I went looking for a CAPTCHA for my blog. Ghost built one, deleted it, and Cloudflare showed me why.

My own Ghost blog has open signup, so I went looking for a CAPTCHA. Ghost built one and ripped it out. Then Cloudflare Turnstile started reading every visitor's GPU.


A while back I opened my Ghost members list and found that a Fortune 500's worth of executives had subscribed to my blog about self-hosting overnight. Law firm partners, an airport, a company that makes bathtubs, a sitting energy-company CEO. None of them had ever heard of me. What I was looking at is called newsletter bombing: someone feeds a victim's email address into a bot that signs it up to hundreds of forms at once, so the one security alert that matters drowns under a flood of confirmation messages. My open signup form was one of the hundreds the bot walked through. I wrote the whole field guide to it in the Fortune 500 CEO post.

That post ended on a loose thread. Ghost ships with no CAPTCHA and no bot protection on its signup form, and the only fix that actually spares the victim is a challenge on the signup endpoint itself, something like Cloudflare Turnstile, so that no confirmation email is ever sent in the first place. So I went looking for how to bolt one on.

Ghost built one. Then it deleted it.

The short answer in 2026 is that you cannot, not natively. The longer answer is funnier.

Ghost actually built it. In early 2025 an engineer shipped a full hCaptcha flow across about ten pull requests: a captcha service and middleware on the magic-link endpoint (#22014), the hCaptcha widget bolted onto the Portal signup and signin pages, a setting in Admin to switch it on. There was even a bug fix titled "Fixed issue where signup was not always called with hCaptcha", which tells you the gate and the login flow were already stepping on each other during development.

Then at the end of April 2025 another maintainer opened a pull request called Cleanup captcha and ripped the whole thing back out. Service, middleware, Portal widget, Admin toggle, the database migration, the dependency, the tests. The stated reason was two sentences of corporate calm: "We're not moving forward with the captcha feature at this time. Therefore, I'm removing all the related code." An earlier self-hoster PR was closed the same month with the comment "No longer needed."

So the official position today, confirmed on the forum, is that Ghost has no CAPTCHA. The spam story is domain blocking plus network monitoring on the hosted product. If you self-host and want a gate, you bolt Cloudflare Turnstile onto your theme yourself, where it guards the footer but not the signup popup. I closed the tab and went back to my paperwork. Two weeks later I am glad I did, because the gate I was about to install turned out to be frisking everyone's graphics card.

What Turnstile actually asks for now

Cloudflare sold Turnstile as the privacy-friendly alternative to Google's reCAPTCHA. The launch copy said it never looks for cookies and never harvests data for ad retargeting. That was the whole pitch. You get bot defense without the surveillance tax.

On 30 May 2026 a security researcher who writes as lanodan documented what changed. Turnstile had started demanding consistent, fingerprintable data out of WebGL. It queries your GPU vendor, the renderer string, the driver version, the supported extensions, and the pixel-level output of hidden rendering calls. Together that is a device identifier that survives a cookie wipe and a VPN switch. The post went to the top of Hacker News at 779 points within a day, which is usually a sign that a lot of people just discovered they were locked out of something.

Locked out is literal. Browsers built on WebKitGTK, and privacy builds like Mullvad and Tor, mask their WebGL details on purpose. Turnstile reads that masking as evasion and loops forever with "WebGL renderer info is spoofed." Turn on Firefox's privacy.resistFingerprinting, the setting Tor Browser ships by default, and you get flagged for "Canvas Randomization Detected." The Firefox behaviour has been documented since Bugzilla 1916271 in 2024: Gecko leaks sanitised GPU characteristics while WebKit and Blink hand back hardcoded strings. Safari mostly sails through, the going theory being Apple's hardware attestation gives it a quiet pass on its own platforms.

The part that removed any doubt about intent is Cloudflare's own diagnostic page, which lanodan quoted directly:

Turnstile uses browser fingerprinting to verify you're human. Privacy tools that block or randomize fingerprinting make your browser look like a bot trying to hide its identity. Temporarily allowing fingerprinting for this site will fix the issue.

Read that again. The privacy-preserving CAPTCHA is now asking the user to switch off their privacy protection so it can identify them. The honest version of the sentence is "please hold still while we take your fingerprint."
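To make the mechanism concrete, here is an added example, not code from the post, from Cloudflare or from lanodan: a collector that gathers the WebGL signals listed above, hashes them into the kind of cookie-independent identifier described, and applies the two checks that a masked browser trips. The function and constant names, the list of generic placeholder strings, the FNV-1a hash and the constructed sample signal objects are all this example's own assumptions; Turnstile's real logic is not public, and this only shows why sanitised or randomised output looks like evasion to such a check.

```javascript
// Added example (not the post's, Cloudflare's or lanodan's code). Names, the
// placeholder list, the hash and the samples are assumptions for illustration.

// Strings a browser hands back when it hides GPU identity on purpose.
// Assumption: a real checker keeps a far longer and more current list.
const GENERIC_GPU_STRINGS = new Set([
  "Mozilla",      // Firefox with privacy.resistFingerprinting
  "WebKit",       // WebKitGTK builds
  "WebKit WebGL",
  "Apple GPU",    // Safari's non-specific renderer string
]);

// FNV-1a 32-bit: a toy stable hash so the block runs without node:crypto or an
// async subtle.digest call. Stability is the point: same signals, same ID.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Browser-only: pull the signals the post names out of a live WebGL context.
// The pure functions below take the resulting object, so they can be exercised
// offline with constructed input.
function collectWebGLSignals(canvas) {
  const gl = canvas.getContext("webgl");
  if (!gl) return null;
  const dbg = gl.getExtension("WEBGL_debug_renderer_info");
  const renderHidden = () => {
    // A hidden draw whose bytes vary with GPU/driver; read one pixel back.
    gl.clearColor(0.2, 0.4, 0.6, 1.0);
    gl.clear(gl.COLOR_BUFFER_BIT);
    const px = new Uint8Array(4);
    gl.readPixels(0, 0, 1, 1, gl.RGBA, gl.UNSIGNED_BYTE, px);
    return Array.from(px).join(",");
  };
  return {
    vendor: dbg ? gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL) : gl.getParameter(gl.VENDOR),
    renderer: dbg ? gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL) : gl.getParameter(gl.RENDERER),
    version: gl.getParameter(gl.VERSION), // API/driver version string
    extensions: gl.getSupportedExtensions() || [],
    debugInfoAvailable: dbg !== null,
    pixelsFirst: renderHidden(),
    pixelsSecond: renderHidden(), // identical draw; should match on a real GPU
  };
}

// Device identifier: the signals joined and hashed. Extensions are sorted so
// enumeration order cannot change the ID between visits.
function deviceIdFromSignals(s) {
  const material = [
    s.vendor, s.renderer, s.version,
    [...s.extensions].sort().join(";"),
    s.pixelsFirst,
  ].join("|");
  return fnv1a(material);
}

// The two verdicts the post quotes; null means "looks like a normal browser".
function maskingVerdict(s) {
  if (s.pixelsFirst !== s.pixelsSecond) {
    // Same draw, different bytes: the browser is adding noise to its output.
    return "Canvas Randomization Detected";
  }
  if (!s.debugInfoAvailable ||
      GENERIC_GPU_STRINGS.has(s.renderer) || GENERIC_GPU_STRINGS.has(s.vendor)) {
    return "WebGL renderer info is spoofed";
  }
  return null;
}

// Constructed sample signals (not captured from any real browser).
const SAMPLE_EXPOSED = {
  vendor: "Google Inc. (NVIDIA)",
  renderer: "ANGLE (NVIDIA, NVIDIA GeForce RTX 3060 Direct3D11 vs_5_0 ps_5_0)",
  version: "WebGL 1.0 (OpenGL ES 2.0 Chromium)",
  extensions: ["OES_texture_float", "WEBGL_debug_renderer_info", "EXT_color_buffer_float"],
  debugInfoAvailable: true,
  pixelsFirst: "51,102,153,255",
  pixelsSecond: "51,102,153,255",
};
// Firefox-with-RFP-style output: generic strings, debug extension withheld.
const SAMPLE_RFP = { ...SAMPLE_EXPOSED, vendor: "Mozilla", renderer: "Mozilla",
                     version: "WebGL 1.0", debugInfoAvailable: false };
// Canvas/WebGL noise: the second identical draw comes back one value off.
const SAMPLE_RANDOMISED = { ...SAMPLE_EXPOSED, pixelsSecond: "52,102,153,255" };

function demo() {
  return {
    exposedId: deviceIdFromSignals(SAMPLE_EXPOSED),
    exposedVerdict: maskingVerdict(SAMPLE_EXPOSED),
    rfpVerdict: maskingVerdict(SAMPLE_RFP),
    randomisedVerdict: maskingVerdict(SAMPLE_RANDOMISED),
  };
}
console.log(demo());
```

Run with `node` and the exposed sample produces an ID that survives a cookie wipe or a VPN switch, because none of its inputs are cookies or addresses; the RFP-style sample trips the spoofed-renderer verdict and the noisy one trips canvas randomisation. Feed the checker the same consistent fake strings every time, as a bot farm would, and both checks pass, which is the asymmetry the rest of this post is about.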

The part that lands on the operator

Here is the bit most site owners have not clocked. If you drop Turnstile on your site, the fingerprinting happens under your domain, in your name. Under GDPR that makes you a data controller for it, at minimum a joint controller alongside Cloudflare: the CJEU's Fashion ID ruling on embedded third-party plugins settled that the site operator answers for data collection that happens on its own pages. "I used a third-party widget" has never been a defence to a regulator, and it is not one here. You shipped a script that takes a persistent, cookie-independent device identifier from every visitor before they are allowed to read your blog. Cloudflare has not publicly answered the GDPR question, and until it does, the compliance exposure sits with the operator, not the vendor.

The economics behind this are not mysterious. Bot operators got good. Headless browsers render real WebGL now, residential proxies launder the traffic, and the cheap signals stopped working. So the anti-bot industry reaches for deeper client-side telemetry, because that is the only ground left where a real device still looks different from a farmed one. The cost of that arms race does not land on the bot farms, who can spoof a consistent fake GPU all day. It lands on the person running Mullvad because they read one too many privacy posts.

I went looking for a bouncer for my own front door after a bot army turned the world's CEOs into fake subscribers on my list. What I found is that the bouncer the whole web is hiring now pats down every guest's hardware on the way in, refuses anyone wearing a privacy coat, and hands the legal liability to whoever owns the door. Ghost spent ten pull requests building that gate and then quietly deleted it with a shrug. From where I sit that looks less like a missing feature and more like the one piece of restraint left in the room.

I will keep my open signup and eat the spam. At least the spammers never asked to read my GPU.
