Would you disable sign up and just let everybody create?

Hi there!

I have a mini side project (https://thankfulsite.com), which is completely free to use, the only thing people have to do before using it is signing up, verifying their email and then logging in.

You can basically create a thankfulsite (4 pages with customizable pictures, texts and music), get a link a send it to others. An online gift thing.

I got a few suggestions that I should make it smoother by disabling authentication altogether, and yes this is a nice idea but I am worried about bots. I'm using a cheap shared hosting, and bots could shut down my site I guess.

And with authentication comes a profile, where you can see the sites you created, change password etc.

Would it improve the overall usage if I let anybody create sites without logging in? Maybe I could setup some honeypot, custom captcha etc.

Right now my main goal is to get as many users as I can, the only monetization there would be merchandise (T-shirts, mugs from Teespring).
I see this website as a learning project, I'm trying out marketing, managing users, improving UX, selling merch.

Any suggestions are very welcome!

Should I disable authentication?
  1. Yes
  2. No
  1. 3

    Voted no also curios about the analytics, your answer should be there. If people visiting site, clicks to create button and leaves. Then yeah you should move towards another solution. Other than that I don't see the point. If I want to prepare a page I wouldn't mind creating an account.

    1. 1

      I see, thank you for your advice!!

  2. 2

    I voted Yes.

    Your product isn't free if I have to create a profile to use it.

    Even before signing up, you drop tracking cookies from google analytics (a GDPR no-no) and your privacy policy and terms and conditions are in the style of "by continuing, you accept all this" (another GDPR no-no).

    Your privacy policy leads with "one of our main priorities is the privacy of our visitors." then you just told us "I'm using a cheap shared hosting". Those two phrases are mutually exclusive.

    There are quick and effective solutions to the "bot problem", if it even becomes a problem - not so much with failing to comply with legislation.

    1. 1

      Thank you for your detailed answer - much value in there.

      You're right, I will create a Cookie consent before letting GA collect any data.

      The Privacy Policy and Terms of conditions were actually generated by an automated website - although I read through it, I'm not really experienced in this so I didn't know it could be a GDPR problem.

      What would you say about this solution: no sign-up, but when completing the site, users should complete reCaptcha (to make sure they are not bots).
      And in the mean time, expanding the Privacy policy where I let the users know that I use GA and reCaptcha, which can collect data.

      And, of course, create a popup when visiting the site for accepting these policies(?).

      1. 2

        Use something like https://plausible.io/ instead of GA, then you won't need a cookie popup for that. I'm not 100% sure on reCaptcha, you might be able to escape without needing consent on the grounds of it being "essential for security/functionality".

        I'm hoping to operate https://flxs.co.uk without a privacy policy at all, and with minimal plain language T&C's when I have to have them.

        The biggest GDPR failure that almost everyone (even large companies and sites) make is bundling everything into a single "tick" I agree to T&C's and Privacy Policy. You can't do that anymore.

        For example, if you wanted to send marketing and promotional material via email, you would have to two tick boxes. One for "I agree to the general T&C's" and a separate one for "Yeah, you can spam me".

        The UK's GDPR guidelines are full of little snippets like this:-

        where possible you should provide granular consent options for each separate type of processing


        Yes, the whole lot is pretty heavy reading and daunting. We have shitty marketing practices and invasive advertising to thank for that!

        1. 1

          I have heard about Plausible, I will consider using it.

          Man, thanks for all of this info.
          My biggest weakness in my knowledge in businesses is probably law and these kind of things. I like how simple you wrote this info.

          Are you a lawyer btw? Or did you learn all of these from somewhere? Would love to get some recommendations (blogs/books) if you don't mind!

          Anyway, thanks again.

          1. 2

            Not a lawyer, no. 25 years in the web dev game.

            Last 10-15 in senior or consulting roles, so I have to prop my eyelids open with matches and wade through rubbish like GDPR so I have at least a high level overview of what I am consulting about.

            I always try and go direct to the source for information whenever possible. I'm almost exclusively working in the UK and I've previously run my own companies (2 of them over the years) so I've spent a lot of time reading gov.uk, ico.uk and companies house (now part of gov.uk) websites.

            If I have to get something from a blog, I'll always try to find a second or third source to make sure I'm getting balanced information and not just a single persons perspective on a subject.

  3. 2

    Great product. Congratulations.

    Have you thought about AB testing opening up the site but needing to sign up to share vs creating only after registering? Not sure how possible it is, but it'll give you some data on whether sessions convert to signups.

    1. 1

      I see that is a good advice, but if I let anyone create a site, maybe bots and spammers would have an easier work.

      But you got me thinking!
      And thank you! :)

  4. 2

    I voted no, but I think you have some other options.

    You can disable signup, but the pages don't get published until they do. That way people can start playing around with the product, but there is no value in having a bot sign up.

    You can also smooth out the authentication by doing SSO with Google/Twitter/Github/etc. Makes it easier because the user doesn't feel like they need to make yet another username/password combination somewhere.

    1. 1

      Yes you're right, although I've never implemented google auth, I will give it a look.

      Thank you for your feedback!! :)

  5. 2

    try to use reCAPTCHA

    1. 1

      I've read some reddit post about reCaptcha, and a lot of developers hate it for privacy(?) reasons.
      But I will take a closer look, thanks!

  6. 2

    Nice project idea!

    Things to consider regarding authentication:

    • Abuse could also happen with the account system.
    • How would I edit one of my pages without an account? (Let's say I found a typo.)
    • If an email is required for signup, you can use it to contact the user and bring him/her back to the app later (e.g. via a newsletter).
    • If you keep the current system, I'd redirect users to the signup form instead of the login when they click the "Create" button. One click less for new users. Recurring users will be more willing to make that click.
    • It might also work to let your users configure their sites and only prompt them for login/signup when they try to save/share it: "To save your site, please create an account or log in." That way, I can test your site builder right away and can create an account if I like it.

    Other stuff:

    • Do you display a "please support this project" message when the user has successfully created a site? If not, I'd consider adding it.
    • Maybe add a donation option for people who do not want to spend $10+? Something like https://ko-fi.com?
    1. 2

      Really good suggestions! Thanks for your time!!
      I especially liked when you said I should alert them to authenticate once their site is finished.

      1. 1

        You're welcome! I wish you all the best for your project. :)

Trending on Indie Hackers
Acquisition Channel Opportunities: Traffic Sources, Facebook Ads, Live Audio Wars 18 comments Building a business-themed card game 8 comments Product Features: 24 methods to help you prioritize features 6 comments 10K visitors in one day: how I launched a Netflix recommendation app 6 comments I've bootstrapped my two-sided company to $500k ARR, changed our product in 13 days during Covid, and have doubled revenue in 12mo. AMA! 6 comments Founder's Struggle 2 comments