How do you secure your vbulletin, and what do you name your admin/modcp?


Mac Write
Sun 23rd Apr '06, 2:28am
I just got a new VPS (managed) and am on a rampage to make it ultra secure. How can I make vbulletin as secure as possible? I run on cPanel/WHM BTW. These are the steps I am going to take.

I want to move admincp, modcp, and even install (if possible) to a different site on the server (can access the same MySQL, but impossible to access via forum domain).
Only allow XX IP to those directories (or that entire domain)
Finally require a login/password for those directory/domain.

How easy is it to have the admincp/modcp/install live in a different domain (/home/adminsite instead of /home/forums)?

What do you guys name your admin/modcp? I can't think of what I should name them. :D

Floris
Sun 23rd Apr '06, 2:57am
To quote myself (http://www.vbulletin-fans.com/showthread.php?t=17799)

Installed vBulletin? Upgraded vBulletin? Running vBulletin?

Here are a few tips to keep that install clean :)

You can remove the install/ directory

You can check to see if your includes/ directory has a config.php.new (if so, remove it!). Make sure you keep the required config.php file.

Have any old styles you no longer use? Check their images/ directory and perhaps it is time to remove those obsolete image files.

Go to the Admin Control Panel and then maintenance and click on the diagnostics, from there you can run file diagnostics to see if any old renamed files from vBulletin are lying around. You can remove those if they're not from the same version. Note: If they report they're not the same version make sure you replace it with the files from the current version, maybe your FTP upload went bad.

If you have impex installed you can uninstall that too again

Of course, always backup before you make any changes, just in case you delete the wrong files! We don't want that.

And finally: Upgrade to the latest stable release, currently 3.5.4, it fixes bugs, security issues and helps you get the best priority support :)

Good luck, let me know if you also have any tips

You could name your admincp / modcp:

mystaff / mymods
forumstaff / staff
staff / moderators
backend / modsend
private / staff
adminz / modz
control / panel

There are simple things you can use that make it clear what it is but harder to guess.

htaccess those dirs will help a lot :)

Adding the admins as undeletable users in the config.php helps.

Mac Write
Sun 23rd Apr '06, 3:11am
Thanks Floris. How about having the Admin/modcp's on a different domain for even further security? Is that possible?

IDN
Sun 23rd Apr '06, 3:19am
Wouldn't telling you how we secure it and our directories kind of make it less secure? ;)

Mac Write
Sun 23rd Apr '06, 3:49am
If people don't tell how to secure something then everything wouldn't be secure. :D

IDN
Sun 23rd Apr '06, 6:18am
.htaccess passworded
.htaccess IP Deny anyone not on my network
Admin/Mod Folders renamed
Admincp/Modcp still there with a false script that logs people trying to connect.

ManagerJosh
Sun 23rd Apr '06, 6:25am
If I told you, it wouldn't be secure now would it :p

Ogden2k
Sun 23rd Apr '06, 2:19pm
I do not restrict IPs to a certain range as I use many different computers with different public IP ranges.

I have renamed the default folder names though. That's all I do. If someone wants to hack my site, go ahead - I backup daily. If this were for my business, then I would implement much more stringent security methods.

Creepshow
Sun 23rd Apr '06, 2:21pm
Wouldn't telling you how we secure it and our directories kind of make it less secure? ;)

Exactly, people should keep how they secure their forums to themselves.

daemon
Sun 23rd Apr '06, 2:36pm
.htaccess passworded
.htaccess IP Deny anyone not on my network
Admin/Mod Folders renamed
Admincp/Modcp still there with a false script that logs people trying to connect.

When I was running my forum, this is how I did it (except renaming the directories). I didn't see the need to because if the IPs didn't validate, it showed a 404 error.

wurkanimal
Sun 23rd Apr '06, 9:17pm
Exactly, people should keep how they secure their forums to themselves.

Yep. You'll have to pay me to tell you how secure mine is. :D

Zachery
Mon 24th Apr '06, 7:20am
I have a secure password, and different admincp/modcp directories. That's about it. :p

TheMusicMan
Mon 24th Apr '06, 7:30am
.htaccess passworded
.htaccess IP Deny anyone not on my network
Admin/Mod Folders renamed
Admincp/Modcp still there with a false script that logs people trying to connect.

Hi IDN: How do you do this? Am interested in finding out a little more about doing that.
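
The password plus IP restriction that several posters describe for the admin/mod directories, written out as an .htaccess file. This is an added example, not from any poster in the thread; the directory name, the address range (a documentation range) and the password-file path are assumptions.

```apache
# .htaccess placed inside the renamed admin directory, e.g. /forum/backend/
# (directory name is an assumption). Apache 2.4 syntax; the server config
# must allow "AllowOverride AuthConfig" for this directory.

AuthType Basic
AuthName "Restricted"

# Password file kept outside the web root so it cannot be fetched over HTTP
# (path is an assumption). Create it with:
#   htpasswd -c /home/forums/.htpasswd-admin adminuser
AuthUserFile /home/forums/.htpasswd-admin

# Both conditions must hold: a listed source address AND a valid login.
# Requests from any other address get 403 before a password prompt appears.
<RequireAll>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>

# Basic auth sends the password base64-encoded, not encrypted,
# so serve this directory over HTTPS only.

# Equivalent for Apache 2.2 and earlier (needs AllowOverride AuthConfig Limit):
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.0/24
#   Require valid-user
#   Satisfy All
```

The same file, copied into the renamed modcp directory, covers moderators; give them a separate password file if they should not share admin credentials.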