Disable registrations by default due to spam.

docs/source/siteadmin/deploying.rst

@@ -317,6 +317,9 @@ your own email address and enter a secure password when prompted::
     $ ./bin/gmg adduser --username you --email you@example.com
     $ ./bin/gmg makeadmin you
 
+Public registrations is disabled by default due to automated spam
+registrations. For more details, see ":ref:`enable-registration`"
+
 
 Test the Server
 ~~~~~~~~~~~~~~~

docs/source/siteadmin/production-deployments.rst

@@ -18,28 +18,30 @@ Further Considerations for Production Deployments
 This page extends upon our ":doc:`deploying`" guide to describe some common
 issues affecting production deployments.
 
+.. _enable-registration:
 
 Should I Keep Open Registration Enabled?
 ----------------------------------------
 
-Unfortunately, in this current release of MediaGoblin we are suffering
+Unfortunately, enabling public registrations in MediaGoblin will usually result
-from spammers registering to public instances en masse.  As such, you
+in many thousands of automated spam registrations. Spam accounts will typically
-may want to either:
+remain un-activated, but the volume alone may cause poor performance on your
+site. For this reason, registrations are disabled by default and we recommend
+against enabling public registration.
 
-a) Disable registration on your instance and just make
+Should you choose to enable registration, you can update in your mediagoblin.ini
-   accounts for people you know and trust (eg via the `gmg adduser`
-   command).  You can disable registration in your mediagoblin.ini
 like so::
 
      [mediagoblin]
      allow_registration = false
 
-b) Enable a CAPTCHA plugin.  But unfortunately, though some CAPTCHA
+Alternatively, you may wish to just make accounts for people you know and trust
-   plugins exist, for various reasons we do not have any general
+(eg via the `gmg adduser` command).
-   recommendations we can make at this point.
 
-We hope to have a better solution to this situation shortly.  We
+A further option may be to enable a CAPTCHA plugin. But unfortunately, though
-apologize for the inconvenience in the meanwhile.
+some CAPTCHA plugins exist, for various reasons we do not have any general
+recommendations we can make at this point. We hope to provide a better solution
+to this problem in the future.
 
 
 Confidential Files

docs/source/siteadmin/relnotes.rst

@@ -44,6 +44,7 @@ This chapter has important information about our current and previous releases.
 - Remove Debian 10 development Dockerfile (BenSturmfels)
 - Document running multiple MediaGoblin instances on one server (Ben Sturmfels)
 - Begin conversion from jQuery to vanilla JS (Ben Sturmfels)
+- Disable registration by default due to spam (Ben Sturmfels)
 
 **Bug fixes:**
 

mediagoblin.example.ini

@@ -27,8 +27,9 @@ email_debug_mode = true
 # email_smtp_host = ""
 # email_smtp_port = 0
 
-# Set to false to disable registrations
+# Set to true to enable registrations. We recommend reading "Should I Keep Open
-allow_registration = true
+# Registration Enabled?" in the production deployment documentation first.
+allow_registration = false
 
 # Set to false to disable the ability for users to report offensive content
 allow_reporting = true

mediagoblin/config_spec.ini

@@ -50,7 +50,7 @@ email_smtp_pass = string(default=None)
 
 
 # Set to false to disable registrations
-allow_registration = boolean(default=True)
+allow_registration = boolean(default=False)
 
 # tag parsing
 tags_max_length = integer(default=255)