13

9th Sep 2024

1 min read

13

Reason for Writing: I want to gather information for a friend who is a professional in the behavioral sciences.
Epistemic Status: Less than 2 hours googling how to build a forum, and a couple youtube videos

Requirements:

Aesthetic
Inexpensive
Private
Easily Setup

The goal is to create a small, private forum for discussions.

I've looked into discourse, not sure if that's the best option.

Personal Blog

13

Building an Inexpensive, Aesthetic, Private Forum

New Answer

New Comment

5 Answers sorted by
top scoring

Said Achmiz

Sep 10, 2024

120

MyBB (or similar) with a custom theme.

Aesthetic: lots of themes available, and making your own seems easy.

Inexpensive: can’t beat “free” for the software, and cheap hosting that supports PHP+MySQL is plentiful.

Private: trivial to set up basically arbitrary access controls, as with any half-decent forum software.

Easily set up: standard PHP+MySQL stuff.

(I strongly anti-recommend Discourse as a forum platform.)

[-]Viliam2mo20

Some webhosting companies already provide the entire combination of PHP + database + forum, for the price of webhosting. (At least this was the situation a decade ago.) Then you just set the access rights to "only registered and approved users can read and write" and you're ready.

2Said Achmiz2mo

That’s true, but I’m not aware of one that does this combo and is good (uses a good forum software, is reliable, etc.). Are you?

2Viliam2mo

No. But I would advise against setting up the software for yourself (unless this is the type of thing you also do for a job), because it can be more work than initially expected, especially if you need to keep updating it afterwards. Also, if you use a standardized solution, there are standardized exploits out there, so unless you set it up carefully and update regularly, you probably should expect it to get hacked sooner or later. Basically, remember the situation when one person practically took down Less Wrong, and it had to be reprogrammed from scratch, because updating the original Reddit codebase would be too much work? Similar thing can happen when you use a free solution, and defending against it can turn out to be too much work. I don't know how big a target is the "friend who is a professional in the behavioral sciences", but sometimes it just takes one crazy person with too much free time. So, in my opinion, if it's not a big deal, use some cheap and simple solution that can (and will) be thrown away later. If it is important, I am afraid that you will need a paid solution (or you will pay with your own time, more than you expected).

2Said Achmiz2mo

I don’t agree with most of this. I agree with this part: Yes, if you are not a “tech person” / programmer / engineer of some sort / otherwise have experience with software, you should not set this sort of thing up yourself. You should find/hire someone to do it for you. That is not difficult. I disagree with the rest of what you say. Choosing a free solution that is well-maintained is better than rolling your own. A standardized solution plus standardized exploits plus standardized mitigations to those exploits is better than a custom solution. First of all, as I recall, that wasn’t an “exploit” in the usual “software vulnerability” sense. Perhaps someone from the LW team who was around back then can better describe the details, but as I understand it, it was a design flaw in the “if someone does this bad thing, we have no good tools to catch them and/or prevent someone from doing it” sense. There is no reason whatsoever why a custom solution can’t have arbitrarily many such design flaws, and such an “exploit” in no way relies on having access to the source code or… anything like that. And—again, to my recollection—old Less Wrong was never “hacked”. But more importantly, the reason why any of this was a problem at all is that old LW used the old Reddit codebase—that is, one which had been deprecated and was no longer maintained. Indeed, it is a bad idea to choose such a platform, if you do not have a dedicated engineer to service it! This is why you should choose something popular and well-maintained. For example, I linked MyBB in my earlier comment. It is updated regularly, and the developers clearly take security very seriously. I don’t know how much money you’d have to spend to get this degree of protection in a custom solution, but it sure ain’t a small number. When you speak of standardized exploits to standardized solutions, I expect that you have Wordpress in mind, which is infamous for its exploitability (although I am unsure to what extent that rep

2habryka2mo

This all roughly matches my model. Yeah, the core issue was that there was basically no protection against people just automatically creating thousands of accounts and using them to downvote whoever they disliked. In-general, bot issues are one of the top reasons for websites that accept user submissions either need to have a strict manual review phase, or be continuously updated with defenses.

2Said Achmiz2mo

Indeed. And what you’ll generally find is that mature, widely-used platforms tend to have many and varied tools for dealing with this sort of thing, whereas if you build custom software, you end up having to handle many more edge cases, attack types, etc., than you’d expected (because it’s very hard to think of all such possibilities in advance), and the project just balloons massively due to this. (For example, Simple Machines Forum—which runs Data Secrets Lox, and which I, on the whole, do not recommend—has all sorts of options for gating user registration behind verification emails / manual moderator approval / captcha / verification questions / etc.; it has moderation tools, including settings that let you enforce per-post approval, on a per-subforum basis; it has a karma system; it has built-in GDPR compliance features; and all of this before you consider all the optional modifications that are available… and SMF is not even one of the better platforms in this category! How much development work would it take a small team to get a discussion forum platform to this state? How much work would it take even to just build the core functionality plus the moderation/security/anti-spam tools…?)

rsaarelm

Sep 11, 2024

Everyone who participates probably isn't a github-using programmer, but if they were, a stupid five-minute solution might be to just set up a private github project and use its issue tracker for forum threads.

kave

Sep 11, 2024

I don't know what "private" means to you, but if you just mean you can control who joins, I think google groups are a good choice for 2 - 4.

Zulip, Discord and Slack are all options as well, though they all (to differing degrees) encourage shorter, chattier posts.

[-]Said Achmiz2mo20

Zulip, Discord and Slack are all options as well

However, these are all very bad for searchability, archiving, multimedia content, and creation of permanent content of any sort.

2kave2mo

IMO, pro Slack instances are wonderful for searching & good for many different kinds of media, though not mixed media (i.e. you can upload videos, photos, pdfs (and search over them all, including with speech recognition!) but inserting photos into a message is annoying). I'm not really familiar with Zulip or Discord. (Also, I'm not sure with pro Slack instances really qualify for (2) anymore)

lemonhope

Sep 10, 2024

I have used a number of discourse forums and they just feel bad/wrong but I cannot explain why. I would also vote for more of an old-fashioned php BB with a nice theme. Those are always great, even though all my intuitions tell me they seem like they should suck. Shows how little I know.

Eg https://github.com/phpbb/phpbb

Also has styles: https://www.phpbb.com/customise/db/styles/board_styles-12?sid=6245508b90fd3410be19888406fae215

Basically I'm repeating what Said said

Ben Pace