Enable option to include captcha to prevent spammy emails from being added to a subscriber list.
This is indeed a problem with the current subscription form. I get like 10 spam subscriptions every day on each blog.
The subscription is still in beta so it will be improved in the future. Until then check these simple solutions:
An option for those who get spams is to enable Zapier integration and send subscribers to MailChimp with double op-in enabled.
Another option is for those who are self-hosted.
Connect to your database.
Do a backup for your subscribers table in case of something goes wrong.
Do a select: SELECT * FROM subscribers WHERE subscribed_url != ‘’;
This should select all those who are not spams.
subscribed_referrer might be empty sometimes but subscribed_url seems to always be filled.
So you could simply delete all those that have subscribed_url empty. Do a backup first just to be sure.
DELETE * FROM subscribers WHERE subscribed_url = ‘’;
I feel like step one here should be to just make the signup form smarter. If
subscribed_url is always empty for spammers, then maybe we should not write to the database at all when that’s detected.
I need to test another option here. If it is manually completed by the user,
subscribed_url is never empty. But I’m not sure what happens if a Zap is created and a New Mailchimp Subscriber is set to Create a Subscriber in Ghost. I will test and come back with an answer.
EDIT: It is empty.
But I’m not sure what happens if a Zap is created and a New Mailchimp Subscriber is set to Create a Subscriber in Ghost
In that case the
subscribed_url will not be set. However Zapier integrations use the private API whereas signup’s from the blog itself go via a public subscribe endpoint so there can be different levels of protection for each.
Just a humble suggestion to add to this. Is it possible or wise to add captcha at the ghost sign ins to prevent running bruteforce tools or scripts on it?
Another workaround if you’re self hosted is to implement a wider spam detection system at the DNS level - you can use the Cloudflare free plan to automatically show captchas to users that appear automated. You can also set custom rules for particular endpoints.
Ghost already has built-in brute force protection for signin and password reset
Oh my bad. Wasn’t aware that bruteforce protection is already there. I don’t use cloudflare because of the known complications which occurs when setup by a newbie i don’t want to get locked out of my own home(page).
I was wondering what’s a good way for a newbie like me to block these spams? I’m self-hosted and I get about 20 subscriber error mails from Zapier.
The easiest way would be to replace the subscription form with a Mailchimp form. Until Ghost’s Subscription gets out of beta I recommend this option. This way you will also be GDPR compliant, if you want. Mailchimp has the option to do this.