Set Up and Maintain Your Salesforce Organization
          Self-Registration Control



          Control Name

          Self-Registration

          Recommended Configuration

          Delete or disable self-registration, and instead invite new visitors to join the Experience Cloud site.

          Setup > Visualforce Pages > CommunitiesSelfReg: the page should have no profile assigned, should not be referenced, and should not be available for Lightning Experience, Experience Builder sites, and the mobile app (checkbox not checked).

          Control Overview

          This control involves deactivating the self-registration feature and its associated Visualforce components to make sure that new site members can only be added through an authorized, administrator-led invitation process.

          Security Risk If Not Configured

          When self-registration is enabled or left active in the background, any person (or automated bot) on the internet can create a valid user account in your Salesforce org, bypassing your internal vetting and identity verification procedures.

          Threat Scenarios

          An attacker uses a script to mass-register thousands of dummy accounts, which they then use to probe the internal site for vulnerabilities, scrape user directories, or launch a denial-of-service (DoS) attack on your license count.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Uncontrolled account creation leads to license exhaustion, data pollution, and an expanded attack surface, as every new "user" is a potential jumping-off point for exploiting object-level sharing rules.

          Higher Risk When

          The "CommunitiesSelfReg" Visualforce page is still assigned to profiles. It remains a functional "backdoor" that can be reached via a direct URL even if the "Register" button is hidden in the UI.

          Low Risk When

          The site uses reCAPTCHA and a Self-Registration Handler (Apex) that requires manual admin approval before any newly registered account is actually activated.

          Business and Integration Considerations

          Disabling self-registration shifts the burden of user onboarding to your internal team or an automated API-driven invitation system, which may increase administrative overhead but provides superior security governance.

          Recommended Remediation

          Go to Login & Registration, uncheck "Allow customers and partners to self-register," and ensure the CommunitiesSelfReg Visualforce page is not referenced or accessible to any profiles.
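One way to check this remediation against metadata retrieved from the org, as an added example that is not Salesforce's own tooling. It assumes the Metadata API element names `selfRegistration` (Network), `availableInTouch` (ApexPage, taken here to be the "Available for Lightning Experience, Experience Builder Sites and Mobile App" checkbox) and `pageAccesses` (Profile); the profile names and XML are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
PAGE = "CommunitiesSelfReg"

def is_true(node, tag):
    """True when the boolean child element <tag> exists and reads 'true'."""
    return node.findtext(f"md:{tag}", default="false", namespaces=NS).strip() == "true"

def audit(network_xml, page_xml, profiles):
    """Compare retrieved metadata with the control; return a list of findings."""
    findings = []
    if is_true(ET.fromstring(network_xml), "selfRegistration"):
        findings.append("Network: self-registration is enabled")
    if is_true(ET.fromstring(page_xml), "availableInTouch"):
        findings.append(f"{PAGE}: available in Lightning/Experience Builder/mobile")
    for name, xml in sorted(profiles.items()):
        for access in ET.fromstring(xml).findall("md:pageAccesses", NS):
            if (access.findtext("md:apexPage", namespaces=NS) == PAGE
                    and is_true(access, "enabled")):
                findings.append(f"Profile {name}: {PAGE} page access is enabled")
    return findings

# Constructed sample metadata (not from a real org).
XMLNS = 'xmlns="http://soap.sforce.com/2006/04/metadata"'
SAMPLE_NETWORK = f"<Network {XMLNS}><selfRegistration>false</selfRegistration></Network>"
SAMPLE_PAGE = f"<ApexPage {XMLNS}><availableInTouch>false</availableInTouch></ApexPage>"

def profile_xml(enabled):
    """Build a minimal constructed Profile document with one page access entry."""
    return (f"<Profile {XMLNS}><pageAccesses><apexPage>{PAGE}</apexPage>"
            f"<enabled>{enabled}</enabled></pageAccesses></Profile>")

SAMPLE_PROFILES = {
    "Customer Community User": profile_xml("false"),
    # Self-registration is switched off, but the page is still assigned here.
    "Site Guest User": profile_xml("true"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_NETWORK, SAMPLE_PAGE, SAMPLE_PROFILES):
        print("FAIL", finding)
```

The sample reproduces the "Higher Risk When" case: the self-registration setting is off, yet the check still fails because one profile keeps access to the page.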

          Security Health Review Guidance

          Security Health Review identifies "invite-only" access as the primary defense against automated portal exploitation using self-registration, mandating that the "Self-Registration" window only be opened if there is a verified business necessity and a robust bot-detection strategy in place.

           