Most people are using third party cloud providers, and they’re very invested in securing their service. The overhead is mainly keeping Discourse itself updated, which plenty of people manage to do (in fact, most sites using Discourse do it themselves!).
Even for actual computer-in-my-home hosting… you have to pay some more attention to security, but it’s certainly not in the “hundreds of thousands of dollars per year” area of complicated.
Paying us for hosting when possible is certainly a great way to support our work on Discourse though!
It doesn’t matter whether you run your own hardware or whether you instead run virtual hardware on a cloud server. Running your own hardware introduces additional elements via hardware failures, but the basic dilemmas of maintaining a cloud server are similar. Can you answer these questions:
What ports does your firewall allow into your virtual hardware?
What ports does your firewall allow out of your virtual hardware?
If you allow port 80 and port 443 out, do you restrict the websites the outgoing connection can visit?
What are the seven most likely hacking strategies that an intruder would use to penetrate your virtual hardware via the web server, and how do you protect against each of those?
What is your system administration strategy to know if there is an intrusion onto your machine?
I could go on for a while, but most people who administer their own cloud servers don’t answer these kinds of questions well enough. And now with AI the sophistication of the hacks is going to get stronger and stronger.
Does your cloud hosting provider give you a virtual computer onto which you install Discourse, or are they a Discourse-specific hosting provider that just gives you access to one Discourse instance on a server they maintain?
Different topic: we had the same experience with FB, but in my case they didn’t even send me the “you won the appeal” email. My account suddenly started to work and now FB acts like nothing ever happened. There is no record of any event in my security settings and activity log. Now that I understand that FB does NOT protect content we have created, I am seriously traumatized, and my relationship with FB is permanently altered and damaged.
Right. Although I shouldn’t have to justify myself (let alone take a « test » ), I would like to reassure you that the security of my setup does not rest on my shoulders
Same here. I was under no illusions regarding the fact that Facebook can arbitrarily determine the life or death of any account or community, but it hits home differently having experienced it personally.
You are side-stepping the issue I raised rather than addressing it. It’s your right to do so. I have stated my opinion clearly, which you are welcome to ignore.
It’s one thing to acknowledge that FB can suspend our accounts. That’s bad enough, but I think most people understand and accept that risk. But they cross over a sacred line when they delete historical content. They deleted two years of research data that far exceeded the value of my individual account. They threw a group of 15K+ users into disarray. There is no coming back from that.
Yes. What I mean is community organizing, not how the site is organized. They’re distinct from each other - you’re organizing your community to migrate to discourse, it’s essentially a campaign.
I looked above and didn’t see anything towards this - what ideas do you have? Perhaps we could focus on the actionables - how to materialize your ideas, or point you in the right direction. I wonder if receiving more focused responses could help the feeling of only receiving more information or being made to make more choices. I apologize if I’ve contributed to that, and if I came across as presumptuous in my suggestions for recruiting members.
Steph’s comment “security of my setup does not rest on my shoulders” sounds more like she has a sysadmin type onboard to help with security.
I could answer some with a bit of poking around in my configuration. For others I don’t have the experience. Perhaps you’re in a position to write up some security tips for self-hosters without a six-figure budget? I’m sure it would be welcome.
As I responded to @awesomerobot near the beginning of this thread, I realised I maybe haven’t been presenting my issues at the right « flight level » so far:
No worries, you don’t have all the context, and I maybe haven’t done a very good job of conveying exactly where my issue lies. It happens! I do really appreciate your willingness to help and provide support
Oh, I did not! That’s great, and I am happy to share how we have approached some of the ideas you’ve listed there. I think my previous comments have been leading towards what’s already been posted there, so I’ll step back here as to not take up more space
@stephtara I get that looking into the abyss of seemingly unending configuration options within a Discourse instance can be overwhelming but with options comes opportunities. With that said, I have two reoccurring thoughts as I read your topics and posts.
First
“We shape our tools and they shape us” yes and I think we can agree Facebook no longer shapes in a desirable way. You seem to prefer Discourse but lament the process and ask for less options and/or an easier config process. Although all that would likely be cool to some and desirable by many this is Discourse not Facebook or some other service that is perceived as being easier to use. My tip is just get on with making your Discourse happen. There is plenty of time for the very much welcome and appreciated eloquent critiques of Discourse later, as you build your community.
Second
I agree with @jenmck
As a former colleague used to say “Hey Phil, don’t let perfect be the enemy of the good” in an effort to pull me out of the weeds and remind me of the big picture. Stop making it so complicated, keep it simple and just get on with it.
My suggestions for getting on with it:
Get the reply by mail system working.
Don’t add a bunch of categories or tags. Add only one public “Welcome” category for everyone coming from any of the FB groups.
Add three groups one for each FB group.
Invite your existing FB staff/mods to their respective groups. You are an excellent writing so craft the appropriate welcome messages for each group and the automatically created staff group/category.
Send the appropriate notices on FB issuing the invites mentioned above. Note: The invites are group specific and some users may get more than one invite if they staff/mod in more than one FB group.
Handle all of the structure discussions as a Staff group on Discourse.
Some of your FB staff/mods will not come right away. That is OK just build it and encourage them to come on in as you work to get away from FB. Build it and they will come…or not.
At some point relative soon after doing the above open invite your FB members using the invite process and another set of well written messages (FB and discourse). Not every FB user will come right away. Continue to nudge… Build it and they will come…or not.
Just “post something” on you discourse instance.
Regarding your videos and documents:
If you have not done so already get a YouTube channel going with all the videos. It will be laborious to create topics/posts in discourse for each video but once done you can index organize things very nicely.
The documents may bet best placed elsewhere for now. There are numerous options. My preference would be serving them from a static website like Hugo.
In pains me, and maybe others, to see you struggle with getting your Discourse community going. You have folks here on Meta that care about your success. You and your staff/mods can always ask for help here.
I think that’s what he’s saying. I’ve been helping self hosters since 2017, some of whom have been very irresponsible (like upgrading nothing for years). Since I make a good part of my living supporting self hosters, I of course have a different opinion.
The only problem I’ve seen with security was with an admin who was doing stuff like hiding elements with css in a theme component and then charging to “fix” it. He also did a Post.destroy_all at the rails console and, well, destroyed a lot of posts. (I managed to restore at least most of them from a backup.) I’m not aware of anyone having a database stolen (except by someone who was paid to have access to the database).
Discourse does a remarkable job at security. Running wordpress is much more dangerous than running discourse. I don’t think anyone should do that.
I’m not saying that self-hosting Discourse requires deep expertise in computer security as such. But when I read something like this:
that does raise a red flag for me.
Not because there’s anything wrong with getting help, but because it suggests a setup where ongoing access and responsibility depend on one specific person’s availability. In that situation, a hosted solution is often a better fit. You still wouldn’t need to log into the server yourself, but you’d have a reliable party to fall back on, rather than relying on goodwill, spare time, or on that one person being available when something goes wrong. In much the same way that you can’t rely on Facebook as a long-term guarantee, we’ve seen entire communities fail simply because the one person holding the keys stopped answering the phone.
In practice, it’s precisely at the moment something breaks and that person becomes unavailable that people end up coming to us (or to Jay, or to CDCK), though perhaps I’m just preaching to my own choir here.
But I might be deviating from the actual subject here. I think @philh says it better than I could ever have
Baby steps. It doesn’t have to be perfect immediately. Actually, nobody knows what “perfect” is for your specific community. You and your community will figure it out along the way. And if you get hindered by the lack of knowledge about how to do something, or maybe even about what possibilities there are, meta is the perfect place to ask, and I am not aware of any other product with such a great community that people can rely on.
Or maybe it just means that I haven’t done it yet because I’ve spent all my « Discourse » time rummaging around the admin interface and hanging out in meta, that I’m still recovering from an accident earlier this year that has added to my already-existing executive function challenges (hi ADHD) and that these last few weeks I’ve been barely keeping my head out of water with my return to work, sick cat and life in general. And that there is a higher barrier to « doing something for the first time » than you might think, which has little to do with the actual content of the thing to be done.
Same reason I didn’t do the install myself: I could have figured it out, but I’m a) at a stage in my life and b) in present circumstances where I’m being strategic about what I spend my energy on.
For me this whole thread is deviating from the topic and has been for a bit. I posted about what I find is making my experience as a new Discourse admin more difficult than I think it could be, and (no hard feelings to the people in question) I feel as if I’m being put on the grill regarding my community management and technical expertise and skills.
No need to justify yourself. I only wanted to point out something that might be getting in your way.
Having been part of this community for the past 13 years, I don’t think that’s what’s happening here. More often, when someone asks for help, people naturally start offering both what to do and how to do it, even if only one of those was asked for. And when advice comes in that wasn’t explicitly requested, it’s very easy for it to feel more personal or evaluative than it was intended to be.
Hi there, I have much less experience than most of you here, but I did build from scratch (with some tech help from a colleague, since it is self hosted) a Discourse community. And I could’t be happier, but it is true that I always followed precisely this
Step by step I have been implementing new stuff, but only when needed. And I always found help here in Meta, can’t count the times this forum saved my 4$$
Totally true.
My community just became 3 years old (although I started learning Discourse a year earlier), and now it would be much more complicated to adjust everything if I had to change the platform.
For this I found very useful including a newbies tutorial where I explain to new members how to adjust the notifications in their profile, along with other basic things like how to post, search, react and fill the bio. Exactly because of this
Great advice
Thank you for sharing @stephtara, I hope it all turns out for the best and you end up sharing your awesome Discourse here too (btw: I am a total catlover and an ex-vet, so would LOVE to get to know your commmunity better).
I feel you! I am in a similar situation, probably about 2 weeks behind you in my Discourse journey. I have a similar background with online systems (except I’m a software developer).
Your post scares me a little because I’m about to start looking in earnest at Discourse and I’m struggling to find the time. Looks like I will not be able to do it piecemeal, like I hoped.
Anyway, I just thought I’d just say I’m with you and will help where I can!
Thanks for stopping by! Are you also migrating an existing community from Facebook? Over the last days I have come to realise it is a key element in my issues, that might have been a bit of a blind spot until now. I’m planning on putting together what I’ve understood regarding the Facebook migration question as soon as I have an hour or two to sit down and write.
aw, sorry about that. But yeah, time is definitely needed. I guess it does depend on your “community building scenario”, though. I think that if I was starting a community “from scratch” (I might, actually, I have ideas! I would be charging along already with what I have set up.)
No, I am not migrating a community from Facebook. Instead, I’m building one from scratch. Still, I’m somewhat bewildered by the array of options available. Will not get into it in earnest until after the holidays.
Discourse does have a lot of options but it’s not that hard to go through them methodically.
One improvement might be to have not only a description of each site setting but also a link to documentation. Sometimes the description is inadequate except as a reminder when you already know. Having said that, it’s easy enough to search for the information, or ask here.
The “30-minute installation” page links to selected forum topics. That’s probably the best place to add further links to documentation.
Everybody will have a different focus and it’ll be hard to cater for everyone. I came from Mailman so found the way Discourse approaches emails a bit haphazard, but I realised it’s good enough and haven’t had any real problems.
If you want a community-editable cat database (I’m not sure that’s exactly what you do want) then try out MediaWiki plus Cargo (or SMW) and Page Forms.
Agreed. It would be a big project, but it’d be nice for each site setting (or at least ones where a brief description doesn’t quite cut it) to link to a doc page section that explains what it does and how it interacts with any other relevant settings.
I think something like that is already part of the redesign process. The learn more link on the config page for the about page, for example, links to the documentation topic here on meta.
I think a link per group of site settings about the same area may work better than for every single setting. For a single setting, search will hopefully show you the related documentation topic anyway.
), I would like to reassure you that the security of my setup does not rest on my shoulders 
with 
