diff --git a/server/accounts.js b/server/accounts.js
index 164e4c4..d59b1f3 100644
--- a/server/accounts.js
+++ b/server/accounts.js
@@ -18,6 +18,15 @@ const signup = (connection) => (req, res) => {
 form.parse(req, (err, fields) => {
 if (err) throw err;
+ //prevent too many clicks
+ if (isThrottled(fields.email)) {
+ res.status(400).write(log('signup throttled', fields.email));
+ res.end();
+ return;
+ }
+
+ throttle(fields.email);
+
 //validate email, username and password
 if (!validateEmail(fields.email) || fields.username.length < 4 || fields.username.length > 100 || fields.password.length < 8 || fields.password !== fields.retype) {
 res.status(400).write(log('Invalid signup data', fields));
@@ -56,15 +65,6 @@ const signup = (connection) => (req, res) => {
 connection.query(query, [fields.email, fields.username, salt, hash, rand], (err) => {
 if (err) throw err;
- //prevent too many clicks
- if (isThrottled(fields.email)) {
- res.status(400).write(log('signup throttled', fields.email));
- res.end();
- return;
- }
-
- throttle(fields.email);
-
 //build the verification email
 let addr = `http://${process.env.WEB_ADDRESS}/verify?email=${fields.email}&verify=${rand}`;
 let msg = 'Hello! Please visit the following address to verify your account: ';
@@ -277,6 +277,15 @@ const passwordRecover = (connection) => (req, res) => {
 form.parse(req, (err, fields) => {
 if (err) throw err;
+ //prevent too many clicks
+ if (isThrottled(fields.email)) {
+ res.status(400).write(log('recover throttled', fields.email));
+ res.end();
+ return;
+ }
+
+ throttle(fields.email);
+
 //validate email, username and password
 if (!validateEmail(fields.email)) {
 res.status(400).write(log('Invalid recover data', fields.email));
@@ -307,15 +316,6 @@ const passwordRecover = (connection) => (req, res) => {
 let msg = 'Hello! Please visit the following address to set a new password (if you didn\'t request a password recovery, ignore this email): ';
 let msgHtml = `
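Review bot: The throttled branch answers with `res.status(400)`, but a rate-limited request is well-formed rather than invalid, so 429 is the status a client or proxy expects, in both `signup` here and the matching `passwordRecover` hunk: `res.status(429).write(log('signup throttled', fields.email));`, plus a `Retry-After` header if the throttle window is known. Because `isThrottled`/`throttle` now run before `validateEmail`, the key can be `undefined` or a non-string when the field is absent, so every such request lands in one shared bucket while the same address with different casing or whitespace gets separate buckets; assuming the helpers (outside this diff) expect a string, keying on a normalized value such as `const key = String(fields.email ?? '').trim().toLowerCase();` avoids both. Note also that the key is entirely caller-controlled: a limit keyed only on the submitted email can be used to block a specific address's signup or recovery, and is bypassed by rotating addresses, so pairing it with a per-source limit is worth considering. The enclosing `form.parse` callback continues outside the hunk.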

${msg}${addr}

`;
- //prevent too many clicks
- if (isThrottled(fields.email)) {
- res.status(400).write(log('recover throttled', fields.email));
- res.end();
- return;
- }
-
- throttle(fields.email);
-
 //send the verification email
 sendmail({
 from: `passwordrecover@${process.env.WEB_ADDRESS}`,
diff --git a/sql/drop_everything.sql b/sql/drop_everything.sql
index 6179bad..ab5e2ab 100644
--- a/sql/drop_everything.sql
+++ b/sql/drop_everything.sql
@@ -1,5 +1,5 @@
-DROP TABLE signups;
-DROP TABLE accounts;
-DROP TABLE sessions;
-DROP TABLE passwordRecover;
 DROP TABLE profiles;
+DROP TABLE passwordRecover;
+DROP TABLE sessions;
+DROP TABLE accounts;
+DROP TABLE signups;
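Review bot: The reordered statements still abort at the first table that is already gone, because plain `DROP TABLE` errors on a missing table, so a partially completed earlier run leaves the script unable to finish; `DROP TABLE IF EXISTS profiles;` (and likewise for the other four lines) makes the teardown re-runnable. I assume the new order is reverse dependency order so that foreign keys no longer block the drops; a one-line comment at the top of the file saying so would keep a later edit from re-sorting the lines.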