I’m using a self-hosted installation of PHPList to manage a newsletter.
Subscribers can be added via a POST to this URL:
https://www.[WEBSITE]/lists/?p=subscribe
It’s presently overrun by bots.
I added this to .htaccess to block this URL
RewriteEngine On
RewriteCond %{QUERY_STRING} ^p=subscribe$ [NC]
RewriteRule ^ - [F]
Now, if you visit the subscription page above it will give a 403 error.
But, you can still add subscribers by using a POST to this URL.
How can I actually block folks from using this URL to subscribe?
I know, I know ‘BuT It’s NOt seLFhOStEd!’ but I just let the pros deal with bots and front that kind of stuff with Cloudflare.
If you’ve privacy concerns you can always have that one thing on a specific subdomain and only enable Cloudflare on that, whilst keeping the rest of your subdomains unproxied.
Alternatively can’t you add a capture (again, giving up a bit of privacy).