User Accounts
This section describes the configuration options, plugins, and application settings available to control user registrations, reduce unwanted bot accounts, and integrate with third-party authentication services.
Spam / Bot Accounts
If the application is publicly accessible, automated bots will attempt to create fake user accounts. The following measures help prevent this.
Account Validation (Email Verification)
Require new users to verify their email address before they can log in:
require_validation = On
Set in config.inc.php.
reCAPTCHA
Google's reCAPTCHA can be enabled on registration and login forms. Sign up for a Google account to receive public and private keys, then configure config.inc.php:
[captcha]
recaptcha = On
recaptcha_public_key = your_public_key
recaptcha_private_key = your_private_key
captcha_on_register = On
captcha_on_login = On
recaptcha_enforce_hostname = Off
reCAPTCHA sends visitor data to Google's servers. Depending on your jurisdiction, you may be required to notify users.
ALTCHA
ALTCHA is an open-source, self-hosted alternative to reCAPTCHA. Configure a self-hosted ALTCHA instance, then set the following in config.inc.php:
altcha = On
altcha_hmackey = 'your-private-key'
altcha_on_register = On
altcha_on_login = On
altcha_on_lost_password = On
altcha_encrypt_number = 10000
Honeypot
The pkp-formHoneypot plugin implements a honeypot mechanism to protect registration forms from bots. It is effective against most bots and does not send visitor data to third parties.
Disable Self-Registration
To require all users to be registered by an admin or manager:
- Log in as an admin or manager.
- Go to Users & Roles → Roles.
- Click > next to the Reader role → Edit.
- Under Role Options, uncheck Allow user self-registration → OK.
- Repeat for the Author and Reviewer roles.
Remove / Merge Spam Accounts
User accounts cannot be deleted. Instead, merge them into another account to preserve editorial data. From the application root directory:
# Merge a single spam account
php tools/mergeUsers.php spamaccount spamuser1
# Merge multiple accounts at once
php tools/mergeUsers.php spamaccount spamuser1 spamuser2 spamuser3
# Merge from a file (one username per line)
php tools/mergeUsers.php spamaccount $(cat usernames.txt)
User Invitations (OJS 3.5+)
OJS 3.5 introduced an Invitations toolset covering:
- Email address change requests (with confirmation)
- One-click reviewer access invitations
- GDPR-compliant user account creation
Configure how long a user has to accept an invitation before it expires:
[invitations]
expiration_days = 3
User Uploads
By default, registered users can upload files to a personal user directory (for use in signatures, biographies, or journal settings).
To disable all user uploads:
[files]
public_user_dir_size = 0
The controlPublicFiles plugin provides more granular control over user uploads.
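The settings covered so far (email verification, reCAPTCHA or ALTCHA on the registration form, and the user upload quota) can be checked together against a config.inc.php file. The following is an added example, not part of OJS or of this documentation's original text; it assumes the file parses as standard INI and looks keys up by name without regard to section, and the sample configuration and section names in it are constructed.

```python
import configparser

# Placeholder values printed in the documentation above; finding one means the key was never set.
PLACEHOLDERS = {"your_public_key", "your_private_key", "your-private-key"}

# Constructed sample for illustration, not taken from a real installation.
SAMPLE = """\
; constructed sample config.inc.php
[email]
require_validation = Off
[captcha]
recaptcha = Off
altcha = On
altcha_hmackey = 'your-private-key'
altcha_on_register = On
[files]
public_user_dir_size = 5000
"""

def load_settings(text):
    """Flatten the INI text to {key: value}; section names are ignored (assumption)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return {k: v.strip().strip("'\"") for s in parser.sections() for k, v in parser.items(s)}

def audit(text):
    """Return a list of (key, finding) pairs for the settings this page covers."""
    cfg = load_settings(text)
    def on(key):
        return cfg.get(key, "").lower() == "on"
    findings = []
    if not on("require_validation"):
        findings.append(("require_validation", "email verification is not required"))
    recaptcha = on("recaptcha") and on("captcha_on_register")
    altcha = on("altcha") and on("altcha_on_register")
    if not (recaptcha or altcha):
        findings.append(("captcha", "no CAPTCHA is active on the registration form"))
    secrets = ["recaptcha_public_key", "recaptcha_private_key"] if on("recaptcha") else []
    secrets += ["altcha_hmackey"] if on("altcha") else []
    for key in secrets:
        if cfg.get(key, "") in PLACEHOLDERS | {""}:
            findings.append((key, "key is empty or still the documentation placeholder"))
    if cfg.get("public_user_dir_size", "") != "0":
        findings.append(("public_user_dir_size", "user uploads are enabled"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```

The public_user_dir_size finding is informational: uploads are the default behaviour, and the entry only records that they have not been disabled.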
Single Sign-On
Single sign-on allows users to register and log in using an account from another service.
OpenID
The openid plugin supports any OpenID provider, including ORCID, Google, Microsoft, and Apple.
ORCID
Users can register and log in with their ORCID accounts using the OpenID plugin.
Shibboleth
Shibboleth enables account synchronization and SSO with institutional identity providers. After installing Shibboleth on your server, install the Shibboleth plugin for OJS and follow the plugin's configuration instructions.
Import / Export User Data
User accounts can be imported and exported. See the Import & Export section for details on the Users XML format and CSV export.