diff --git a/CHANGELOG.md b/CHANGELOG.md index e575e36d6..82432daef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,6 +40,7 @@ All notable changes to this project will be documented in this file. - Device type is now determined from the User-Agent instead of window.innerWidth plausible/analytics#2711 - Add padding by default to embedded dashboards so that shadows are not cut off plausible/analytics#2744 - Update the User Agents database (https://github.com/matomo-org/device-detector/releases/tag/6.1.1) +- Disable registration in self-hosted setups by default plausible/analytics#3014 ### Removed - Remove Firewall plug and `IP_BLOCKLIST` environment variable diff --git a/config/runtime.exs b/config/runtime.exs index eb1b91417..0d309932c 100644 --- a/config/runtime.exs +++ b/config/runtime.exs @@ -175,9 +175,17 @@ enable_email_verification = |> get_var_from_path_or_env("ENABLE_EMAIL_VERIFICATION", "false") |> String.to_existing_atom() +is_selfhost = + config_dir + |> get_var_from_path_or_env("SELFHOST", "true") + |> String.to_existing_atom() + +# by default, registration is disabled in self-hosted setups +disable_registration_default = to_string(is_selfhost) + disable_registration = config_dir - |> get_var_from_path_or_env("DISABLE_REGISTRATION", "false") + |> get_var_from_path_or_env("DISABLE_REGISTRATION", disable_registration_default) |> String.to_existing_atom() if disable_registration not in [true, false, :invite_only] do @@ -192,11 +200,6 @@ log_level = |> get_var_from_path_or_env("LOG_LEVEL", "warn") |> String.to_existing_atom() -is_selfhost = - config_dir - |> get_var_from_path_or_env("SELFHOST", "true") - |> String.to_existing_atom() - custom_script_name = config_dir |> get_var_from_path_or_env("CUSTOM_SCRIPT_NAME", "script") diff --git a/lib/plausible_web/controllers/auth_controller.ex b/lib/plausible_web/controllers/auth_controller.ex index 97bc4211f..6719b0b5e 100644 --- a/lib/plausible_web/controllers/auth_controller.ex 
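Review bot: In config/runtime.exs, `disable_registration_default = to_string(is_selfhost)` derives a security-relevant default from a value that has only passed `String.to_existing_atom()`, so any existing atom supplied for SELFHOST flows into the DISABLE_REGISTRATION default, not just `true` or `false`. A value such as `SELFHOST=invite_only` would silently select invite-only registration. Other values would presumably surface as a DISABLE_REGISTRATION error from the `not in [true, false, :invite_only]` check, whose body is outside the hunk. Deriving the default explicitly keeps registration closed unless the instance is clearly not self-hosted: `disable_registration_default = if is_selfhost == false, do: "false", else: "true"`. The added comment could also state that an explicit DISABLE_REGISTRATION still overrides this default, since self-hosted instances that never set the variable will have registration closed after upgrading.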
+++ b/lib/plausible_web/controllers/auth_controller.ex @@ -37,7 +37,10 @@ defmodule PlausibleWeb.AuthController do conn disable_registration in [:invite_only, true] -> - conn |> redirect(to: Routes.auth_path(conn, :login_form)) |> halt() + conn + |> put_flash(:error, "Registration is disabled on this instance") + |> redirect(to: Routes.auth_path(conn, :login_form)) + |> halt() true -> conn
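Review bot: The new flash text `"Registration is disabled on this instance"` is emitted for both `true` and `:invite_only`, but in invite-only mode registration presumably remains possible through an invitation, so the message is inaccurate for that case. Consider choosing the text by value before the pipeline, e.g. `msg = if disable_registration == :invite_only, do: "Registration is by invitation only", else: "Registration is disabled on this instance"`, and passing `msg` to `put_flash`. The enclosing function starts and ends outside the hunk, so which actions this clause guards is not visible here.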