
Ghost

Open-source publishing platform. Nonprofit-operated. No revenue cut. Self-host or use managed hosting.

Publishing
Open source
Strong
https://ghost.org Reviewed 2026-04-02 Editorial assessment by Mike Schneider — not an independent security audit

What should journalists know about Ghost?

Ghost is what Substack would be if it were open-source, nonprofit-operated, and took zero revenue cut. Publishers on Ghost have collectively earned over $100M in subscription revenue. Ghost's own ARR hit $10.4M in 2024 on roughly 20,000 customers — all reinvested into the product because there are no shareholders. Version 6.0 (August 2025) added native ActivityPub federation, first-party analytics, and 60+ language support. The ActivityPub integration connects publications to Mastodon, Threads, Bluesky (via Bridgy Fed), Flipboard, and WordPress — organic reach without algorithmic suppression. The tradeoff is real: Ghost has no built-in discovery network like Substack's recommendation engine. You build your own audience. That's a feature if you value independence, a limitation if you need network effects. Compared to Beehiiv ($49/month to unlock paid subscriptions), Ghost's Publisher plan at $29/month is cheaper and takes no revenue cut. Compared to WordPress, Ghost is far more opinionated — fewer plugins, less flexibility, but dramatically less maintenance. The nonprofit structure matters: Ghost Foundation is a Company Limited by Guarantee incorporated in Singapore, with a constitution defining charitable objectives. No acquisition risk, no pivot to ads, no enshittification incentive.

Best for

Publications that want full content and revenue ownership. Journalists migrating off Substack who want 100% of subscription revenue. Newsrooms that need a modern CMS with newsletters, memberships, and analytics in one package. Publications that want to federate with the open social web via ActivityPub.

Not for

Writers who rely on platform-driven audience discovery. Solo journalists who want zero infrastructure responsibility and no monthly hosting cost. Publications that need Substack's recommendation network for growth. Anyone uncomfortable with light DevOps if self-hosting.

Security & Privacy

Encryption in transit: Yes (data is scrambled while being sent to their servers)

Encryption at rest: Partial (data is scrambled when stored on their servers)

Data jurisdiction (where servers are located, which affects which governments can request your data): Self-hosted, wherever you host it — full control. Ghost(Pro): servers in the US and EU, operated by Ghost Foundation. Data Processing Agreement available for GDPR compliance.

Security rating: Strong

Privacy policy summary

Ghost the software collects no telemetry — it's open-source and runs on your server. Ghost(Pro): Ghost Foundation stores account and billing data. Member/subscriber data is controlled by the publication owner, not Ghost. No data selling, no advertising, no tracking pixels. Ghost Foundation is a nonprofit with no incentive to monetize user data. Ghost 6.0's native analytics are first-party, privacy-first: no cookies, no external trackers, no third-party scripts. Built on open-source ClickHouse via Tinybird partnership.

How to protect yourself:

Self-host for maximum data control — you own the database, the server, and the backups. Use a custom domain from day one (portable if you switch hosts). Export your content and member list regularly via Ghost's built-in tools. If using Ghost(Pro), understand that Ghost Foundation operates the infrastructure but you own the data and can export anytime. Enable device verification and optional 2FA for all staff accounts. Keep Ghost updated — security patches are frequent. For self-hosted: use Ghost-CLI for automatic SSL via Let's Encrypt, and never run as root.

Open-source with active security response. Nonprofit structure eliminates data monetization incentives. Passwords use bcrypt with salting per OWASP standards. No raw SQL — uses Bookshelf ORM and Knex query builder exclusively. Ghost-CLI runs without root privileges and auto-configures SSL via Let's Encrypt. Login attempts rate-limited to 5/hour/IP. Device verification on new staff logins. Optional email-based 2FA (though CVE-2026-22594 showed a bypass, now patched). Responsible disclosure program at security@ghost.org with defined response timelines (critical fixes within one month). Continuous dependency scanning via GitHub and yarn audit. Several CVEs in 2024–2026 (XSS, SSRF, auth bypass) were all patched promptly. Self-hosting option gives full infrastructure control. No compliance certifications (SOC 2, ISO 27001) claimed by Ghost Foundation directly, though third-party Ghost hosting providers like Elestio hold them.

Who Owns This

Owner: Ghost Foundation (nonprofit, Company Limited by Guarantee, incorporated in Singapore)

Funding: Nonprofit foundation. Originally crowdfunded on Kickstarter (2013). Entirely self-sustaining through Ghost(Pro) hosting revenue — no external donations, grants, or VC funding. ARR reached $10.4M in 2024, up from $6.3M in 2023. Over $8.5M ARR reported as of August 2025. ~35 full-time employees. 100% of revenue reinvested into product development and community infrastructure.

Business model: Open-source software, free to self-host. Revenue from Ghost(Pro) managed hosting subscriptions. Zero commission on member subscriptions (Substack takes 10%). Ghost Foundation reinvests all revenue into development. No shareholders, no investors, no exit incentive. Publishers on Ghost have collectively earned over $100M in subscription revenue.

Known issues

CVE-2024-23724: Stored XSS via unsanitized SVG uploads in profile pictures — allowed low-privileged Contributors to take over Owner accounts. Patched.

CVE-2024-43409: Improper authentication on member action endpoints in versions 4.46.0–5.89.5, enabling unauthorized access to member data. Patched.

CVE-2025-9862: SSRF via oEmbed in versions 5.99.0–5.130.3 and 6.0.0–6.0.8 from improper URL validation. Patched.

CVE-2026-22594: 2FA bypass in versions 5.105.0–5.130.5 and 6.0.0–6.10.3 allowed staff users to circumvent email-based 2FA. Patched.

ActivityPub federation on self-hosted installs is rough: webhook secret errors, JWT auth failures, reverse proxy misconfigurations, and no ARM64 Docker images for the ActivityPub and Traffic Analyzer services. Ghost(Pro) ActivityPub has a 100-interaction-per-day limit. ActivityPub discovery on the front end is minimal — no obvious way for visitors to find or subscribe via federation.

Ghost takes a Node.js-specific approach (requires Node 22, MySQL 8, Ubuntu 24 for production) that limits hosting flexibility compared to WordPress's PHP ubiquity.
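As an added example (not Ghost's or the reviewer's own code), a small Node.js check that a self-hoster can run against the version reported by `ghost version`, comparing it with the affected ranges quoted in the list above. CVE-2024-23724 is left out because the list gives no version range for it.

```javascript
// Added example, not part of the Ghost project. The affected ranges below are
// copied from the "Known issues" list on this page; summaries are shortened.
const ADVISORIES = [
  { id: 'CVE-2024-43409', summary: 'improper auth on member action endpoints',
    affected: [['4.46.0', '5.89.5']] },
  { id: 'CVE-2025-9862', summary: 'SSRF via oEmbed (improper URL validation)',
    affected: [['5.99.0', '5.130.3'], ['6.0.0', '6.0.8']] },
  { id: 'CVE-2026-22594', summary: 'email-based 2FA bypass for staff users',
    affected: [['5.105.0', '5.130.5'], ['6.0.0', '6.10.3']] },
];

// Parse "5.130.3" (an optional "v" prefix or pre-release suffix is tolerated)
// into [5, 130, 3]; anything else is rejected rather than silently treated as safe.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Ghost version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return every advisory whose inclusive [low, high] ranges contain the version.
function affectedAdvisories(version) {
  const v = parseVersion(version);
  return ADVISORIES.filter((adv) => adv.affected.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 &&
    compareVersions(v, parseVersion(hi)) <= 0));
}

// Usage: constructed sample input standing in for the output of `ghost version`.
for (const adv of affectedAdvisories('6.0.5')) {
  console.log(`${adv.id}: ${adv.summary} - update Ghost`);
}
```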

Pricing

Self-hosted: free (you pay for server and email delivery). Ghost(Pro) managed hosting: Starter $15/month (annual) or $18/month (monthly), Publisher $29/$35, Business $199/$239. All plans include 1,000-member base. No per-email charges on Ghost(Pro). 14-day free trial on all plans. Zero platform commission on paid subscriptions — you pay only Stripe processing fees.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
