Registration
Registration and posting settings live at Admin → Permissions. Anti-spam settings live at Admin → Anti-spam.
Registration
Section titled “Registration”Allow public registration
Section titled “Allow public registration”When enabled, anyone can create an account. When disabled, registration is closed — the sign-up form is not shown and the API returns a 403. Admins can still create accounts manually from Admin → Members → New member.
Default: enabled.
Require email verification
Section titled “Require email verification”When enabled, newly registered users must click a confirmation link sent to their email address before they can post. The account is created immediately but posting is blocked until verification is complete.
This setting only works if email delivery is configured. See Email setup.
Default: enabled.
Minimum account age to post
Section titled “Minimum account age to post”The number of hours a new account must exist before the user can post. 0 means no minimum. Maximum is 8760 (one year).
This is separate from email verification — both can be active simultaneously. An account that has verified its email but hasn’t reached the minimum age is still blocked from posting.
Default: 0 (no minimum).
Posting
Section titled “Posting”These settings are on the same Admin → Permissions page as registration.
Allow guest browsing
Section titled “Allow guest browsing”When enabled, non-logged-in users can read the forum — browse spaces, view posts and replies. When disabled, guests are redirected to the login page immediately.
Default: enabled.
New users can post immediately
Section titled “New users can post immediately”When enabled, new users’ posts go live immediately. When disabled, new user posts are placed in a pending approval queue for a moderator to review before they appear on the forum. The queue is visible at Admin → Moderation.
Default: enabled (posts go live immediately).
Allow self-reactions
Section titled “Allow self-reactions”When enabled, users can react to their own posts and replies. When disabled, self-reactions are blocked.
Default: enabled.
Max posts per hour
Section titled “Max posts per hour”Per-user rate limit on new posts. 0 means unlimited. Maximum is 100.
Default: 0 (unlimited).
Who can create spaces
Section titled “Who can create spaces”Controls which roles can create new spaces (sub-forums) from the frontend.
| Option | Who can create spaces |
|---|---|
| Admins only | Only admin accounts |
| Moderators and admins | Moderators and admins |
| All members | Any logged-in member |
Default: Admins only.
Who can upload images
Section titled “Who can upload images”Controls which roles can upload images when composing posts and replies.
| Option | Who can upload |
|---|---|
| Admins only | Only admin accounts |
| Moderators and admins | Moderators and admins |
| All members | Any logged-in member |
Default: All members.
Question posts
Section titled “Question posts”When enabled, users can mark a post as a question. The original poster (or a moderator) can then mark a reply as the accepted answer, which pins it below the question.
Default: disabled.
Public media tabs
Section titled “Public media tabs”When enabled, any user can view the Media tab on another user’s profile, showing all images they’ve uploaded. When disabled, users can only see their own media tab.
Default: disabled.
Account deletion — content handling
Section titled “Account deletion — content handling”Controls what happens to a user’s posts and replies when they permanently delete their account.
| Option | Behaviour |
|---|---|
| Anonymise content | Posts and replies remain but show as “Deleted User” |
| Delete all content permanently | All posts and replies are removed |
Default: Anonymise content.
Anti-spam
Section titled “Anti-spam”Found at Admin → Anti-spam.
Registration rate limit
Section titled “Registration rate limit”Every IP address is limited to 5 registration attempts per 60 seconds. This is always enforced and cannot be disabled.
Honeypot
Section titled “Honeypot”A hidden form field (_hp) is present on the registration form but invisible to real users. Any registration submission where this field is non-empty is blocked silently. This catches the majority of simple bots that fill every field. Always active, no configuration needed.
Disposable email blocking
Section titled “Disposable email blocking”Registrations using known disposable email domains (mailinator.com, 10minutemail.com, guerrillamail.com, and hundreds of others) are blocked automatically. Always active, no configuration needed.
Username heuristics
Section titled “Username heuristics”Usernames are checked for bot-typical patterns and blocked:
- Contains a URL (
http://,www.,.com,.net,.org,.io) - Ends in 4 or more consecutive digits (e.g.
user849271) - 15 or more characters with no vowels (keyboard mash)
Always active, no configuration needed.
StopForumSpam (SFS)
Section titled “StopForumSpam (SFS)”Checks the registering user’s IP address, email (sent as an MD5 hash), and username against the StopForumSpam database.
Enable SFS check at registration — toggle to enable.
When enabled, two thresholds control when a registration is blocked:
- Frequency threshold — the combined report count across IP, email, and username. Default:
5. - Confidence threshold (%) — the highest confidence score returned across the checked fields. Default:
50.
A registration is blocked if either threshold is exceeded, or if the IP, email, or username is on SFS’s direct blocklist.
SFS fails open — if the SFS API is unreachable, registration proceeds normally.
Blocked registrations are logged and visible under Admin → Anti-spam → Blocked registrations.
Cloudflare Turnstile
Section titled “Cloudflare Turnstile”Adds a CAPTCHA challenge to the registration form using Cloudflare Turnstile. The widget automatically matches the forum’s dark or light theme.
Enable Turnstile CAPTCHA on registration — toggle to enable. Requires a site key and secret key from your Cloudflare dashboard.
- Site key — public key embedded in the frontend widget. Safe to expose.
- Secret key — private key used for server-side verification only. Never sent to the browser.
Get your keys at dash.cloudflare.com → Turnstile. When creating the widget, add your forum’s domain as an allowed hostname.
Turnstile fails open — if Cloudflare is unreachable, registration proceeds normally.
New account DM lockout
Section titled “New account DM lockout”New accounts must reach a minimum age before they can send direct messages. The default lockout is 24 hours. Admins and moderators are always exempt.
The duration is configurable from Admin → Registration → New user DM lockout. Set it to any number of hours from 0 to 8760 (one year). Setting it to 0 disables the lockout entirely — all accounts can send DMs immediately after registering.
When a new user attempts to send a DM while the lockout is still in effect, the message composer is replaced with a clear message stating that DMs are temporarily restricted and showing exactly how many hours remain before they can send.
Mark as spammer
Section titled “Mark as spammer”From Admin → Members, any user can be marked as a spammer. This bans the account, deletes all their posts, replies, and DM threads, and revokes all active sessions in a single operation. It cannot be undone.
Composition analysis
Section titled “Composition analysis”Found at Admin → Anti-spam → Composition analysis.
Analyses how posts are written — typing speed, keystroke patterns, and paste events — to detect automated or bot-generated content. Only applied to new users; established members are exempt.
- Enable composition analysis — toggle to enable detection.
- Report-only mode — when enabled, suspicious submissions are flagged and logged but not blocked. Useful for calibrating the detection before enforcing it.