Ghost Release: 5.11.0

TL;DR

Ghost v5.11.0 introduces significant enhancements to membership management with expiring complimentary subscriptions, free trials for tiers and offers, and member attribution tracking. The release also adds webhook security with signature verification, an audit log for administrators to track system changes, and various UX improvements across the admin interface. This update focuses on giving publishers more flexibility in managing their membership offerings while improving security and analytics capabilities.

Highlight of the Release

• Added ability to set expiry dates for complimentary subscriptions
• Enabled free trials for tiers and offers
• Implemented member attribution tracking for signups and conversions
• Added webhook security with signature verification
• Introduced an audit log for tracking system changes
• Added email notifications for member activity

Migration Guide

Webhook Security

If you're using webhooks, you can now enhance security by implementing signature verification:

1. Set a webhook secret in the Ghost admin interface
2. Update your webhook receiver to verify the X-Ghost-Signature header
3. Use HMAC-SHA256 with your secret to verify the signature against the raw payload

Member Attribution

Member attribution is available behind a feature flag. To use it:

1. Enable the member attribution feature flag
2. Attribution data will appear in member lists, post/page lists, and the dashboard activity feed
3. You can filter members by attribution source in the members list

Audit Log

The audit log is accessible from Settings > General > About section. Administrators can:

1. View a chronological list of system changes
2. Filter by event type, resource, or user
3. Search for specific events
4. Access user-specific activity from staff profiles

Email Notifications

New email notification options for member activity are off by default. To enable:

1. Go to your staff profile settings
2. Configure notification preferences for member signups and subscription changes

Upgrade Recommendations

This is a feature-rich minor release that adds significant capabilities for publishers managing memberships and tracking system activity. The upgrade is recommended for all users, especially those who:

• Use complimentary subscriptions and want to set expiry dates
• Want to offer free trials to potential members
• Need better tracking of which content drives member conversions
• Use webhooks and want to enhance security
• Need to audit system changes

There are no breaking changes in this release, making it a safe upgrade from v5.10.x. As always, it's recommended to backup your database before upgrading and test the upgrade in a staging environment if possible.

Bug Fixes

• Fixed empty error CSV file issue for member imports, which was hiding both errors and affected rows
• Fixed content-length header in Explore snapshot to handle Ghost version number changes
• Fixed display of free trial pill in Portal
• Fixed member attribution for subdirectories
• Fixed pagination in audit log table
• Fixed source attribution for staff token API requests
• Fixed bug with free membership price card
• Fixed border radius styling issues
• Fixed dark mode bugs in the UI
• Fixed page actions being stored under incorrect resource type

New Features

Membership Enhancements

• Expiring Complimentary Subscriptions: Publishers can now set expiry dates for complimentary subscriptions, creating time-limited free access for members.
• Free Trials for Tiers and Offers: Added ability to configure default free trial periods for tiers and create custom offers with free trials.
• Comped Member Upgrades: Complimentary members can now upgrade to paid memberships through the checkout flow.

Member Attribution

• Attribution Tracking: Track which content drives member signups and conversions with new attribution data.
• Filtering Options: Filter members by signup and conversion attribution sources.
• Attribution Columns: Added attribution data columns to posts, pages, and member lists.

Audit Log

• System Change Tracking: New audit log feature allows administrators to track changes across the platform.
• Filtering and Search: Filter audit events by user, action type, and resource.
• User Activity Access: Access user activity directly from staff profiles.

Webhook Security

• Signature Verification: Added webhook signature verification using the X-Ghost-Signature header.
• Secret Management: Ability to set and manage webhook secrets for secure integrations.

Other Features

• Email Notifications: Added email notification options for member signups and subscription changes.
• Publication Language: Added publication language to admin site endpoint for i18n handling in third-party apps.
• Staff Invitation for Editors: Editors can now invite staff users directly through the Admin UI.

Security Updates

• Added webhook signature verification using HMAC-SHA256, allowing recipients to verify that webhook payloads are genuinely from Ghost
• Implemented secret handling for webhooks, similar to GitHub's approach for securing webhook communications
• Added X-Ghost-Signature header to webhook requests that contains a hash signature of the payload

Performance Improvements

• Added 60-second timeout to Mailgun API calls to prevent email analytics jobs from getting stuck indefinitely
• Improved dependency structure of member-attribution package
• Extracted context to source mapping logic for better maintainability
• Refactored verification trigger constructor for better testability
• Removed unused dependencies including matchdep
• Removed bluebird catch predicates from API endpoints to prepare for future removal of bluebird dependency

Impact Summary

Ghost v5.11.0 significantly enhances the membership management capabilities of the platform, giving publishers more flexibility in how they acquire and retain members. The addition of expiring complimentary subscriptions and free trials provides powerful tools for membership growth strategies.

The new member attribution features deliver valuable insights into content performance, helping publishers understand which posts and pages drive signups and conversions. This data can inform content strategy and help optimize conversion paths.

The audit log feature improves governance and troubleshooting capabilities, especially important for multi-user teams or sites with complex workflows. Combined with webhook security enhancements, this release strengthens both the operational and security aspects of Ghost.

For developers, the improvements to API endpoints and the removal of deprecated code patterns pave the way for future enhancements while maintaining backward compatibility.

Overall, this release balances new user-facing features with important infrastructure improvements, making it a valuable update for all Ghost users.

Full Release Notes