diff --git a/README.md b/README.md
index 7ea53b3..e734e45 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,14 @@ Use `gunicorn -w 2 'flaskr:create_app()'` to run app. Increase the number of wor
 ## Initializing database
 The first time you install the app in each environment, you need to initialize database using `flask --app flaskr init-db`. This only needs to be run once per environment, and **will delete existing database if run again**.
-## Secret key
+## Config file
+
+The config file is located at `/var/flaskr-instance/config.py`
+
+### Secret Key
 Every website with login needs a secret key to hash passwords with.
-`/var/flaskr-instance/config.py` must contain a line `SECRET_KEY = '`, which must be randomly generated.
+The config file must contain a line `SECRET_KEY = '`, which must be randomly generated.
 Suggested way of generating the key is `python -c 'import secrets; print(secrets.token_hex())'`, which returns a hexadecimal string with length 64. You may choose to randomly generate a key using a different method, but ensure that it is resistant to brute-force attacks.
+
+### Registration
+Since this blog is meant to be updated by a limited number of people, registration is forbidden (403) by default. In addition, registration (/auth/register) and login (/auth/login) URLs are not hyperlinked anywhere. Registration can be opened by including `REGISTER = True`, or closed by including `REGISTER = False`, in the config file.
\ No newline at end of file
diff --git a/flaskr/__init__.py b/flaskr/__init__.py
index ed7d989..d3f29f9 100644
--- a/flaskr/__init__.py
+++ b/flaskr/__init__.py
@@ -8,6 +8,7 @@ def create_app(test_config=None):
 app.config.from_mapping(
 SECRET_KEY='dev',
 DATABASE=os.path.join(app.instance_path, 'flaskr.sqlite'),
+ REGISTER=False
 )
 app.wsgi_app = ProxyFix(
diff --git a/flaskr/auth.py b/flaskr/auth.py
index e41998c..f76418e 100644
--- a/flaskr/auth.py
+++ b/flaskr/auth.py
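Review bot: The new `REGISTER=False` entry in the `from_mapping(` call lacks the trailing comma that the `DATABASE=` line before it carries, so the next key added to the mapping will have to touch this line as well; write it as `REGISTER=False,`. Defaulting the flag to closed is the right fail-safe choice — together with the auth.py change in this diff, an instance whose config.py does not set the key answers 403 on /auth/register instead of accepting sign-ups. A one-line comment above the entry would make that intent visible to the next maintainer, e.g. `# Registration stays closed unless the instance config sets REGISTER = True`. The body of create_app() continues outside the hunk, so where the instance config is loaded and whether it can replace rather than update this mapping is not visible here.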
@@ -1,7 +1,7 @@
 import functools
 from flask import (
- Blueprint, flash, g, redirect, render_template, request, session, url_for
+ Blueprint, flash, g, redirect, render_template, request, session, url_for, current_app, abort
 )
 from werkzeug.security import check_password_hash, generate_password_hash
@@ -11,6 +11,8 @@ bp = Blueprint('auth', __name__, url_prefix='/auth')
 @bp.route('/register', methods=('GET', 'POST'))
 def register():
+ if not current_app.config['REGISTER']:
+ abort(403)
 if request.method == 'POST':
 username = request.form['username']
 password = request.form['password']
diff --git a/flaskr/templates/base.html b/flaskr/templates/base.html
index a2c26cd..89fd567 100644
--- a/flaskr/templates/base.html
+++ b/flaskr/templates/base.html
@@ -8,9 +8,6 @@
 {% if g.user %}
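Review bot: The guard `if not current_app.config['REGISTER']:` in register() opens registration for any truthy value, so a config.py line such as `REGISTER = 'false'` (a string) would enable sign-ups, and a config that lacks the key raises KeyError and yields a 500 rather than the documented 403. Comparing against the literal boolean keeps the gate fail-closed in both cases: `if current_app.config.get('REGISTER') is not True:` followed by `abort(403)`. Placing the check ahead of the `request.method` branch is correct, since it rejects both the GET form and the POST submission. The body of register() continues past the end of the hunk.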
  • {{ g.user['username'] }}
  • Log Out - {% else %} -
  • Register -
  • Log In {% endif %}