1. 45

I didn’t want Disqus injecting ads and scripts into my site, so I made my own and documented it here.

  1. 9

    I’ve been looking into https://commento.io/ , but I’m not sure if I want to bother with comments at all or not.

    What’s your plan for anti-spam?

    1. 3

      Shouldn’t get too much because it’s custom, so people have to manually spam it. I have a rate limit of one post per 2 minutes, which prevents brute force spam, a comment minimum of 20 characters, and no website link or HTML allowed for link spam. I’ve gotten 100 or so comments since I put it up, and none were link spam or anything you’d see on WordPress. Just a few people sending junk strings through.

      So at the moment I’m just reviewing them all once a day and seeing if there’s anything I need to delete, but it’s been a lot less spammy than WP ever was even with anti-spam plugins.

      1. 11

        Spam tools are smart. They know to try to add more than 20 characters into a <textarea> and figure that the name-field has no limits. So, expect your site to be “crawled” some day, which is done a lot. Any <form> found is scrutinized intelligently. The 2-minute cooldown of your blog would turn this spam-offensive into a DoS on your behalf.

        I try to avoid captchas as much as possible and strive to include at least one field with a strict input policy instead. I never had problems there. If that is not possible, consider adding a simple captcha, which can serve as a “strict input field”.

        To give an example, the question “What feels wet on your skin when you go outside and it is present?” has the obvious answer “rain”. No current AI would be able to answer this simple question, and we are far from solving it through AI.

        Captchas as classification problems is just a means for Google to train their NN’s. Please mention that if you ever write an article about captchas, as this is a fundamental problem and skewed the entire captcha-landscape. There are much simpler and less annoying captcha methods. Oh, and they don’t track you. ;)

        1. 12

          I would be really curious to see a modern spam tool. Maybe I should infiltrate a spam gang or something.

          From my experience with MediaWiki, it seems like they are very easily extensible with any custom form filling logic and the cost of setting up a targeted attack is quite low.

          At the time of events, the wiki I ran wasn’t super popular, maybe a hundred visitors a day or so. The old reCAPTCHA became useless against automated attacks, so I made a simple QuestyCaptcha plugin with a small number of options, like “what OSI layer a router operates on?”. To my surprise, it was broken. We’ve been facing a targeted attack, and to make it economically viable, the spam machine had to be easily configurable for that. But, QuestyCaptcha is a popular MW module and someone probably made a spam plugin that makes it as easy as adding question-answer pairs in the config.

          I wrote a custom domain-specific captcha that asked the user to enter the broadcast address of a random network, with prefix length range that makes it trivial to do a mental calculation. That is easy to break without any AI of course, but it requires actually writing some code specially for one site. For a while, things finally went quiet. But then it was broken too.

          We gave up and added Akismet, which had an absurdly large false positive rate and made the wiki nearly impossible to edit, so we gave up on that too and switched to manual account registration. Unsurprisingly, the wiki died.

          The successor uses github plus pull requests plus automatic deployment to readthedocs, and the activity there is higher than it’s ever been on the wiki, but it still feels like a spectacular defeat of Web 2.0

          1. 2

            I’ll also add that some use humans in the process. Mechanical Turks, folks that solve them to access “free” sites with illegal content, etc. They have piles of people solving piles of CAPTCHA’s free or dirt cheap.

            1. 4

              There are even services that provide an API for solving capthcas, listing average response time and number of workers online. If an API for programmatic exploitation of humans is not the cyberpunk antiutopia science fiction writers warned us about, I don’t know what it is. ;)

          2. 3

            The 2-minute cooldown of your blog would turn this spam-offensive into a DoS on your behalf.

            What do you mean here?

            1. 1

              Some sites(HN maybe?) have a cooldown period before anyone can respond to a given comment. Sounds like your limiting process is per user so it shouldn’t result in a DoS.

          3. 2

            Interesting. After my experience with Wordpress and MediaWiki, I started to think of comment spam as an intractable problem unless you have a lot of resources to throw at it. Maybe I should give comments a try again.

            1. 1

              I personally think it’s only a problem if your blog gets popular. So anyone should weigh their odds. Otherwise, simplistic captcha is relatively easy to implement. For example there’s a python captcha lib I once used to generate a set of 1000 images from strings. If anyone trained an AI on it, my plan was to just regenerate the images on a schedule. No one ever tried.

              If I did it again I would require a verified email to post comments; deter spam and build an email list for referral marketing. Why not? Everyone else does.

          4. 2

            I’d never heard of commento before, but I just checked it out and decided to move my blog’s comments over to it. It was really easy to migrate from Disqus. It took like 10 minutes total. I already like it much, much better than Disqus.

          5. 8

            My commenting solution is:

            Mail me at martin@arp242.net or create a GitHub issue for feedback, questions, etc.

            Seems to work fairly well. People email me, anyway.

            Stuff also ends up on Lobsters, HN, Reddit, etc, which I link if the discussions are worthwhile.

            Personally I’m not too keen on the “comments on everything” model. I much prefer high-effort commentary/discussion, rather than “quick comments”. I also prefer to integrate valid/reasonable feedback in the article itself, rather than having it sit in a comment at the bottom.

            1. 6

              That doesn’t achieve the same goal though. Comment systems allow readers to interact with the author and other readers. E-mailing the author only allows interaction with the author.

              1. 1

                You can do that with the GitHub comments and Lobsters/HN/Reddit discussions. There’s also stuff like https://utteranc.es to integrate GitHub comments directly on a (static) website.

              2. 5

                Agreed. I’ll probably end up doing something like that.

                Nice article here, btw: https://arp242.net/censorship.html

              3. 3

                Wow, I love your site, its beautiful and extremely well designed. Will definitely influence my own personal site, thanks :)

                1. 3

                  This was an avenue I never considered. Currently I am trying to use webmentions, so I’ve stopped looking at commenting systems but this could be a great way to have a private system.

                  As far as anti-spam measures are concerned, maybe a persistent question form could work unless you are targetted personally. Thanks for the walkthrough!

                  1. 3

                    Great work! This is how a comment section should look like. It reminds me of the (g)olden days where you didn’t have to sell your soul, link your social media or do three email-validations to post a comment.

                    In a way, these centralized comment-tools (Disqus,…) inhibit the free flow of information by forcing you to link your comment to your online identity in some way. There are unpopular opinions in any field and they will be silenced that way.

                    By running your own comment section, anonimity is truly given and you can still fully control it.

                    1. 2

                      Yeah. The problems that come along with anonymity are present too, unfortunately.

                    2. 3

                      https://utteranc.es is fantastic, although I don’t personally use it. I get all the critique I need from posting on Lobsters & HN.

                      1. 1

                        I might switch to that if this becomes too annoying to maintain.

                      2. 3

                        I briefly migrated all my comments over to Disqus… until I looked at my site on a browser window without adblocker installed. I could see dozens of scripts injected into the site and even worse - truly egregious buzzfeed-esque ads embedded between all the comments. I decided it immediately had to go.

                        I’ve had the exact same experience. Disqus ads take up more than half the screen and some of them are borderline scam. When I noticed this, I also removed Disqus, except I did not add comments back.

                        The interesting thing is that if Disqus would have not been as greedy on showing pages of ads or had some ways to display only relevant ads / opt out of ads I don’t want to see on my site, I might have let it stay.

                        Thanks a lot for sharing this setup!

                        1. 3

                          I use https://github.com/posativ/isso for my blog. It’s a separate server that uses an sqlite database for comments. You need to add a JS url to your page, that points to the local server and you’re done. It handles moderation and spam too. Pretty cool.

                          1. 1

                            I think this was top of my shortlist (not in front of me to confirm right now). Its a shame Javascript is mandatory but that’s probably true for all solutions out there these days.

                          2. 2

                            May comments-as-a-service rot in hell. There’s nothing scarier than trusting a company to keep parts of your website alive forever – good comments are worth keeping.

                            I wrote up an article about my experiences with my own comment system (on my static blog site) a while back:


                            Most of my article talks about what I discovered about how comment systems end up being used, rather than implementation details, however.

                            My backend is shell + CGI, not a JS framework. No SQL database either. Just some files and static page generation scripts. *chants from book of unix*

                            1. 2

                              This is good, thanks!

                              I’ve been making static sites for a long time now. I wrote my first just as a fun game to see how far I could push the static site concept. Could I, for instance, write a site that does book reviews? Allows a user to make book recommendations? All without any back-end at all?

                              I could, and that was cool. I did a couple of other fun project sites. My latest was a riff on using AirTable as a blogging backend. There would be some magic to get the AirTable entries to the same folder as the site. It might be a lambda or a cron job. That wasn’t important. The important thing was that there was no back-and-forth. You could run the site from a USB drive.

                              And that’s where I stopped. I wanted to add commenting, but commenting, to me, seemed much more of a back-and-forth activity. You make a comment, you reply, you edit your comment, and so on. It had much more of a dynamic feel to it. This wasn’t something I could pack up on a USB drive and give to somebody.

                              I still think there may be some document-driven, delayed, offline way of doing comments, maybe using LocalStorage, I just haven’t played around with it any more. I appreciate the chance to see how somebody else has solved it.

                                1. 2

                                  @floppydiskette Maybe I was writing stupid/badly form comments or you turned it off because spam? but I got ‘Comment failed to submit.’ for every comment I tried.

                                  1. 4

                                    Yes, I disabled and added a very long wait period for now because it became very popular on Reddit and I don’t feel like dealing with the deluge of garbage right now.

                                  2. 2

                                    This is pretty great and I agree with the author that Disqus sucks. However, they (and similar services) do provide solutions that this and other roll-your-own services miss.

                                    The first is spam protection. Anything on the internet is going to be spammed to hell and back, especially if there is no authentication. Spam is cheap and will overwhelm any attempt at manual moderation. It doesn’t matter how small and obscure the page is - it will get spammed.

                                    Trolling. Anonymous comments are dangerous. Maybe for technical articles they might be OK for a limited audience but anything political (or even not) will attract trolls. Trolls don’t need a reason, they see any writable space as their personal playground.

                                    XSS protection. Security headers are supposed to help here but a proper commenting system filters out malicious text before it hits the database.

                                    It’s a sad fact that anything exposed on the Internet today needs to include these things right from the start. You can be sure that Disqus handles all sorts of terrible traffic every day.

                                    I don’t want to dump on the link though. It is a great tutorial and a useful start.

                                    1. 4

                                      Yeah. Regarding XSS and database protection, I’m using parameterized statements and displaying the output as textContent on an element, so not worried there. Unless someone specifically writes a script to spam my site, I don’t foresee regular bot spam being an issue, especially with rate limiting. Trolling however, is a huge issue. This can be combated with moderation, but that might be more upkeep than I’m willing to put into it.

                                      1. 2

                                        Looking again, I think you are right: there doesn’t appear to be any issues with XSS.

                                      2. 1

                                        [deleting duplicate comment]

                                      3. 1

                                        Thanks for sharing. I’m in the process of figuring out a move of my blog from Ikiwiki to (probably) hakyll, which doesn’t have built in comment support, but they are important to me. I’ve out your thing into my melting pot.

                                        1. 1

                                          This is a great article! I’ve been using Webmention to handle replies/interactions to my posts on https://www.jvt.me. It’s awesome because it allows my personal site to own the interactions, I can use a hosted Webmention service like https://webmention.io and client-side render the webmentions so it’s all done on my static site too.

                                          It requires a little extra HTML markup when someone is sending a reply (for a richer webmention experience) but I feel works well.

                                          If you want to reduce the barrier, you can use an anonymous webmention service like Comment Parade

                                          1. 1

                                            “Comments disabled.”

                                            Whaat!? I gotta write and submit a comment to out? Oh well. Here it is again:

                                            Looks similar to the simple one Bruce Schneier had on Movable Type on his blog. Originally, it just required a name, email address, and optional web site. After lots of spam, they added a field where you just type in one word. The moderator said it cut back on automated spam significantly. Here’s what it looks like in case you want to experiment with any of those features:


                                            Note: Comment field is on the bottom of the page.

                                            1. 2

                                              Heh, sorry, that post got way too popular and full of trolls for me to keep up with. Haven’t had a single problem with automated spam, but I’d probably have to implement moderation to prevent trolling. The opposite of what you suggest, a honey pot where an invisible field won’t let you submit if it’s filled out, is also effective.

                                              1. 1

                                                I figured. It’s all good. The hidden field was another idea we discussed. I don’t have any data on it, though.

                                            2. 1

                                              this is how comments on a personal site should be imo, well done