Disqus 'Trusted Domains' aren't just a good idea...
While I’ve had Disqus comments set up at iLounge for a while, my own personal Disqus comments section has been mostly ignored for the past couple of years — when I went over to Blogger a couple of years ago, I traded them off for Google+ integration[1] — although I never actually deleted my Disqus profile or comment history.
As a result, linking my Disqus comments back up to this new blog was a relatively simple thing. Add a few 301 redirects from the old URLs to the new, and let Disqus search through the site and update its links. That part worked fine, but when I looked at my list of Disqus Discussions on my admin control panel, I was in for a rather shocking surprise….
It turns out that somebody else had been using my Disqus shortname — probably innocently[2] — for their Tumblr blog. The result was that I had about 250 extra threads in my Disqus control panel — basically one for every Tumblr post they had ever made. To add insult to injury, the domain name was NSFW and the content wasn’t even in English.
Of course, this is what Disqus’ Trusted Domains setting is for, and of course that makes sense. Unfortunately, I don’t think this setting was an option back when I first set up Disqus years ago, and I had never given much thought to setting it afterward. Needless to say, if you’re using Disqus comments, this setting is the first thing you should enable, to avoid problems like this one — or worse[3].
The next trick, of course, was to remove all of these spurious threads. Granted, they were only visible in my Disqus admin panel, so they weren’t hurting anything, but it kind of bugged me to have them there on principle. Fortunately, nobody had ever commented on this person’s blog, so that left me with a couple of relatively easy options, and in fact a response on the Disqus Discuss pointed me to the possibility of simply using the URL mapper to effectively “merge” these posts into one of my own, since they had zero comments.
Unfortunately, that was easier said than done. Being a foreign language blog, most of the URLs had extended characters, which seemed to do a good job of choking the Disqus URL mapper. So, instead, I found myself resorting to some PHP scripting into the Disqus API, which surprisingly wasn’t too difficult to accomplish — in the end I basically just iterated through all of the threads with the list operation, picking up the ones with zero posts and using the remove API to take them out.
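The cleanup described above, sketched in Python rather than the PHP the script was written in. This is an added example, not the author's script: the endpoint names (threads/list, threads/remove), the response fields (posts, link, cursor) and the limit of 100 are assumptions based on the public Disqus API 3.0, and the TRUSTED hosts are placeholders. It goes one step beyond the post by also requiring that the thread's link is off the trusted hosts, and it defaults to a dry run.

```python
import json
import urllib.parse
import urllib.request

API = "https://disqus.com/api/3.0/"
TRUSTED = {"example.com", "www.example.com"}  # placeholder: your own hosts

def is_foreign_empty(thread, trusted=TRUSTED):
    """Zero-comment thread whose link points at a host we do not trust."""
    host = urllib.parse.urlsplit(thread.get("link") or "").hostname
    return bool(host) and host.lower() not in trusted and thread.get("posts") == 0

def call(endpoint, params, post=False):
    """Minimal Disqus API call (assumed v3 layout); GET for reads, POST for writes."""
    query = urllib.parse.urlencode(params)
    url = API + endpoint + ".json"
    req = urllib.request.Request(url, query.encode()) if post else url + "?" + query
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def iter_threads(forum, api_key, fetch=call):
    """Follow the cursor until every thread of the forum has been seen."""
    cursor = None
    while True:
        params = {"forum": forum, "api_key": api_key, "limit": 100}
        if cursor:
            params["cursor"] = cursor
        page = fetch("threads/list", params)
        yield from page["response"]
        if not page["cursor"]["hasNext"]:
            return
        cursor = page["cursor"]["next"]

def cleanup(forum, api_key, access_token, trusted=TRUSTED, fetch=call, dry_run=True):
    """Return ids of spurious threads; remove them only when dry_run is False."""
    hits = []
    for thread in iter_threads(forum, api_key, fetch):
        if is_foreign_empty(thread, trusted):
            if not dry_run:
                fetch("threads/remove", {"thread": thread["id"], "api_key": api_key,
                                         "access_token": access_token}, post=True)
            hits.append(thread["id"])
    return hits
```

Run it once with the default dry_run=True and review the returned ids before letting it remove anything.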
It all seems to have worked fine, but it also seems that Disqus has a few different layers, and apparently it can take up to 24 hours before those changes are reflected throughout their systems. The admin control panel still showed all of the threads, yet the API isn’t listing any of them. So it appears to be cleaned up, but I’ll have to check back sometime tomorrow just to be sure.
[1] Like many, I believed Google+ would be a real thing back then, and it was fun for a while.

[2] In all fairness, it’s merely “jdh” so it’s probably not a difficult mistake to make. In retrospect, I probably should have used something more obscure.

[3] In my case, the results were pretty harmless, but somebody malicious could just as easily hijack your commenting system for their own pages without this additional security measure in effect.