I might have a problem here… I just noticed that someone has always tried to sign up on my website without activating their account, so I implemented code that will delete their account within 24 hours if not activated, but is there another way to detect bots signing up? I have used a $csrf token to check if that matches the session, but I'm not sure if this is good enough?
Use Google reCAPTCHA. It is meant to prevent submission of bulk data or prevent bots from registering.
A CSRF token is essential to prevent Cross-Site Scripting. It is necessary to prevent phishing. To prevent auto-submission of forms, always use reCAPTCHA.
I guess from my experience, Google reCAPTCHA can be a bit annoying, having to solve puzzles, etc.
reCAPTCHA v3 does not always ask you to solve the puzzle. It only asks you if it doubts your identity as a human. Also, that is the best way to prevent spam and bot submissions. Big sites use it. And I don't see how it is annoying in any way.
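
The two server-side checks discussed in this thread (the session CSRF token and the reCAPTCHA verdict), as an added example that is not part of any post. PHP is assumed from the `$csrf` variable in the question; the score threshold, action name, hostname, function names and sample responses are constructed for illustration.

```php
<?php
// Added example. Threshold, action name, hostname and samples are assumptions.
const MIN_SCORE = 0.5;               // assumed cut-off; tune against your own traffic
const EXPECTED_ACTION = 'signup';    // assumed action name sent by the sign-up page
const EXPECTED_HOST = 'example.com'; // placeholder for your site's hostname

// CSRF check: constant-time comparison of the posted token with the session copy.
function csrf_ok(array $session, array $post): bool {
    $a = $session['csrf'] ?? null;
    $b = $post['csrf'] ?? null;
    return is_string($a) && is_string($b) && $a !== '' && hash_equals($a, $b);
}

// Decide on a decoded siteverify response; anything missing or unexpected fails closed.
function recaptcha_ok(?array $r): bool {
    if ($r === null || ($r['success'] ?? false) !== true) return false;
    if (($r['action'] ?? '') !== EXPECTED_ACTION) return false;
    if (($r['hostname'] ?? '') !== EXPECTED_HOST) return false;
    $score = $r['score'] ?? null;
    return (is_int($score) || is_float($score)) && $score >= MIN_SCORE;
}

// Ask Google to verify the token; returns null on transport or decode failure.
function recaptcha_verify(string $secret, string $token): ?array {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $data = is_string($body) ? json_decode($body, true) : null;
    return is_array($data) ? $data : null;
}

// Constructed siteverify responses so the decision logic runs offline.
$samples = [
    'likely human' => '{"success":true,"score":0.9,"action":"signup","hostname":"example.com"}',
    'low score'    => '{"success":true,"score":0.1,"action":"signup","hostname":"example.com"}',
    'wrong action' => '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    'bad token'    => '{"success":false,"error-codes":["invalid-input-response"]}',
];
foreach ($samples as $label => $json) {
    echo $label, ': ', recaptcha_ok(json_decode($json, true)) ? 'accept' : 'reject', "\n";
}
$session = ['csrf' => bin2hex(random_bytes(32))];
echo 'csrf match: ', csrf_ok($session, ['csrf' => $session['csrf']]) ? 'ok' : 'fail', "\n";
echo 'csrf missing: ', csrf_ok($session, []) ? 'ok' : 'fail', "\n";
```

In a sign-up handler, create the account only when both `csrf_ok(...)` and `recaptcha_ok(recaptcha_verify(...))` return true, and treat a `null` verdict as a rejection.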