by simonw 1532 days ago
One tip I've picked up from experience: avoid projects that have user accounts.

If your project has user accounts, you'll get users who you have to take responsibility for. Then it's not a side-project any more, it's a part-time job.

These days I much prefer side projects which have no user accounts at all (like https://www.niche-museums.com/) or that are open source tools where the end user installs and uses the software without me having any involvement at all (like https://github.com/simonw/shot-scraper)

15 comments

Especially if these users can share content, then you need to do moderation and hooo boy, you don't want to do that.
I ran a blog for over a decade, with comments open. A typical post would get 10 to 30 real comments and tons of spam that got filtered out.

Why was this such a disastrous choice? I enjoyed having the site and with the exception of a couple of heated arguments in the comments, and spam, it was never a concern at all. Even the spam was a very minor inconvenience since the filters caught pretty much all of it.

Many of my friends also ran blogs in the late 2000s to early 2010s and the majority were smaller and had zero arguments in the comments and less spam as well. Just a comment or two on the occasional post.

Aren't you implicitly betting on yourself not to succeed though? There's some cutoff of eyeballs where moderation becomes painful, and it's a pretty steep pain.
My goal was never to get a Tim Ferriss-sized audience. It was primarily for personal expression at the beginning and then gradually grew over time.

The blog was the 2nd largest in its niche and led to me making a TON of friends, one of whom I was later best man for at his wedding. I also ended up getting sweat equity in a business and learning a ton due to that blog. Moderating comments was little to no burden and even if its traffic were 10x more, moderation would still have been a trivial task.

It was a huge success in terms of ROI from my perspective. Having accounts and user-generated content on that site wasn't "betting on myself not to succeed". It enriched my life.

Unless you're living in a place that really heavily regulates the web, I don't think you need to fear having user accounts in hobby projects.

I've built dozens if not hundreds of hobby projects that had accounts. This includes a blog I ran from 2005-2017, flash games in 2010-2011, an ear-trainer for recognizing relative pitches, a couple of apps that do things with photos, half a dozen language learning apps and all kinds of other little projects. In aggregate, having user accounts brought essentially zero concerns beyond spam management.

Taking payment is a much bigger deal, but even that is something that millions of people do online and the majority haven't even set up a business entity.

It is pretty easy to run into trouble with user accounts due to privacy regulations like Europe's GDPR. This stuff is definitely not fun in a side project.
The EU is definitely one of the more difficult, less free places for building online. I haven't heard of them coming down on small side projects, though. It would be crazy, given the goals of fostering more of an entrepreneurial tech scene, but I guess it's possible.

Even in China, which is definitely hard mode for established businesses, many hobby projects stay informal and aren't really cracked down on. My first tech job was at a startup in Beijing 11 years ago and we went through some serious hassle to get an ICP and initially just targeted the foreign market due to the lower compliance overhead. That said, none of my personal sites or games were ever blocked, as far as I know of. I knew some friends that built apps on WeChat and got fairly far before formalizing.

For a small project, I would simply ignore the GDPR. The likelihood of getting fined for a tiny project is too small vs. killing it by overcomplicating it.
Where I can, I'll sidestep GDPR (and CCPA and Australian Privacy Act and whatever) problems by explicitly avoiding collecting data that might fall foul of that.

Make "user accounts" effectively anonymous. Don't collect email addresses or phone numbers or names. Just use cookies with GUIDs or autogenerated username like the default Reddit ones (without allowing people to put their own name or other PII in). Maybe let the user keep refreshing until they get a random username they don't hate, but it'll end up being something like "Abrasive-teapot-86" and never $walletName or $emailAddress. If you need to let people move accounts between devices/browsers, let them grab their GUID and call it "secret account key" and tell them never to share it. Also let them know there's no such thing as "resetting their password" and to store that secret account key if they want to be able to recover a "lost" account.

You can't _always_ get away with that. But if you can, it saves a lot of headaches.
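The scheme described in the comment above, as an added example that is not part of the thread or any commenter's code. The word lists are constructed, `AnonymousAccounts` and its methods are hypothetical names, a 256-bit random token stands in for the GUID, and storing only a digest of the key is this example's own choice:

```python
import hashlib
import secrets

# Constructed word lists (assumption); a real deployment would use much larger ones.
ADJECTIVES = ["abrasive", "quiet", "amber", "rapid", "mellow", "brisk"]
NOUNS = ["teapot", "lantern", "otter", "compass", "walnut", "ferry"]


def random_username():
    """Server-chosen display name; the user never types it, so it carries no PII."""
    adjective = secrets.choice(ADJECTIVES).capitalize()
    return f"{adjective}-{secrets.choice(NOUNS)}-{secrets.randbelow(100):02d}"


def key_digest(secret_key):
    # The key is 256 bits of CSPRNG output, so a single SHA-256 is sufficient;
    # slow password hashes exist to protect low-entropy, human-chosen passwords.
    return hashlib.sha256(secret_key.encode("utf-8")).hexdigest()


class AnonymousAccounts:
    """In-memory stand-in for a table keyed by the digest of the secret account key."""

    def __init__(self):
        self._by_digest = {}

    def create(self):
        secret_key = secrets.token_urlsafe(32)  # shown to the user once, never stored
        account = {"username": random_username(), "data": {}}
        self._by_digest[key_digest(secret_key)] = account
        return account["username"], secret_key

    def login(self, secret_key):
        """Return the account for a presented key, or None. There is no reset path."""
        return self._by_digest.get(key_digest(secret_key))

    def reroll_username(self, secret_key):
        """Let the user refresh until they get a name they don't hate."""
        account = self.login(secret_key)
        if account is None:
            return None
        # Usernames are display-only and may collide; the key digest is the identifier.
        account["username"] = random_username()
        return account["username"]
```

Because the server keeps only the digest, a leaked table does not hand out working account keys, and a lost key cannot be recovered by anyone, which is the trade-off the comment describes.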

Oh my god, I just want to say thank you for shot scraper. I've moved over to Playwright, and one of the things I was doing with the old testing system was using it for the documentation.

Now I can do that with Playwright! - Thank you so much.

This. Here is a great post on it from a fellow indie-hacker: https://casparwre.de/blog/launching-a-product-without-a-logi...

He built https://keepthescore.co/ precisely with this in mind.

Hear, hear. My last side project was meant to be a library, but people liked the demo I built for it so much they kept pressuring me to start a hosted service. In another age, I would have been ecstatic. But nowadays, I love my job. I have a family to take care of. I don't need--as you said--a part time job. I just want to make things that are fun for me.
Your Niche Museum site is wonderful!! Definitely shows how a small side project can still have good value. Niche, yes, but niche-value!
You also have the added security and legal responsibilities, and you are likely not getting remunerated in a way that will let you protect yourself.

One of my projects was a "squarespace" style page builder. Right away, there were nefarious users. The block editor meant that bots weren't really an issue, they couldn't figure out how to use it, but turns out humans aren't that great either. My country doesn't have safe harbor laws, so I took it offline.

Thinking now, I could put that builder back into service and just have it spit out an HTML/CSS bundle for people to self host.

That's really interesting! Could you say more about the job-like aspects of having users? Do you have advice on infrastructure that could be built to make the job easier?

I'm currently working on my first-ever side project with user accounts, and now I'm wondering what I'm in for. :-)

For me it's about the moral responsibility. If people are trusting your site with their data, you have an obligation to keep it running, and to keep it secure. This is a big responsibility! Especially since over the long-term the vast majority of projects eventually cease to exist.
In addition to user PII responsibilities, you may also be responsible for user generated content depending on where you live. Both real users and bots will inevitably submit nefarious material on your servers.
Not OP but if you have user accounts you suddenly have legal responsibilities (in Europe) to follow GDPR rules etc…
The easy solution there is to just ban European users if it's just a hobby project and you're concerned about that. Probably not the solution that GDPR would prefer.
And if your users are Europeans?
That's not as easy a solution as it appears - the GDPR isn't the only piece of personal data legislation in the world. If your strategy is to keep track of all the places that place responsibilities on you for collecting personal data and reject users from those locations, then you need to be looking at every state in the USA (Californian citizens have a constitutional right to privacy), and many countries across the world have various data protection laws.
Oh, it’s a great tip. As many of us, I’ve started a lot of projects, invested in creating auth processes, to suddenly get bored from the project and abandon it. Result: 0 users. 1 failure.
>you'll get users who you have to take responsibility for

Why's that? Can't you just provide the service as-is? I have a project that has user accounts and when people ask me for features or support, I either don't respond or say that it's not my focus.

Well said! I also learnt user moderation hell the painful way, but for mobile projects, if it's very necessary, there's a possibility of using anonymous logins with Firebase or Amazon AppSync as well.
Or just stay small to have manageable user base.

I have created https://kyselo.eu/ which is social network for refugees of now-defunct Soup.io.

cool project because it encourages you to get out and do things, and maybe things you didn't know much about before!
how do you limit bad actors? How do you do rate limit per user?
nice tips, Thanks.