How to turn off forum except for staff

My forum was attacked and spammed with posts that we don’t want visible. How can the forum be disabled except for staff to clean it up?

You can’t “turn off” the forum and it magically still be useable by anyone.

You could consider bulk unlisting of all topics until you get a chance to delete the spam, then relist everything that remains?:

You can set the forum to be read only except for staff. Read Only Modes in Discourse


@pfaffman that doesn’t solve the “visible” part though :eyes:


I’d simply change all of the category permissions to staff only. With a nice explainer somewhere (of course).

You might like to do a data explorer query to record your existing permissions first, and if your forum is large/complex maybe do it all from the Rails console as a bulk action.

That would achieve what you need. And you could reveal content as it is cleaned up, category by category.
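
One way to record the existing category permissions before switching everything to staff only, as an added example that is not part of the original thread. It is a Data Explorer query; the table and column names (`categories`, `category_groups`, `groups`, `permission_type`, `read_restricted`) and the meaning of the `permission_type` values are assumptions about the Discourse database schema and should be checked against your version.

```sql
-- Added example: snapshot of per-category group permissions.
-- Run in Data Explorer and export the result (CSV/JSON) before changing anything,
-- so the original settings can be restored category by category.
-- Assumed schema: category_groups links a category to a group with a
-- permission_type of 1 (see/reply/create), 2 (see/reply) or 3 (see only).
-- Assumption: a category with no category_groups rows is open to everyone.
SELECT
  c.id                    AS category_id,
  c.name                  AS category_name,
  c.parent_category_id,
  c.read_restricted,
  COALESCE(g.name, 'everyone (no explicit rows)') AS group_name,
  CASE cg.permission_type
    WHEN 1 THEN 'see / reply / create'
    WHEN 2 THEN 'see / reply'
    WHEN 3 THEN 'see'
    ELSE 'see / reply / create (default)'
  END                     AS permission
FROM categories c
LEFT JOIN category_groups cg ON cg.category_id = c.id
LEFT JOIN groups g           ON g.id = cg.group_id
ORDER BY
  c.parent_category_id NULLS FIRST,  -- top-level categories first
  c.id,
  g.name
```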


I was considering a similar issue recently -

Would the steps be


OH. I missed that.

In that case, what you’d need to do is change DNS so that it no longer points to the forum and have the admins configure their /etc/hosts (or equivalent) to point to the correct IP address. But that’s not really a Discourse thing; that’s a sysadmin hack.


Thanks. There were few enough categories for this to be doable by hand (if somewhat annoying).

I don’t think this would work, as they could simply log back in:


I did have second thoughts about that bit afterwards. Do you think disabling local logins would be a suitable alternative/additional step? (And/or any SSO)

You’d need to turn off any OAuth methods too of course, but yes that could work nicely. Just be careful you don’t log off yourself (e.g. restore the site) inadvertently.

Although in that case you can simply turn logins back on from the console. Are you planning this for meta :stuck_out_tongue_winking_eye:?


Ha, no, nothing like that. Mainly just curiosity. :slight_smile: It seems like a useful plan to have in case of any emergencies. Though if there are too many steps then something else might be easier.

I’ll edit in the extra step above. :+1:

Thinking about it, logging everyone out and then disabling logins may make staff write only unnecessary?


I’ve actually just tested this for something else, and enabling ‘read-only’ from the backup page prevented my test user from logging in to the site:
