truly nothing to do. The same key already turns on AffiliateWP spam protection, on by default, the moment you update.

Questions about your affiliate program’s specific setup? Reach out. We read every message, and our team will help you get this running.

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.