Newbie Question re: security

Hi, I just started my 14-day free trial and I like what I see. I have a question about security:

I used to use a “Simple Machines” forum, linked to my website, but it proved to be a massive security risk, as spammers would use the forum as a back door to access my site and then crash my site.

I plan to use a Standard Discourse account, hosted by Discourse (do I understand that right?)

What sort of firewall exists between the Discourse forum, and my linked website?

My site is hosted by Squarespace.

Thanks in advance for your help and advice.

1 Like

Discourse is used by a lot of big tech companies

It’s a robust system. You can’t host a Discourse site on Squarespace; it will be hosted by Discourse on their servers, that’s what you’re paying for, and it will be a separate entity.

6 Likes

They also have an active HackerOne bounty program:

Overall, security is not overlooked by Discourse, it’s critical and treated as it should be.

6 Likes

Our physical server was hacked a few years back (99% because of an old Confluence site). Almost everything was destroyed except for Discourse. We had like 4 spammers in the last 10 years. But we are not famous. I have seen about 2 spammers in Discourse Meta itself in the last 3 months going all the way through to posting something on the forum. I consider it built spam-proof from the ground up. I think it’s even the basic idea they started with.

2 Likes

Is your site on Squarespace a WordPress site? There are integration methods in the Docs category for embedding sites.

Discourse AI can use free AI like Gemini Flash and, if hosted, may have others available.

In the AI plugin suite there is AI spam detection that may be of interest/use.

If the nightmares come from integration when embedding a forum as a commenting system into another site, like WordPress [1], I can’t give you any technical explanations — but I’m using Discourse that way, and plenty of others do too, without issues.

If (and when?) you are using Discourse in a standalone way, as the majority does, your main site is just another link inside Discourse. Then, the security of that site/server comes from what happens there, of course. And the security of hosted Discourse is the headache of CDCK, not yours.

But I bet there are more self-hosted instances than CDCK’s, and again, others can give you more robust information, but I’ve never heard of cracked or hacked Discourse instances.


  1. I don’t know if hosted forums even have that ability.

1 Like

Squarespace is a hosted site builder, not a place that would host a WordPress site, but it does have provisions for embedding external sources through code blocks and embed blocks.

It’s not clear what SamM specifically means by “spammers would use the forum as a back door to access my site and then crash my site.” Spammers don’t want to crash the site, they just want to flood it with trashy ads and clickbait. If that’s what happened, then maybe Simple Machines lacked Discourse’s tools for controlling spam.

But the question “What sort of firewall exists between the Discourse forum, and my linked website?” seems like something to ask Squarespace. They do warn that injecting code can cause display issues beyond their control, but I don’t imagine an embedded forum post causing more damage than that.

1 Like

This is a bit off topic, but that was a real issue with WordPress some years back. The first spam attacks worked, but because of a well-known weakness, hundreds of others followed, and that server crashed. Or the same weakness was exploited by script kiddies trying to hijack the whole system, and because they were mostly just copy-and-pasters, their poor code and lack of skills broke everything.

One reality is that only a minority of spammers work like parasites, while the majority act more like bacteria or viruses.

That is not the situation with Discourse. But I reckon such situations are behind that concern.

2 Likes

Indeed, a lot of unknowns. Like, did the forum software they used have no real spam detection/containment features? And of course, if using a site builder, what features does Squarespace provide?

Need better clarity from the OP.

We take data security very seriously. You can view our certifications and test results at CDCK Inc. Forms | Discourse - Civilized Discussion.

6 Likes

A full answer to this question would literally fill a book on security.

But I’m going to give you a mostly-complete answer here after clarifying some points about what happened to you:

This sounds like attackers (not “spammers” - spammers would just post spam) were able to exploit the Simple Machines forum and gain remote access to the server on which it was hosted. Crashing your site would only prevent access to it, rather than allowing them access.

Presumably this server also hosted other things or contained other data?

The best way to think about this is in terms of “blast radius”. In the event that someone gained improper admin access to your forum, they would have access to all of the data in the forum.

In particular PII, but also configuration or other API secrets. For example, if another service on your domain relied on this site for authentication, that might allow attackers to pivot to that other service.

In the worst-case scenario that an attacker got access to the backend servers (in general known as remote code execution), the blast radius would also include anything accessible by the user account under which the actual service is running. Various protections to limit that blast radius such as containerisation and running servers with non-admin credentials also help to limit that exposure.

To sum up, hosting on a managed service is safest for your site since we are responsible for system security.

6 Likes
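To make the “blast radius” point above concrete, here is an added example (not code from the post, from Discourse, or from its launcher configuration) showing the same hypothetical self-hosted web app deployed two ways with Docker Compose. The service name `forum`, the image `example/forum:latest`, the uid `10001`, the upload path and the `DB_PASSWORD_FILE` convention are all assumptions for illustration. The first definition gives an attacker who achieves remote code execution in the app the whole host; the second limits what that same foothold can reach.

```yaml
# Added example: narrowing the blast radius of a self-hosted web app container.
# Hypothetical service "forum"; not Discourse's own configuration.
services:

  # --- Weak: runs as root inside the container, a secret is baked into the
  # compose file (and therefore into version control), and the entire host
  # filesystem is mounted. Remote code execution in the app == the host.
  forum-weak:
    image: example/forum:latest        # assumed image name
    environment:
      DB_PASSWORD: "hunter2"           # secret committed with the config
    volumes:
      - /:/host                        # every file on the host is reachable
    ports:
      - "80:80"                        # privileged port forces a root process

  # --- Hardened: same app, same image, but an attacker who pops the process
  # lands as an unprivileged user on a read-only filesystem with no
  # capabilities, and can read only the one secret the app actually needs.
  forum:
    image: example/forum:latest
    user: "10001:10001"                # unprivileged uid/gid, assumed to exist in the image
    read_only: true                    # immutable root filesystem; no dropping webshells
    tmpfs:
      - /tmp                           # scratch space the app needs, not persisted
    volumes:
      - forum-uploads:/var/www/forum/uploads   # only the data the app must write (assumed path)
    cap_drop:
      - ALL                            # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true         # setuid binaries cannot regain privilege
    secrets:
      - db_password                    # mounted at /run/secrets/db_password at runtime
    environment:
      DB_PASSWORD_FILE: /run/secrets/db_password   # assumed app convention for file-based secrets
    ports:
      - "8080:8080"                    # unprivileged port, so no capability is needed to bind
    pids_limit: 256                    # a fork bomb from a compromised app stays contained

secrets:
  db_password:
    file: ./secrets/db_password.txt    # kept out of version control

volumes:
  forum-uploads:
```

The point is not any single directive but the combination: if the application is compromised, the attacker inherits exactly what the `forum` service definition grants and nothing more. Any other service on the same host (for example something that trusts this forum for authentication) needs its own, equally narrow definition, otherwise the pivot described in the post remains available.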