How can I disable "Too many different sign-in attempts" when users try to subscribe?

I have Mailgun set up successfully, but it only intermittently works as new users trying to sign up often receive the error message, “Too many different sign-in attempts, try again in X hours”.

Is there any way to disable whatever is blocking the attempts to subscribe?

For what it’s worth, I’m self-hosting Ghost v5.62.0 via Docker.

That message comes here in the code:

It’s using a module called express-brute, which has options documented here:

The docs show it can be configured with some other options like freeRetries which currently defaults to 2-- a pretty low number.

Someone could contribute a pull request to propose adding a section to config.production.json where values to customize this behavior could be stored.

Right now, it doesn’t appear possible to customize behavior without forking Ghost.

A very simple solution, though, might be to just raise the default value from from “2 free retries” to 3 or 5. It would typically take a lot more tries than that before a brute-force attack to succeed.

This should already be supported:

  "spam": {
    "member_login": { ... }

@vikaspotluri123 I now that it is supposed but there’s a flaw in the documentation.

The configuration for how to configure spamming links to an old version of the config file:

That version doesn’t contain the member_login key, so that part appears to not be configurable.

I’m not sure how to submit a pull request against the documentation, but the issue could be resolved by linking to the same section on the main branch instead:

cc @RyanF to get the docs updated!

Thanks for flagging. The docs have been updated!