Community Feedback Proposal: Anti-Abuse Measure on Free Plan

Hi Bubble community,

We’re reaching out to get input on a new measure on the free plan we’re considering. We value the Bubble community and we want to get your thoughts prior to potential implementation. Recently, we’ve noticed an upswing in bad actors abusing the power of our free plan to create phishing / scam / illegal apps. This trend has been quite troubling for us, but especially for potential victims of these scams. The Bubble team already has a number of “safety nets” in place to proactively flag and take down as many bad actors as we can, but some are still getting through.

These bad actors take advantage of the fact that the Development version (bubble apps with the URL /version-test) of free bubble apps are freely available on the internet. As a result, one option we’re considering is to implement user-generated password protection on the Development version (/version-test) of Bubble apps on our free plan. Note: This feature is currently already an optional setting for all Bubble apps.

The proposal is that for users visiting their Development version via the editor, nothing will change. For people visiting the dev version of a free Bubble app by its URL (/version-test), they will be prompted to enter a password that the app owner specifies. You may notice other web builders (e.g. Wix, Webflow) already do this too.

We know Bubble users on the free plan enjoy the fact that they can share their dev version with friends and family - and we love the fact that you want to show off the amazing stuff you are building! We don’t want to unnecessarily add more friction to this process, but we do believe that password protection will have a real effect on slowing down these bad actors. (It should also be explicitly noted that this is NOT meant to be an upgrade driver, but a means to keep the Bubble platform safe.)

You can share your thoughts on password protection through answering the poll below:

Do you agree with implementing password-protection on development versions of free plan apps to prevent abuse?
  • Yes
  • No

0 voters

Also, if you have alternative ideas on how we can stop free Bubble apps from being abused, we always appreciate your thoughts in the comments. Thank you!


How about requiring a CC on ALL accounts regardless of tier, but not billing on the free plan? Wouldn’t that weed out much of the lowlives out there?


This is a good idea. But the proposal also works.

Yeah not a bad idea. The added friction might harm conversion but would definitely be a deterrent to bad actors. Will float this with the team as well, thanks.


I don’t see any harm in requiring a password on the /version-test URL of free plan apps, but I’m not someone that currently uses the free plan and I’m guessing most people responding to the poll aren’t either. So while I definitely appreciate you checking with the community about a potential change, I worry that this poll may give you a skewed impression if the users responding don’t have any “skin in the game.”

On another note, I’m curious why scammers are taking advantage of the /version-test URL rather than just using the app’s main URL? What am I missing here?


Great question, free plans do not have a Live version, so no main URL. Using the preview functionality for the Development version allows them to essentially work around the lack of a Live mode.

1 Like

How would it work for templates?

I write some Bubble tutorials at and share the preview and editor link for readers. I’d have to share a password for them to view the preview page. It can make things cumbersome.

1 Like

Without committing to anything, I think we can avoid Templates from this requirement as Templates are individually reviewed by our team before they can be published. Are you sharing the editor link & preview from the Template itself or from an app created using the Template?

1 Like

I’m sorry for the confusion. They are two different cases.

The app for tutorials is separate and is not available as a template. Here is a link Beginner's guide to sorting a Repeating Group in and there are links for the editor and preview at the bottom.


If users are taught that they can use prepend the username password in the URL when sharing their apps


Then I suspect, no one will have an issue.

I would like the username/password to be per app, not per account. And be generated on run time when creating a new app or cloning a new app.

I know flywheel hosting does this.



Thanks for clarifying @nick.carroll. With that additional context, perhaps some sort of banner or watermark should be overlaid on the /version-test pages for free plans? I think adding a password would prevent some abuse but what’s stopping a scammer from setting up a simple password and also providing that to their victims? A prominent watermark on the page could provide potential victims with a warning and would have the added benefit of providing some incentive to upgrade from the free plan.

Or perhaps the idea is to have the “password required” screen include some language/warnings to potential victims which would also achieve this goal?

Full support.

Bubble’s reputation is important to all of us.

You only have to make it a bit harder to use your product than your competitors and the scammers will go to the other product.

I’d also recommend dynamic signup pages/inputs so it’s harder to bot your way through signup.

I don’t want Bubble sites getting added to possible scam/spam/junk in web filters. So I fully support anything that will reduce bad actors.


I support the idea of adding some protection to protect the reputation. I am not sure the password is the best solution. I like the idea of a watermark or if there is a way to just limit the visits by unique users per day for free plans. This would a developer to visit/test their page many times as they make edits but ‘detect’ when someone is spamming with the site.

Thanks for running the potential update by the community @nick.carroll!

I wanted to mention one impact of this change on the users of our Canvas template. The way the template works is that once the user creates an app from it, they use the “Run as” functionality to get into the admin portal of the template, which then guides them through the rest of the onboarding process.

If this restriction is implemented, I expect that there will be lots of users who get the template, use “Run as”, and then won’t know what the password is to access the run mode.

I imagine a related issue is that a new Bubbler might start an app, put some stuff on the page, hit Preview and run into the same issue, which could confuse them.

Sounds like the kind of thing that could be addressed with some extra UX around the experience of setting the password.


What about plugin demo pages? What about just creating small apps with non-profit purposes?


Agree. The measure is sound.

However, and also in reference to @nick.carroll post, it’s crucial for me that the user and password are auto filled when hitting the “preview” button or at least stores it in a cookie. Otherwise the design iteration time will be severely slowed down.

Iteration time must not suffer (in my opinion) from additional security measures. There already lots to improve there.

In therms of using a badge, as far as I remember, the free version already have a “made with bubble” badge. Isn’t that enough?

Visit limits or other plan limiting is a really bad solution in my opinion and amount to an upgrade incentives and innovation blocks for seasoned designers and newcomers as well. #restrictioncreep


Same here. More than 100 tutorials with preview, will be required for all app, even if it is created before this update ?

1 Like


I think @sharma.himanshu0608 is right. That’s something that will be annoying in the beginning but I’m willing to deal with it for safety improvements for others.

I have a lot of free apps that I make examples for the forum and it would be impossible to go back to all the old posts and put in a username and password.

Is there any way we can add some instructions in the popup that asks for the username and password?

So we can just tell them what it is from there? So if I being tricked, I would know there was something up but for ones that know it, just giving them instructions on how to log in might be helpful.

Anyways, just a thought. Not sure if that would still be an issue for those bad apples or not. Would it actually still help if this is added?

Another idea, maybe a popup advertisement for Bubble that says “This is the development version for a site made on Bubble” or something like that. Then at least they can click through it without a password? Hmm :thinking: Not sure if that is a good idea or worse. :man_shrugging:t2:

1 Like

Maybe they could do the password effective on apps made after 2022 or something.