I understand the topic isn’t new but I’m wondering if there’s an option to integrate a captcha into the signup process?
The reason I‘m asking is because a bot has been signing up random emails three times each on my self-hosted blog. Most people seem to discard it but some declared it as spam (which it actually is in a way). That hurt my spam rate with SMTP2GO. That‘s also how I noticed since none of the accounts were actually signed up and no other notices were given.
Just want to chime in to say the same thing happened to me, and my emails now go to spam. Most of the sign-ups are to Gmail, so I can’t block the domain.
I really don’t like captchas, but if it prevents something like this, I’m all for it.
Something like Cloudflare Turnstile could be really beneficial to combat this. I wonder if there is a way to integrate it into the theme, to depend on a complete verification before allowing to hit subscribe or something.
It could be integrated into the theme to appear in the footer section, but I’m not sure it can be added to the signup popup window, since that is part of Ghost itself. I’ve been experimenting with the Source theme for a few hours and was able to get Turnstile working in the signup footer, but not in the popup. So that remains a possible point of attack for bots.
On a related note, since bots have been sending subscription confirmation emails through my Ghost site to random Gmail addresses for days, my spam rate in Google Postmaster has taken a serious hit. This seems like a significant issue, and I’m surprised it hasn’t been addressed by the Ghost development team. Any bot can damage your sender reputation by submitting hundreds of fake emails through the signup form.
I don’t have any suggestions on how to add some kind of captcha to the signup form which would be a great feature to include, but one thought that might help mitigate the problem in the meantime is to try and block as many bots as possible from accessing your site in the first place.
For example, if you use Cloudflare, you can do the following things on their Free plan which helps to greatly reduce bot traffic from reaching your site:
Geoblocking by Country
You can actually allow or block certain countries from accessing your site by setting up a security rule on Cloudflare’s free plan (you get 5 rules you can set for free).
I block a lot of countries that unfortunately send a bunch of junk/bot traffic to my site, below are the settings and a few examples of blocked countries.
Enable Bot Fight Mode and various AI bot protection
You can block AI bots if you don’t want your website content scraped up by AI companies, and you can also enable Bot Fight mode for other bots in Cloudflare’s security settings. Here’s my setup.
While the above mitigations won’t stop all bots, it does help to greatly reduce the amount of bot traffic that reaches your site, which might help with your form issues.
Having a captcha option on the sign-up form though would be a more direct approach and welcomed feature (Cloudflare Turnstile would be awesome).
These blocks are IP based. Reducing freeRetries values would help the mitigate the issue without disturbing real members. Maybe writing a detailed document about that is what we need to do first.
Thanks. I understand Cloudflare can help reduce bots but then again, Cloudflare is not for everyone. Especially if it’s just a small fan driven website. A captcha would address the issue at its roots. I don’t see any reasons why it shouldn’t be an option. It’s easy enough to implement as well.
None of these measures counteract this problem. It’s random IPs entering random Gmails into the member signup form. This results in the recipients declaring the email as spam because they never signed up in the first place. This hurts the sender’s reputation. Almost every other website where one can sign up uses some kind of captcha for exactly that reason. I don’t understand why the Ghost team removed this approach. I had to set my site to “invite only” and have to wait it out until my sender’s reputation is in the clear again.
I don’t see why it can’t be, Cloudflare offers some really generous optimization and security features that absolutely almost everybody can benefit from, including small fan driven websites. To me it doesn’t make sense not to have it unless it just breaks some aspect of your Ghost site/configuration, however I agree the problem you mentioned would be better handled at the root, so a captcha on the signup form would be preferable.
However, you could still have both options for even greater bot protection.
If you really want to know, Cloudflare requires completely taking over DNS administration for my domain and that’s something I’m not ready to do because I have other applications connected to it including Mailcow, Listmonk and Mastodon.
That is because Cloudflare IS a DNS provider… They have an easy migrate process to which they transfer everything automatically for you. Just count how many items you have on your current set up, and then count how many is populated on Cloudflare’s side. If all is good, you can complete the process. If not, you can find which one is missing with a simple CTRL+F. If you get cold feet (IDK why you would) you can then hit “Cancel.”
I don’t understand why you’re making Cloudflare out to be a cancer of some sorts.
Yeah, as @KBExit said, Cloudflare is not evil lol. You would just be moving the management of your DNS records from one company (your current DNS provider) to another company (Cloudflare). You can still keep all the same DNS records at Cloudflare, so you wouldn’t lose access to any of your other services (Mailcow, Listmonk, Mastodon, etc.)
The only difference you’d see really is that Cloudflare gives you a ton of performance and security features for free, whereas your current DNS provider probably does not.
Cloudflare is awesome and I recommend everybody that can use it, does. Did I mention it’s free?!
I looked into this and set some environment variables in my docker-compose.yml to the below value, hoping it would reduce the number of signups to one single email with a signup link:
For some reason, it allows for two signups now instead of just one. Before it was five. So that’s an improvement. Does anyone know how to reduce it to one single email per signup though?
Also, I believe I set too many of these to zero. Which is the exact one for signup emails? I know it should be possible to see this in the source code but I’m not a developer.
