Getting Started
This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide to site or vBulletin security. It is, however, a great place to get started.
General Guidelines
The first step in making sure that your site stays safe and secure is choosing good, strong passwords for everything that would allow someone to gain access to your site. These include account information for: AdminCP, FTP/SSH, MySQL, etc.
As an example: people using cPanel to manage their website should never use their cPanel login info to manage their vBulletin database. The vBulletin configuration file stores the database login, so if someone were able to access that file, they would then have FTP/cPanel access to your site.
If you're not sure how to create and manage good passwords, we would recommend looking into something like KeePass (http://keepass.info/).
Each sensitive part of your site should have its own username and password, to limit the scope of damage as much as possible.
If available, you should always use SSH/SFTP instead of regular FTP, so that your cPanel info is not sent over the internet in clear text.
Protecting Sensitive Areas
Whether you've just finished installing vBulletin or you've been running it for years, you should be restricting access to any potentially sensitive areas. This includes general access to the AdminCP and ModCP folders, as well as your install directory.
In general, your install directory shouldn't remain on the webserver. If for some reason you need to keep it there, make sure the area is IP address or username/password protected with an htaccess file or NT Auth authorization. Many webhosts will have ways to enable Directory Protection from within their own control panels. If they do not, most webhosts will be happy to help you create these protections, since it increases their own server security.
Your password protection for each directory should be unique and not shared with anything else you use for the site server. Both a custom username and password should be used.
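A sketch of the htaccess protection described above, added here as an example and not taken from vBulletin's own documentation. It assumes Apache 2.4 with .htaccess auth overrides enabled by the host; the account name, file path and IP address are placeholders. It requires both a known address and a login, which is stricter than the either/or described above; drop one Require line to use only the other.

```apache
# .htaccess placed inside the AdminCP folder.
# Repeat in ModCP (and in the install directory, if it must stay on the
# server) with a DIFFERENT password file and account for each folder.

# The password file lives outside the web root so it cannot be downloaded.
# Create it once from a shell (placeholder path and user name):
#   htpasswd -B -c /home/EXAMPLEUSER/.htpasswd-admincp acp_operator
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/EXAMPLEUSER/.htpasswd-admincp

# Basic auth sends the password with every request, so serve this
# folder over HTTPS only.

# Require BOTH a known source address and a valid login.
<RequireAll>
    # Placeholder address from the documentation range; use your own.
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>
```

After uploading the file, request the folder from a different network and without credentials to confirm the server answers 403 or 401 rather than showing the login page.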
Keeping the software up to date
The biggest thing you can do after protecting sensitive areas is to make sure you're always running the latest version of the software. You should always be on the latest stable version for your product line, be it vBulletin 3.8.x, vBulletin 4.2.x, or vBulletin 5.0.x (at the time of writing). Running the latest stable version is always recommended, and will generally be the least likely to be exploited.
Third-party addons
There are a lot of great third-party addons and modifications for vBulletin. However, before installing them, you should review the code if you can to make sure nothing looks fishy. If you're unable to, make sure you read through the author's previous work and history to make sure that if they've had security issues, they're quick to patch them. You should always run the third-party addon's latest release to ensure that your site is safe.
Help, I've been hacked
If you've already been exploited, we would suggest taking a look at this guide on helping to clean up your site.
Best practices for securing your vBulletin site.
Last edited by Zachery; Mon 9 Sep '13, 12:06pm.
#1 HighDefSeeds commented Tue 21 Jan '14, 2:35pm
good security basics... cheers!
#2 Princeton commented Fri 31 Jan '14, 6:54am
two-factor authentication option like https://www.duosecurity.com/ would be a great feature
#3 Brad Padgett commented Wed 23 Jul '14, 10:44pm
Great work. This article is something to be proud of.