Fake sign ups from the sign up page

We are getting sign ups from fake accounts.

First, we installed Clarity to see if we can capture such recordings. These sign ups don’t show up in recordings.

Next, we even unpublished the sign up page.

The sign ups from fake accounts still keep happening.

Is there anything we can do?

These always happen directly and from the sign up page (even when it is unpublished).

I wonder if they’re really coming from your sign-up page, or if the spammers are hitting your magic-link endpoint directly, and just spoofing the referrer. If the sign up page is unpublished, then you should not be getting traffic from it… in fact, it seems like you might be able to safely discard traffic with a referrer that doesn’t exist…

1 Like

I’ve noticed this trend as well. I’ve had my blog online for almost 2 years without any signups at all, and then I’ve had 7 in the last 3 weeks. All of the e-mail domains are from companies with seemingly legitimate companies and websites, but they have nothing to do with what I blog about. They seem highly suspect, plus they’ve all signed up in the last three weeks.

Not sure what the incentive would be for a bad actor to sign up for my blog. Perhaps they are compromised e-mails from a data breach. But even then, what would be the incentive to sign them up for my blog?

I’m wondering whether to delete them or not.

1 Like

I am hoping for some form of official response from the Ghost team. It’s unrealistic to either unpublish the sign up page or delete all members that sign up directly.

Wondering if there is a way to confirm sign ups via email click or captcha?

1 Like

So now I’m really confused. Because the ONLY way to sign up to Ghost natively is to receive a magic link in email and click it. Literally. Users don’t show up in Ghost (unless you created them via API or ran an import or something) without clicking a link.

So… what version of Ghost are you running? Do you have any integrations active? Using Zapier to sync members from somewhere else?

1 Like

Is

If you look at the members one at a time, is there any pattern in where they’re coming from? Seven sign-ups doesn’t sound like all that many - it could be someone shared a link on social media or a forum or sent it to a few friends. This doesn’t sound all that nefarious… I think in your shoes, I’d send them each an email welcoming them to the site and asking how they found you, what their interests are, etc. Maybe you’ll learn something!

I check my members page daily. I delete about 5 to 10 new members per week, and yes, there has been an uptick lately. They’re spammers looking to post SEO links in comments. I check my comments daily as well for comments from new members in case I missed one.

For me, it’s easy to find them because the accounts are usually from Pakistan, India or Vietnam and I know they aren’t looking for my content.

There are pages on the internet – a lot on Medium – of hundreds and hundreds of links to blog signup forms for SEO spammers. That’s where they come from. If you see a signup directly to your signup page, it’s almost certainly safe to delete the account. Real people signup from actual pages on your site.

Thanks for sharing your experience with the fake accounts. Are you determining that they are from India, Vietnam, or Pakistan because of the domain name or is there some other way? I haven’t had any signups post comments so I wonder if there is another motivation for them to sign up?

What is the best way you’ve found to moderate comments? There doesn’t seem to be a way in the Ghost backend to review comments in a convenient view. Thanks for the help.

We’re having the same problem at our site, and it is baffling. Members are showing up in Ghost so clearly they’ve clicked a link somewhere but they’re certainly spam and I get dozens of spam email responses a week. About 1800 spam Members in the last month.

Using Ghost Pro, not self hosted with no integrations or Zapier sync. Does anyone have advice or do we need to figure out adding in a captcha?

Came here to search the same thing.

Fairly stagnant site with no traffic, a sign-up every 1-3 days over the last month or so. All legit domains, all signed in after sign-up. Time on site basically 0 seconds, acquisition always direct.

Email addresses tend to be all USA-based legit businesses, and locations assigned to members always in Europe.

I have comments off so can’t tell if that is the end game or not but it’s becoming a minor frustration.

The location on the Members page shows the country of origin for the IP.

I’m on Ghost Pro, btw.

They usually have a gravatar, which is also a clue because in my experience, most real people don’t. If you click on the member, you get the signup page and source, so you can see if they came from a page of just the form.

The names and icons often are pharma related - pharma spam seems to be in this year.

You genuinely can’t stop them, you just have to keep deleting them, but if you have comments be very vigilant. If you are slow to delete comments, you’ll become a juicier target.

I have just under 1,000 real members, and if I didn’t delete the spam accounts, I’d probably have 3,000.

1 Like
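The signals named in the posts above (a direct sign-up on the bare form page, a gravatar on a brand-new account, a member location outside the site's audience) can be combined into a review queue. This is an added example, not part of the original thread and not Ghost code; the record keys, form paths and audience set are assumptions, and the sample members are constructed. It only flags accounts for manual review.

```python
from urllib.parse import urlparse

# Hypothetical record layout: map these keys from whatever member data you have.
# Every member below is constructed sample data.
MEMBERS = [
    {"email": "ops@acme-widgets.example", "country": "AT",
     "signup_url": "https://blog.example/signup/", "referrer": "", "has_avatar": True},
    {"email": "reader@mail.example", "country": "US",
     "signup_url": "https://blog.example/how-to-bake-bread/",
     "referrer": "https://news.example/thread/1", "has_avatar": False},
    {"email": "friend@mail.example", "country": "DE",
     "signup_url": "https://blog.example/about/", "referrer": "", "has_avatar": False},
    {"email": "info@clinic.example", "country": "US",
     "signup_url": "https://blog.example/signup", "referrer": "", "has_avatar": True},
]

FORM_ONLY_PATHS = {"/signup/", "/subscribe/"}  # assumption: pages that hold only the form
AUDIENCE = {"US", "CA"}                        # assumption: where real readers come from


def signals(member, form_paths=FORM_ONLY_PATHS, audience=AUDIENCE):
    """Return the list of heuristics from the thread that this member matches."""
    hits = []
    # Normalise "/signup" and "/signup/" to the same path before comparing.
    path = urlparse(member["signup_url"]).path.rstrip("/") + "/"
    if not member["referrer"] and path in form_paths:
        hits.append("direct sign-up on form-only page")
    if member["has_avatar"]:
        hits.append("gravatar on new account")
    if member["country"] not in audience:
        hits.append("location outside audience")
    return hits


def triage(members, threshold=2):
    """Queue members matching at least `threshold` signals for manual review."""
    queue = []
    for m in members:
        hits = signals(m)
        if len(hits) >= threshold:
            queue.append((m["email"], hits))
    return queue


if __name__ == "__main__":
    for email, reasons in triage(MEMBERS):
        print(f"REVIEW {email}: {', '.join(reasons)}")
```

No single signal is treated as proof: a real reader can arrive directly or from abroad, which is why one match alone does not queue an account.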

This thread has been around a while and I haven’t seen anyone from staff weigh in, so at the risk of being impetuous, I’m tagging @John and @prschulz to raise awareness.

Is there anything we can do to prevent these spam accounts? I have added the “agree to receive emails” text to my portal form and marked it required, so I’m hoping that will help, but I have other signup forms on my Ghost(Pro) site outside the portal scattered across the site, so I’m not even sure which form they’re coming from (or if they’re even hitting a form in the first place…)

Any advice would be appreciated.

1 Like

Anyone else affected still seeing these stream in?
Receiving about 1 per day, all legit emails, location attributed to Europe, usually Germany or Austria.
Just shut off sign-ups until I can come up with a solution.

Thank you for tagging us in.

We’ve looked at this issue several times, and (as of yet) have been unable to identify a specific pattern that would stop these upfront that wouldn’t also block real sign ups. From the examples flagged to date, these signups have been real inboxes (mostly gmail), that open emails, click links, and log in.

@coffeemonk - Would you mind sending a note to support@ghost.org with a few recent examples from the past week (if you haven’t deleted them) and the total number you’ve gotten over the past week as well? That would be really helpful as we look into this further.

1 Like

I have sent an email with some examples since Jan 13 or so…

volume is not super high, maybe 8–10 per week…

Never had any fake signup on my self-hosted Ghost instance. And I get a lot of bot traffic, but they are all blocked by the Cloudflare proxy. It works wonders (for now).

To follow up, I have not seen any new fake signups since Jan 30th. Not sure if you all did something on your end, or if they just lost interest…

If one has a blog/business that is only marketing to 1 country or region, couldn’t you just ban all the other countries from accessing your website? I know it can still be done with a little effort. I don’t have this issue at all, but one thing I did with Siteground is ban every country that has a strong history of spammers. I don’t know if the functionality really works since my website is hosted with Ghost, which is something I am still very very confused about.

I have Ghost Pro, which says it’s “full hosting”. I am not a tech person nor do I claim to be. But I got hit with a $350 bill from Siteground for this year’s hosting and I thought to myself “wth” and emailed them and said, why do I need this hosting plan for my website if my website is hosted by Ghost directly, or so it says when I read. I said, will there be any negative effect on my website if I cancel my hosting plan with Siteground and just keep my domain registered with you all. They were very blunt and told me if I canceled my hosting plan with them, my website hosted through Ghost Pro would no longer work. They said it’s because of how my website is set up, and they didn’t give one ounce of additional information or explanation. The thing is, it was one of their reps that helped me get my Ghost Pro website up and running when I needed to point my domain held with them to my Ghost Pro website.

If anyone can explain to me if I was misled. If I wasn’t misled, could this be due to how they set it up, and if that is the case could I set it up differently so that I could cancel that bill out without it impacting my website, SEO, authority etc. I just find that it doesn’t make any sense to me that I thought the entire purpose of paying for Ghost Pro was for them to fully host and take care of everything for me and I only needed to have a domain I own to point to my site.

What happened was I have another website hosted by Siteground and for the 1st year it was really cheap. Then when I got my next website’s domain from them, and needed help pointing it to my Ghost Pro website, they did it all for me and switched me to a different hosting plan that allows more than 1 website and then I get hit for the 2nd year cost of $350. I can clearly see it shows 0 traffic in Siteground because I have everything through Ghost and I def have plenty of traffic. I feel like I am being scammed by a reputable company over my lack of education and tech knowledge. Because they were very short with their answer and explanation, and offered me no solution to set it up differently where I could cancel my hosting through them after having things set up differently so my site doesn’t go down.

The reason I went off on a rant about this when it’s not on topic with this thread is that I don’t really know if the country bans that I set up with Siteground are really working or if it just shows that those settings are on yet have no impact. If I am being scammed, someone please let me know so I can contact them and get a solution. I just don’t want my website impacted in any way.

I am experiencing the exact same issue as those above. All accounts that look/sound legit. I run a personal blog that gets little to no traffic (at the moment, fingers crossed!) so there is no way I should be getting 52 members in the space of a couple months.

The solution would be to disable email signup completely. But I spent ages getting my email/subscription system set up, it feels a bit lame to have to take it down.

You’re posting this in an unrelated thread; you should have made a new thread.

I thought Ghost Pro is the name of Ghost’s official managed hosting platform?

If you have Siteground hosting, then that is not Ghost Pro.

350$ hosting is very expensive, why not go with something cheaper like Pikapods? It’s only 2$ instead of 350$. If you want Ghost Pro, then that is on the official Ghost website here.

All of the questions about Siteground should be directed to them.

1 Like