Where in Discourse can users publicly share PII?

Documentation Site Management
,
1

:bookmark: This guide identifies all the places where users might publicly or inadvertently share personally identifiable information (PII) through their own actions in Discourse, and how administrators can restrict or manage these options.

:person_raising_hand: Required user level: Administrator

Users have multiple ways to voluntarily share information about themselves in Discourse, both intentionally and accidentally. Understanding these areas helps administrators implement appropriate safeguards and educate users about privacy best practices.

Summary

Unlike data that Discourse stores automatically (IP addresses, emails, authentication credentials), this guide covers places where users actively choose to share information. Users can share PII through their profile information, in posts and messages, through custom fields, user status, and other community features. Many of these features can be disabled or restricted by site administrators to reduce the risk of accidental PII exposure.

Where users can publicly share PII

Users can share personally identifiable information in multiple areas throughout Discourse:

  • Username - Publicly visible across the site on all posts and interactions
  • Name - Optional display name that can appear alongside the username
  • Profile (about me) - Biographical information section on user profiles
  • Location - Optional location field visible on user cards and profiles
  • Posts - Including topics, replies, personal messages, chat messages, and comments
  • Custom fields - Additional fields defined by site administrators (such as “occupation” or “company”)
  • User status - Temporary status messages like “away”, “working from home”, etc.
  • Tags - A user trying really hard to share information might create a tag such as my-name-is-jenny-call-me-at-867-5309

:information_source: Many of these features can be disabled or restricted by site administrators.

:warning: Personal messages are not end-to-end encrypted. Site administrators can access PM content, and moderators may have access depending on your site configuration.

Profile-based PII exposure

Username

The username is publicly visible across the site and appears on all posts, topics, and user interactions. Users choose their username during registration.

Administrator options:

  • You cannot disable usernames (they’re required for Discourse)
  • Set min_username_length and max_username_length to control username format
  • Set username_change_period to allow a grace period where users can change their own username in case they did not understand the implications of their choice when they were signing up for an account. The default value is 3 days. After the username change period has expired, users must request a username change from the site Admin, who can change the username from the user Admin profile.

Name

The “name” field (sometimes referred to as “full name”) is an optional field that can display alongside the username.

Administrator options:

  • Disable name display with the enable_names site setting
  • Control name requirements with the full_name_requirement setting
  • Use prioritize_username_in_ux to emphasize usernames over names throughout the interface

Profile “about me”

Users can add biographical information to their profile, which is publicly visible by default.

Administrator options:

  • Enable hide_user_profiles_from_public to disable user cards, user profiles, and the user directory for anonymous users
  • Enable allow_users_to_hide_profile to let users choose to hide their own profiles
  • Set default_hide_profile to true to hide all new user profiles by default

Location

Users can optionally specify their location, which appears on their user card and profile.

Administrator options:

  • This field cannot be individually disabled; it is always available as an optional field for users. However, hiding profiles (see above) will prevent public access
  • Educate users about privacy implications of sharing location data

Custom fields

Administrators can create custom user fields that appear during signup and on user profiles. These fields might inadvertently collect PII.

Administrator options:

  • Carefully review all custom user fields for PII collection
  • Only create custom fields that are necessary for your community
  • Consider making sensitive fields optional rather than required
  • Use the “Show on public profile” option judiciously

User status

The user status feature allows users to set a temporary status message (like “away” or “working from home”) with an emoji and optional expiration time.

Administrator options:

  • User status is disabled by default and managed with the enable_user_status site setting
  • If enabled, educate users about not including PII in status messages

Content-based PII exposure

Posts and replies

Users can include PII in any content they post, including:

Administrator options:

  • Use AI Triage or the watched_words feature to flag or block specific patterns (phone numbers, addresses, etc.)
  • Administrators and moderators can quickly intervene to edit or remove any PII in content through built-in staff actions: editing, deleting, and reviewing the queue for flagged or held content.
  • Use the edit_history_visible_to_public setting to globally control who can see edit history after PII removal or the Hide Revision button in the edit composer for one-off PII removals.

Topics

Topic titles are publicly visible (unless in a private category) and may inadvertently contain PII.

Administrator options:

  • Use staff actions to quickly edit topic titles that contain PII
  • Consider making sensitive discussion areas private categories

Chat messages

If the Discourse Chat plugin is enabled, users can share PII in chat channels and direct messages.

Administrator options:

  • Carefully configure which groups have access to chat

Tag-based PII exposure

Users with appropriate permissions can create tags. In extreme cases, a user might create a tag that contains PII.

Example: A user trying really hard to share their phone number might create a tag such as my-name-is-jenny-call-me-at-867-5309

Administrator options:

  • Restrict tag creation to trusted user levels with the Create tag allowed groups setting

Last edited by @MarkDoerr 2025-12-11T16:33:19Z

Check documentPerform check on document:
2 Likes