You can update the portal without touching core? I assumed the portal was directly tied to Ghost's core and could not be edited.
I was talking about the theme which I wrongly called template. In my case I use "source". No need to touch the core.
Portal is a separate standalone app. While it’s in the monorepo, you certainly can build a custom version and load it instead of the version that automatically ships with Ghost head. Although since Portal makes a LOT of API calls to Ghost, staying in step with any changes made to Ghost core is going to be important for any forks.
I suspect that in the case of a lot of the sign-up spam that Portal isn't actually being used. The spammers are probably just directly hitting the sign up endpoints. Changing portal to include a captcha will annoy your real users, but since spammers are probably not using portal, you probably won't improve much.
If you wanted actual captcha protection for signups, you'd need to edit the endpoint, not just portal.
Heavily dependent on Ghost to implement I suppose. Doesn’t help it’s a small team. I know they’re doing their best though!
I think you’re on to something here. I might try to mess with this and see what I can do.
Good luck! After Cloudflare was down for several hours today, I disabled it and took back control of my DNS. Let's see how much it played a part in this.
To be honest, Cloudflare is pretty solid for security and everything else that goes along with it. Both AWS and Cloudflare have witnessed the same fate. It was one inconvenience. Better than getting DDoSed.
Not if the DDoS lasts less than four hours.
Today's outage told me I have not configured my Cloudflare properly because I was wholly unaffected
We’re seeing the same issue on one Ghost site: a coordinated burst of ~100 automated form submissions per day using a mix of corporate email domains (e.g., campbells.com, similar large-brand domains) and Gmail addresses, including dot-variants (e.g., n.o.n.a.m.e@gmail.com), all originating from the same server infrastructure. Some accounts appear to confirm due to corporate email security scanners, but session replays clearly show bot behavior—rapid page scanning, repeated form submissions within seconds, no real engagement, then rotation. We’ve traced much of this activity to MoltBot-associated infrastructure using NordVPN and Tor exit nodes, which has polluted our membership data and begun to impact sender reputation, forcing us to disable signups and add Cloudflare protections by blocking but do nothing.
I should also add that we’ve been using Cloudflare for 5+ years on this site with all available protections enabled, and it still hasn’t stopped this behavior. Cloudflare’s recommendation is to implement Turnstile, but that raises the question: why isn’t this supported more easily at the Ghost core level—e.g., via a native integration where we can simply add our Cloudflare or Google CAPTCHA keys for signup, contact, and comment forms?
We’ve had to switch our membership to invite-only as a result.
We had to take the same approach and switch to invite-only after our spam rate jumped from 0% to 4% in a single week. When we spoke with Mailgun, they told us we’re not the first Ghost user to report this, which suggests this is a broader issue that needs to be addressed.
This ongoing issue along with being tied to Mailgun for newsletters is one of the few surprising drawbacks of an otherwise excellent platform.
Maybe I’ve just been lucky, but I haven’t had any fake sign-ups since I edited the template and removed all direct signup forms. The only way to subscribe now is by clicking the subscribe button and filling out the pop-up form. Fingers crossed the bots won’t figure that out too quickly.
That said, Cloudflare (free plan) didn’t help in my case either.
Just a note that bots can hit the /members/api/send-magic-link endpoint regardless of theme edits, so removing additional sign up forms is not likely to address the problem.
Obviously not at the root of the problem but unlike Cloudflare, it did help for me and it’s been months since then.
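A defender-side illustration of the points raised in this thread (bots hitting the signup endpoint directly, Gmail dot-variant addresses, bursts from one source): this is an added example, not code from the thread or from Ghost, that collapses Gmail variants to one key and flags source IPs with bursty signups over a constructed sample. The event shape, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of signup events (timestamp, source IP, email), the kind of
# data a site owner could join from a reverse-proxy access log and the members
# list. These values are made up for the example, not real Ghost data.
SIGNUPS = [
    ("2025-11-18T10:00:01", "203.0.113.7", "n.o.n.a.m.e@gmail.com"),
    ("2025-11-18T10:00:04", "203.0.113.7", "no.name@gmail.com"),
    ("2025-11-18T10:00:09", "203.0.113.7", "noname+1@gmail.com"),
    ("2025-11-18T10:00:15", "203.0.113.7", "someone@campbells.com"),
    ("2025-11-18T11:30:00", "198.51.100.2", "reader@example.org"),
]

def canonical_email(addr):
    """Collapse Gmail dot/plus variants so repeated signups map to one key."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def find_variant_clusters(events):
    """Return {canonical: [raw addresses]} for keys seen under 2+ spellings."""
    seen = defaultdict(set)
    for _, _, email in events:
        seen[canonical_email(email)].add(email)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def find_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return IPs that issued >= threshold signups inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(datetime.fromisoformat(ts))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print(find_variant_clusters(SIGNUPS))
    print(find_bursts(SIGNUPS))
```

Flagged keys can feed a review queue or a proxy-level rate limit on the signup endpoint; the thresholds here are illustrative and should be tuned to the site's normal signup rate.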