I'm considering using either IPB or vBulletin for my forum but recently I have seen a couple of IPB forums hacked. Since vB is by far the most popular forum software I imagine it also attracts the most hackers, in the same way Microsoft Windows does. Do vBulletin forums get hacked very often ? What's the response time for fixes when vulnerabilities are discovered ? If I end up using vB, what steps do I need to take to minimize the chances my board can be hacked ?

I'm considering using either IPB or vBulletin for my forum but recently I have seen a couple of IPB forums hacked. Since vB is by far the most popular forum software I imagine it also attracts the most hackers, in the same way Microsoft Windows does. Do vBulletin forums get hacked very often ? What's the response time for fixes when vulnerabilities are discovered ? If I end up using vB, what steps do I need to take to minimize the chances my board can be hacked ?
Any site can get hacked.

It doesn't necessarily mean the hole was in the vBulletin or IPB or whatever. A badly configured server can let people in. Poor use of passwords can let people in (you'd be surpised how many admins set their password to simply "admin" for example.)

Modifying the code (eg plugins) can obviously add security vulnerabilities, depending on how secure the modified code is.

There are no known security issues with a stock installation of vBulletin. If any are discovered, patches are issued almost immediately.

So if you run a stock vB on a well managed and configured server, and use sensible passwords, you are extremely unlikely to run into any trouble.

We take security very seriously and do the best we can to ensure that vBulletin has no security holes. And when we become aware of a security issue we generally provide patches and updates within 24 hours of confirming a problem.

Unfortunately security issues are a fact of life with online software. While we work hard to avoid and eliminate security issues, we cannot guarantee that our software is completely free from bugs or security issues.

However as our record shows, we aggressively track and fix any security issues as soon as they become known to us.

Thanks for the info. I have been very impressed with the speed of response to my queries, and coupled with the fact that IPB only seems to have 1 developer compared to vB's multiple developers, I think my money will be heading vB's way.

Just came across the following link which has certainly made me wary of using 3rd party plugins.

http://www.vbulletin.com/forum/showthread.php?t=198902

That's nice to read :)

Generally, not all plugins are bad, but being critical when choosing plugins does help. There are also various tips here on further securing your forum: http://www.vbulletin.com/forum/showthread.php?t=194701

FlashChat was a case of not using best practices (in my opinion). In the bridges folder, they had about 2 dozen files, of which only 3 are required for vBulletin. If you only uploaded the vB-specific ones, you were never vulnerable.

Flashchat also was a bit different. It wasn't a case of plug in code being insecure, it was a completely unrelated third party product.

Most plugins simply involve additional php code, if you pick a well used, established plugin then it is most commonly quite secure, since it will have been picked over by many other coders who would alert someone to any issues.

vbulletin.org staff will act quickly in the event of any security issues with plugins.