I am using Google recaptcha and also cleantalk to protect the registration spam.
I then tried to create a fake user in my wordpress database which got created successfully. I have email confirmation enabled in wpforo sessions for double optin.
Question is even if the user has not created password by using the email which was sent by Wpforo registration form it still shows in the wordpress database. I know that email id does not exist and there is no way to create the password and that user might never login on the forum but it's polluting my wordpress user database.
The registration and user creation should only be successful after user created the password or clicked on the link sent to the user in the email.
I am not sure double opt in is working here. I want to make sure only genuine users who click on verification link sent to their email will show in my wordpress user database.
Please let me know how to configure / fix this.
How you are tackling it on your (Wpforo forum) site ?
Question is even if the user has not created password by using the email which was sent by Wpforo registration form it still shows in the wordpress database.
All is correct. it doesn't matter the user has confirmed his email or not. The user data should be stored in the database. There is no other way to keep user information and approve him. This is the standard working flow of WordPress user registration.
Moreover, wpForo doesn't have any affection on this process. You should know that the user registration and password creation processes are based on WordPress functions. wpForo only provides nice forms for these actions, nothing else. So if you don't like this, you should open a new support topic in WordPress support forum.