Question

I am having an issue with my site: there are users accessing it and creating accounts without having a role.

users with no roles

Here we can see user roles is blank. From my understanding someone has found a weakness in our system and has exploited it to create accounts with no roles.

Since the account has no role, does this mean it's not subjected to the rules of any role? Do these accounts have admin access to our site, or would it be closer to anon users?

Is there any basic thing that I could do to stop people with no roles getting in? Or is there a way to see how a user with no role is created (understanding the process would help me fix the problem)?

Edit 1

Version: Drupal 7

Module: User 7.32

Module: LoginToboggan 7.x-1.4


Solution

Users with no roles are how the default "Authenticated user" role is listed. I.e. these have the access level that the system gives the role "Authenticated user".

This by itself is nothing to be concerned about.

If you don't want to allow bots and fly-by users to create accounts, navigate to Home » Administration » Configuration » People » Account settings and under Registration and cancellation, click that only admins can create new accounts.

If you want people to be able to create accounts, but not bots, you need to let the registration process tell bots and humans apart. One of these modules may help:

However, in 2015, bots like XRumer know how to do most CAPTCHAs including math and "warped" letters - you may need to experiment a bit to find a CAPTCHA configuration that works.

But preventing spam registrations is actually the topic of this question: Unknown User Registered into my system
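To check what a blank Roles column actually grants on a given site, the queries below audit the implicit "Authenticated user" role directly in the database. This is an added example, not part of the original answer; it assumes a stock Drupal 7 schema on MySQL with no table prefix, and the list of "risky" permission patterns is illustrative.

```sql
-- Drupal 7 core schema. rid 1 = anonymous user, rid 2 = authenticated user.
-- The authenticated role is implicit: it is never stored in users_roles,
-- which is why such accounts show an empty Roles column.

-- 1. Everything an account with no extra role is allowed to do.
SELECT rp.module, rp.permission
FROM role_permission rp
WHERE rp.rid = 2
ORDER BY rp.module, rp.permission;

-- 2. Permissions that should normally not be granted to every
--    self-registered account (pattern list is an assumption; extend it).
SELECT rp.module, rp.permission
FROM role_permission rp
WHERE rp.rid = 2
  AND (rp.permission LIKE 'administer %'
       OR rp.permission LIKE 'bypass %'
       OR rp.permission = 'use PHP for settings');

-- 3. Accounts holding only the implicit role, newest first.
--    uid 0 is the anonymous placeholder; uid 1 bypasses all permission
--    checks regardless of roles, so both are excluded.
SELECT u.uid,
       u.name,
       u.mail,
       u.status,                                -- 0 = blocked, 1 = active
       FROM_UNIXTIME(u.created) AS created_at,
       IF(u.access = 0, NULL, FROM_UNIXTIME(u.access)) AS last_access
FROM users u
LEFT JOIN users_roles ur ON ur.uid = u.uid
WHERE u.uid > 1
  AND ur.uid IS NULL
ORDER BY u.created DESC
LIMIT 50;

-- 4. Current registration policy (value is PHP-serialized):
--    0 = administrators only, 1 = visitors,
--    2 = visitors, administrator approval required.
SELECT name, value
FROM variable
WHERE name = 'user_register';
```

If query 2 returns no rows, these accounts have only ordinary member access. A burst of rows in query 3 with `last_access` NULL is typical of automated sign-ups that never logged in.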

Licensed under: CC-BY-SA with attribution
Not affiliated with drupal.stackexchange