How to secure your Ghost blog

Want to protect your Ghost site from nonstop sign-up attempts, unwelcome visitors, or AI crawlers? This article introduces a few easy and effective methods to secure your Ghost site.

Use WAF to block annoying bots or visitors

Web Application Firewall (WAF) is a service Cloudflare provides that checks incoming web and API requests and filters undesired traffic based on sets of rules. With WAF, you can block requests based on criteria like country, IP address, URI, or user agent, and even set rate limits for certain requests. You can also customize these rules to suit your needs.

If you identify specific patterns of annoying bots or visitors, you can use Cloudflare WAF to block them. Analyzing your logs can help you identify these patterns.

Please note that to use Cloudflare WAF, you must allow Cloudflare to manage your domain's DNS. While WAF is available to free-plan users with some limitations, such as a cap on the number of custom rules, it still provides sufficient protection for basic needs.

You can refer to Cloudflare's official documentation for more details.

Protect your sign-up and sign-in process

If your Ghost site is flooded with sign-up or sign-in requests within a short period, it can quickly deplete your email quota. Although Ghost has built-in mechanisms to prevent frequent requests from the same email address (e.g., if the same email address requests sign-in or sign-up more than 5 times in a short period, Ghost enforces a 10-minute retry delay), users or bots can bypass this by varying their IP or email addresses.

Two effective ways to prevent this both use Cloudflare's WAF, as mentioned above:

Block requests based on request patterns

If you can analyze your network logs, such as the Nginx access log, you may find patterns in these attack requests, such as a shared IP address or user agent. You can then block them based on these patterns.

Limit request frequency

If finding the patterns of attack requests takes time and you need a quick fix, you can set a rate limit on the sign-in and sign-up API requests. A key part of Ghost's sign-up and sign-in process involves sending users a link via email, which is done through requests to the API at https://yoursite/members/api/send-magic-link/. You can add a rate limit for this API in Cloudflare's WAF. For example, in the following image, I add a rate limit on the sign-in/sign-up API:
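To decide what to put in a WAF rule or what rate limit is reasonable, it helps to measure the traffic to the magic-link endpoint first. The script below is an added example, not code from this article or from Ghost: it parses Nginx combined-format access-log lines (a constructed sample is embedded), keeps only POSTs to /members/api/send-magic-link/, and reports, per IP address or per user agent, the peak number of requests seen in any sliding window, so a single abusive IP and a bot that rotates IPs behind one user agent both stand out. The window and threshold defaults (10 minutes, more than 5 requests) mirror the Ghost retry-delay numbers quoted above and are assumptions you can tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Matches the default Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
MAGIC_LINK_PATH = "/members/api/send-magic-link/"  # Ghost's sign-in/sign-up email endpoint

def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def magic_link_bursts(log_text, key="ip", window_seconds=600, threshold=5):
    """Group POSTs to the magic-link API by `key` ("ip" or "ua"); return {value: peak
    requests within any sliding window} where peak > threshold ("ua" catches IP rotation)."""
    window = timedelta(seconds=window_seconds)
    stamps_by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == MAGIC_LINK_PATH:
            stamps_by_key[rec[key]].append(rec["ts"])
    offenders = {}
    for value, stamps in stamps_by_key.items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):  # two-pointer sliding window
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[value] = peak
    return offenders

def make_line(ip, hms, ua, path=MAGIC_LINK_PATH, method="POST"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [10/May/2024:{hms} +0000] "{method} {path} HTTP/1.1" 201 2 "-" "{ua}"'

# Constructed sample: one IP hammering the endpoint, one user agent rotating IPs, one real user.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", f"12:00:0{i}", "python-requests/2.31") for i in range(1, 7)]
    + [make_line(f"198.51.100.{i}", f"12:01:0{i}", "curl/8.1.0") for i in range(1, 7)]
    + [make_line("192.0.2.10", "12:02:00", "Mozilla/5.0"), make_line("192.0.2.10", "12:02:05", "Mozilla/5.0", "/", "GET")]
)
```

Run it against a real access log with `magic_link_bursts(open("access.log").read(), key="ua")` and `key="ip"`; values that exceed the threshold are candidates for a WAF block or rate-limit rule, and the peak counts tell you how low a limit legitimate readers can tolerate.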

Remove unwanted subscribers

If you want to remove certain subscribers from your subscriber list and prevent them from signing up again, you can create an email blocklist through your email service provider. For example, if you are using Mailgun, you can add addresses to the blocklist by navigating to Mailgun Dashboard => Suppressions => Bounces => Add Recipients. The email addresses on the list won't receive sign-up, sign-in, or newsletter emails anymore.

Block AI Scrapers and Crawlers

You can also use Cloudflare's Bots service to block AI bots from scraping your content; this service is available to users on all plans. You can refer to the official documentation for more details.
