My site is being flooded with password reset requests

In my case, I’m getting flooded with automated “password reset” requests. Given that everything but my username is private in my instance, the /about page is the only place where bots can get my username and perform a password reset request.

It’s not a big deal in general, but I’m using Discourse for a small project and I’m using free-tier transactional e-mails: it might seem silly, but automated requests count against the quota.

In general, I would like to make all the user and content related data hidden from the outside world (bots included). It seems to me that the about page is the only thing I don’t have (easy) control over.


What’s your setup? Can unregistered users see the forum without logging in, and every category is private? :thinking:
I’m wondering what you mean by “everything is private” since the /about page isn’t accessible if “login required” is enabled.


HA! That one I missed :slight_smile: I probably set up my instance wrong: that was not checked, but I restricted visibility of users, groups and categories from the public. Thank you, I guess my use case is covered.


Hi @ale-re and welcome to meta! I moved your post into its own topic so we can look into it a bit more closely. How many password reset requests are you seeing? Is it only your account that is being targeted?

What you are describing seems a bit weird because there’s no particular benefit to bots requesting a password reset, since it just sends an email to the account owner.


I think when the hide_email_address_taken site setting is enabled, you can only reset the password by entering the email address. In this case, knowing the username no longer helps. This setting was recently enabled by default. If it isn’t already enabled, enabling it could be helpful to prevent the resets.


We also rate limit everything so the likelihood that this would become an overwhelming problem is quite small, even if someone wanted to be really annoying.

Do let us know @ale-re if you can recall how many unwanted password reset emails appeared in your inbox.
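The two replies above describe two controls: the hide_email_address_taken setting (a reset can then only be triggered by entering the account's e-mail address, so a scraped username is useless) and rate limiting. The following is an added example, not Discourse's own code, that models both in a small toy reset endpoint so the difference is visible: the legacy mode looks up users by username or e-mail and tells the requester whether a match existed, while the hardened mode matches only an exact e-mail address and returns the same generic response either way. The class and method names (ResetService, request_reset), the per-client request limit, the user records and the IP address are all constructed for the illustration.

```python
# Added illustration, not Discourse code: a toy password-reset endpoint in the
# two modes discussed in the thread, plus a per-client request counter standing
# in for rate limiting. Users, addresses and limits are constructed sample data.
from collections import defaultdict

GENERIC_RESPONSE = "If an account matches, a password reset email has been sent."
RATE_LIMITED = "Too many requests, try again later."


class ResetService:
    def __init__(self, hide_email_address_taken, max_requests_per_client=3):
        # username -> email address (constructed sample data)
        self.users = {"ale-re": "ale@example.com", "moderator": "mod@example.com"}
        self.hide_email_address_taken = hide_email_address_taken
        self.max_requests_per_client = max_requests_per_client
        self.requests_by_client = defaultdict(int)
        self.sent_emails = []  # addresses a reset mail was "sent" to

    def _lookup(self, identifier):
        """Return the address to notify, or None if nothing matched."""
        ident = identifier.strip().lower()
        # Username lookup is only honoured in the legacy mode; with the
        # setting enabled a public username gives an attacker nothing.
        if not self.hide_email_address_taken and ident in self.users:
            return self.users[ident]
        for email in self.users.values():
            if email.lower() == ident:
                return email
        return None

    def request_reset(self, identifier, client_ip):
        # Crude fixed-quota limiter: counts requests per client and refuses
        # (without sending anything) once the quota is exhausted.
        self.requests_by_client[client_ip] += 1
        if self.requests_by_client[client_ip] > self.max_requests_per_client:
            return RATE_LIMITED
        email = self._lookup(identifier)
        if email is not None:
            self.sent_emails.append(email)
        if self.hide_email_address_taken:
            # Same answer whether or not an account matched: no enumeration.
            return GENERIC_RESPONSE
        # Legacy mode: the response itself reveals whether a user exists.
        if email is None:
            return "No account found for that username or email."
        return f"Password reset email sent to {email}."


def compare_modes(identifier, client_ip="198.51.100.7"):
    """Run the same request through both modes and return (response, mails sent)."""
    results = {}
    for mode in (False, True):
        svc = ResetService(hide_email_address_taken=mode)
        results[mode] = (svc.request_reset(identifier, client_ip), len(svc.sent_emails))
    return results


if __name__ == "__main__":
    for ident in ("ale-re", "ale@example.com", "nobody"):
        print(ident, compare_modes(ident))
```

With the flag on, a bot that only knows the username gets the generic response and no e-mail is sent, so nothing counts against a transactional-mail quota; the limiter additionally caps how many sends one client can trigger even when it does know the address.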

Hello,
sorry for the late reply. Indeed, it was not an actual problem, just a nuisance. Once I enabled the “login required” option, I didn’t see password reset requests anymore, but I would guess that the number was in the small tens since setting up the forum (a few days, at the time). I don’t have the exact figure.

Not a problem anymore, though.
Thank you!

