How To Make My Forums More Secure

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    How To Make My Forums More Secure

    Here's some things you can do to increase the level of security for your forums:
    1. Always upgrade to the latest stable version.
    2. Do not install any unofficial hacks or plugins as they are not written or reviewed by our developers.
    3. Password protect your Administrator and Moderator Control Panels directories as well as the install and includes directories using .htaccess/.htpassword http://www.javascriptkit.com/howto/htaccess3.shtml
    4. Make sure the tools.php (vB3) file is NOWHERE on your website.
    5. Remove the ImpEx files if you had used this import system.
    6. If you have phpMyAdmin make sure it's password protected.
    7. If you suspect a hacking attempt, ask your host to change the login password for your web account.
    8. Make sure all the Admin and Mod passwords are secure. Change them if you have any doubts. And use hard to guess passwords.
    9. NEVER allow HTML in posts, PMs or in sigs.
    10. Make absolutely sure there are no viruses, trojans or keylogger spyware on your PC. Any of these could steal your password and other personal info.
    11. Do NOT upload the directory called do_not_upload/
    12. Use a different password for each forum you sign up with. Use a different password for your forum as you do for the .htaccess directory password.
    13. Update the config.php file and set yourself as undeletable user so they can't touch your admin account.
    14. Do Not Upload config.php.new when upgrading your forums.


    Note your forums are only as secure as the passwords you use and the server it is on. If the server is accessed then there's nothing vB can do to prevent potential security violations.
    Last edited by Colin F; Wed 9 Jul '08, 6:57am.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73927

    #2
    If you are on a shared hosting server, make sure all your vBulletin PHP files are chmod 644

    Code:
    cd [I]/path/to/your/vbulletin[/I]
    chmod -R 644 *.php
    This will protect your files if another account on the server is compromised.

    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment

    • Colin F
      Senior Member
      • May 2004
      • 17689

      #3
      If you imported data from another software using ImpEx, make sure to remove the /impex/ folder when you're done.
      Best Regards
      Colin Frei

      Please don't contact me per PM.

      Comment

      • Basscat
        Member
        • Jan 2005
        • 70
        • 3.8.x

        #4
        Renaming Admincp and Modcp Folders For Additional Security

        Every hacker knows the default paths to the vbulletin admincp and modcp control panels. www.yoursite.com/forum/admincp or www.yoursite.com/forum/modcp By knowing these paths, hackers by pass going through the forums first before attempting to hack into your admincp or modcp.

        If you rename the admincp and modcp folders, they will have to hack your log in for the forums first before they are able to find these folders. You can rename these folders anything you like. Here are a couple of examples: www.yoursite.com/forum/firstcp and www.yoursite.com/forum/secondcp

        Rename these two folders on your ftp site and change your config.php file to match the names of the new folders.

        If you rename your admincp and modcp folders, you MUST change the names of the these in the config.php file to match what you renamed them.

        Tip: If you are upgrading your forums make sure you don't forget to rename the directories again!

        Comment

        • Jinovich
          Senior Member
          • Feb 2005
          • 232
          • 3.5.x

          #5
          how to secure your forums

          If you have and the other admins have a unique IP address you can edit the .htaccess file in your admincp directory with.

          order allow,deny allow from <your IP>
          allow from <admin2's IP>
          deny from all

          This way the directory should not load for anyone whose IP doesnt match this list.

          Comment

          • Floris
            Senior Member
            • Dec 2001
            • 37767

            #6
            Always upgrade to the latest stable version.

            If there are any known bugs or security issues in older versions than the latest stable and recommended release you run the risk of being exploited. The latest release that we recommend to install and mention as stable is the release with all these bugs and security issues fixed.

            It is recommended to keep an eye on your admin control panel as we will announce in the top if there's a new version out. Or check out our announcement forums for any release- or security announcements.

            Link > vBulletin Announcements

            Link > Manual on Upgrading vBulletin

            Once upgraded walk through the security advisories in this thread again to make sure you are still secure.

            Tip: Even if your owned license has expired you can still download the security patches for free from our security center.

            Tip: If you are upgrading your forums we always recommend to make a backup of the MySQL database. Please do so, but don't store it inside your public_html/ directory for the whole world to download it. Move it outside the public directory or download it to your hard drive (offline).

            Comment

            • Floris
              Senior Member
              • Dec 2001
              • 37767

              #7
              Think twice before giving members a staff position

              Pick your staff members wisely. You give them access to more commands which allows them to harm your site.

              Once they are a moderator they can ruin the mood on your site, they can mass delete posts if they have the permission and they can edit the posts of existing members. Super moderators can do this in every forum.

              Super Moderators and Moderators have access to the modcp/ directory, but not the admincp/ directory.

              If you give someone Administrator access on your forum you basically give them full access to your site (except for FTP). They can download your database or delete forums and usergroups, delete threads and posts or change settings, etc. So check your admin permissions on a per admin user. And think twice before you give someone admin access to your forum.

              Link > Administrator Permissions

              Tip: I don't recommend to give other admins access to the phpmyadmin or ftp or control panel of your site, and especially not to the members area on vbulletin.com (Because giving someone else access to your members area means they can take over your vbulletin account; Also note that the vbulletin staff will never ask you for your customer password in full)

              Tip: For added security check the control panel log history and set up password history so important usergroups are more secure by having to change their password once in a while. And request them to use a hard to guess password.

              Comment

              • Andy Huang
                Senior Member
                • Feb 2004
                • 4602

                #8
                Addition to staff permissions on the &quot;How To Make My Forums More Secure&quot; Thread

                Do not give anyone plugin / product management access. Giving people access to code plugins on your live production system is like asking to be hacked because they can interupt any standard vBulletin process.
                Best Regards,
                Andy Huang

                Comment

                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                Working...