Your users deserve better than Disqus
Occasionally readers of this site will contact us to lament our lack of a commenting system. The message usually goes like this: “I love the site but I wish you had a comments section”. Some readers even recommend a solution: “you should get Disqus” they say. We are considering adding a comments system to PerlTricks.com, but it probably won’t be Disqus. This article explains why.
What is Disqus?
Disqus solves a lot of problems for the site owner: it has a good spam filter, provides notifications, authentication, a management interface and it looks good. Some users like it too: Disqus notifies users when their comment is replied to for example. For these reasons, when many site owners are facing the prospect of developing their own solution, the ease of installing Disqus makes it a natural choice. Disqus developers seem to have anticipated the typical doubts; concerned about your comments being stored by a third party? No problem, you can download them at any time. For site owners with time or cost pressures, Disqus is a compelling pitch.
Security is a concern. Disqus’ popularity makes it an inviting target for hackers as a repeatable exploit will be effective against potentially millions of websites. Exploits for Disqus are regularly discovered, just last month a remote code execution exploit was found in the Wordpress Disqus plugin that left an estimated 1.4 million sites vulnerable. In December 2013, a hack was published that allows a malicious user to obtain the email address of any Disqus user. As a site owner, you have a responsibility to treat your users well; yet a security hole in Disqus could lead to a hacker posting malicious code on your website, that attacks users as they visit the site (XSS attacks). Morality aside, who knows what the legal costs for the site owner could be if an attack was successful?
Most of the features that Disqus provides are easily obtainable elsewhere; need to prevent XSS content? Use HTML::Entities to HTML encode all outgoing comment text. Want to prevent spam? Add a CAPTCHA for new users posting comments. Want a decent-looking comments section? Copy the Disqus style (ha-ha). The problem is that these features are not tied up in one neat package - a developer will have to assemble the disparate components into a solution. That’s called software development.
As a technologist, I see many parallels between Disqus and PHP; they’re both so easy to set up but deep-down you know that using them will cost you later. History shows that humans consistently underestimate risk and in that regard, Disqus is no different. Site owners, don’t let the short-term convenience of Disqus get the better of you, your users deserve better. But what do you think? Let us know in the comments section below*.