Indeed, Ghost Explore (and also ActivityPub) makes easy to collect all Ghost website addresses. That is a trade-off being easily discoverable, and bots or bad actors are not automatically excluded. This is not specific to Ghost, though. Every public list on the internet, that intends to help some sites being visible to bigger audiences can be a source of data for attackers. I think we can’t avoid this. Don’t miss that, those attackers are always mimicking real people, by either using their IPs or faking the requests like a real visit to your website.