ICYMI: New Ghost changes

A run-down of what's new in Ghost

ICYMI: New Ghost changes

Happy Friday! Here's a run-down of some recent and upcoming changes in Ghost that you might have missed. Some mine, some the work of others, most the work of the awesome Ghost dev team.

The "Super" editor

New permissions for editors to make managing your members and their comments easier! (Live in 5.113.) I wrote about it here:

Introducing the “Super Editor”
Editors who can manage members? Yes, please!

More strings for translating

I found and wrapped a couple missing strings for translation. You can now submit translations for:

  • The CTA in email newsletters
  • The "Add a personal note" on Stripe donations
  • Publication dates in newsletters. (Actually, you don't need to submit anything, but they'll be localized.)

If you're seeing English anywhere except in theme-provided strings, it might be that your language is missing some translations. Contributions welcome!

If you're going to contribute new strings, please:

  • Check for an open PR in your language that might already be doing so.
  • Make sure that your Github notifications are on and going somewhere you'll see them, in case there are questions about your submission. Most submissions need a round of revisions, so this is not submit-and-forget. If you don't respond to comments/questions, your stuff won't get merged.
  • If your PR hasn't had at least a comment from me after a couple weeks, please feel free to @ me. (I'm @cathysarisky over on Github.) I can't merge your translations, but I can check them over and ping (nag) someone on the Ghost team once it's ready to go.

There was an error in the Ghost admin panel that limited featured image alt text to 125 characters. This change by Kai McFarlane brings the admin panel in line with what the API was doing. It still isn't long enough, according to Peter at Disability Debrief, but at least it's a little better.

Ongoing spam fighting: you need to update if self-hosted

Ghost team patched another attack vector for spammers making accounts on Ghost sites. If you haven't updated to at least 5.110.3 and are self-hosting, it's time. These attacks are bad, because tons of bogus magic links may be interpreted by your SMTP server provider as spam, which can endanger your ability to send legitimate email. Lots of discussion of what domains to block on the Ghost forum.

The recent problems might be a good argument for self-hosters not to use Mailgun for transactional email. Sure, it's convenient, but if sign-up spam goes through Mailgun, you risk your newsletter account.

I've said it before: Self-hosting is not for wimps.

2FA for staff is here!

Two-factor authentication is live on my Ghost Pro site, although I haven't seen an announcement yet. Super exciting. As I understand it, the slider determines whether staff users have to log in with 2FA each time, but even with it off, they'll have to do 2FA occasionally. 2FA uses the staff member's listed email, so make sure your site can send email and you have correct addresses in the system for your staff members.


Those are the changes I'm excited about! What did I miss?