Add Captcha to Subscriber Form


#1

Enable option to include captcha to prevent spammy emails from being added to a subscriber list.


#2

This is indeed a problem with the current subscription form. I get like 10 spam subscriptions every day on each blog.

The subscription is still in beta so it will be improved in the future. Until then check these simple solutions:

An option for those who get spam is to enable Zapier integration and send subscribers to MailChimp with double opt-in enabled.
Another option is for those who are self-hosted.

Connect to your database.
Do a backup of your subscribers table in case something goes wrong.
Do a select: SELECT * FROM subscribers WHERE subscribed_url != '';

This should select all those who are not spam.
subscribed_referrer might be empty sometimes but subscribed_url seems to always be filled.

So you could simply delete all those that have subscribed_url empty. Do a backup first just to be sure.
DELETE FROM subscribers WHERE subscribed_url = '';

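The cleanup described in the post above, worked through end to end as an added example; this is not code from the thread or from Ghost. It runs against a constructed in-memory SQLite table that models only the three columns the thread names (the real table has more), so it needs no database connection; against a self-hosted MySQL install you would run the same statements through the mysql client after taking a dump. Two things it makes visible that the bare queries do not: a subscriber row created through the private API (the Zapier direction, which a later post confirms leaves subscribed_url empty) is deleted along with the spam, and if the stored value is NULL rather than an empty string (the page does not say which) it is matched by neither the SELECT nor the DELETE. The column names are the thread's; the sample rows and the backup-table name are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for a Ghost "subscribers" table.
# (email, subscribed_url, subscribed_referrer). Whether a private-API
# subscriber is stored as '' or NULL is not stated on the page, so both
# forms are included to show how the two queries treat them.
SAMPLE_ROWS = [
    ("a@example.com", "https://blog.example.com/post-1/", "https://t.co/abc"),  # human signup
    ("b@example.com", "https://blog.example.com/", ""),          # human, no referrer
    ("spam1@example.net", "", ""),                               # bot-submitted
    ("spam2@example.net", "", ""),                               # bot-submitted
    ("zap@example.org", "", ""),                                 # created via Zapier, '' form
    ("zap-null@example.org", None, None),                        # created via Zapier, NULL form
]


def build_sample_db():
    """Return an in-memory SQLite connection holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers ("
        " id INTEGER PRIMARY KEY,"
        " email TEXT NOT NULL,"
        " subscribed_url TEXT,"
        " subscribed_referrer TEXT)"
    )
    conn.executemany(
        "INSERT INTO subscribers (email, subscribed_url, subscribed_referrer)"
        " VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def backup_table(conn):
    """Step 1: snapshot the table before changing anything. Returns rows copied."""
    conn.execute("DROP TABLE IF EXISTS subscribers_backup")  # name is an assumption
    conn.execute("CREATE TABLE subscribers_backup AS SELECT * FROM subscribers")
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM subscribers_backup").fetchone()[0]


def list_real_subscribers(conn):
    """Step 2: the thread's SELECT. Note that NULL != '' is NULL, so a NULL row
    is silently left out of this 'not spam' list as well."""
    cur = conn.execute(
        "SELECT email FROM subscribers WHERE subscribed_url != '' ORDER BY id"
    )
    return [row[0] for row in cur.fetchall()]


def delete_empty_url(conn, include_null=False):
    """Step 3: the thread's DELETE. With include_null=True the NULL form is
    removed too; the default matches the query as posted. Returns rows deleted."""
    if include_null:
        sql = ("DELETE FROM subscribers"
               " WHERE subscribed_url = '' OR subscribed_url IS NULL")
    else:
        sql = "DELETE FROM subscribers WHERE subscribed_url = ''"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def remaining_emails(conn):
    """Whatever survived the delete, in insertion order."""
    cur = conn.execute("SELECT email FROM subscribers ORDER BY id")
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_sample_db()
    print("backed up rows:", backup_table(db))
    print("kept by SELECT:", list_real_subscribers(db))
    print("deleted by DELETE:", delete_empty_url(db))
    print("remaining:", remaining_emails(db))
```

Running it shows that the DELETE removes the Zapier-created row with an empty string alongside the two spam rows, while the NULL row survives both queries; if you import subscribers through the private API, reconcile them with your mailing-list export before running the delete.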

#3

I feel like step one here should be to just make the signup form smarter. If subscribed_url is always empty for spammers, then maybe we should not write to the database at all when that’s detected.


#4

I need to test another option here. If it is manually completed by the user, subscribed_url is never empty. But I’m not sure what happens if a Zap is created and a New Mailchimp Subscriber is set to Create a Subscriber in Ghost. I will test and come back with an answer.

EDIT: It is empty.


#5

But I’m not sure what happens if a Zap is created and a New Mailchimp Subscriber is set to Create a Subscriber in Ghost

In that case the subscribed_url will not be set. However Zapier integrations use the private API whereas signups from the blog itself go via a public subscribe endpoint so there can be different levels of protection for each.


#6

Just a humble suggestion to add to this. Is it possible or wise to add captcha at the Ghost sign-ins to prevent running brute-force tools or scripts on it?


#7

Another workaround if you’re self hosted is to implement a wider spam detection system at the DNS level - you can use the Cloudflare free plan to automatically show captchas to users that appear automated. You can also set custom rules for particular endpoints.


#8

Ghost already has built-in brute-force protection for signin and password reset.


#9

Oh my bad. Wasn't aware that brute-force protection is already there. I don't use Cloudflare because of the known complications which occur when it is set up by a newbie :joy: I don't want to get locked out of my own home(page).


#10

I was wondering what's a good way for a newbie like me to block this spam? I'm self-hosted and I get about 20 subscriber error mails from Zapier.


#11

The easiest way would be to replace the subscription form with a Mailchimp form. Until Ghost’s Subscription gets out of beta I recommend this option. This way you will also be GDPR compliant, if you want. Mailchimp has the option to do this.