Securing your vBulletin Installation

This topic is closed.
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73981

    [Tutorial] Securing your vBulletin Installation

    After installing your software, you will want to secure it and restrict access to both the AdminCP and ModCP directories. In the past, you would need to rely on the web server or obfuscation to do this. vBulletin 5 has modern security methods built in.

    Multi-Factor Authentication (Recommended)


    You can require Multi-Factor Authentication for Administrator and Moderator accounts. Multi-Factor Authentication works with a third-party app (e.g. Google Authenticator) that provides a one-time use passcode based on a unique key provided during setup. This passcode will be requested before they can access any functionality that needs heightened security. In order to turn this on, you need to edit the /core/includes/config.php file.

    First, we need to enable MFA.
    Find this code:
    Code:
    //$config['Security']['mfa_enabled'] = true;
    Change it to this:
    Code:
    $config['Security']['mfa_enabled'] = true;
    Second, we need to force this option.
    Find this code:
    Code:
    //$config['Security']['mfa_force_cp'] = false;
    Change it to this:
    Code:
    $config['Security']['mfa_force_cp'] = true;
    Note: You can leave the option to Force MFA off but this will make your site less secure if some staff members do not opt-in.


    Configuring the Users.
    After the user logs in, they will need to visit their User Settings page and select the new Two-Factor Authentication tab on that page. Here, they will be asked for their password. After they enter their password, they will be provided with a QR Code that contains their key. Using their phone, they can scan this code into their chosen Authentication App to set up your site. Scan the code in additional devices to set up more than one. Also provided is a text representation of the code in case they want it for backup or they need to set up additional devices later.

    Once they have set up their devices, they can accept the code and this feature will be enabled on their account.

    IP Restriction


    In addition to Multi-Factor Authentication, you can restrict access to the AdminCP and ModCP by IP Address. This is more restrictive because you will need to edit the config.php file every time an IP Address changes. It is also easier to spoof since attackers can masquerade as your IP Address. To enable this, look for the following lines in the /core/includes/config.php file:
    Code:
    $config['Security']['AdminIP'] = '';
    
    $config['Security']['ModIP'] = '';
    You will place the IPv4 addresses that you want to allow between the single quotes ('') to the right of the equal (=) sign. You can list multiple IP addresses separated by a comma (,).

    Deleting the AdminCP Directory (Not applicable from vB5.5.6 onwards).


    In the root of your vBulletin installation there is an admincp sub-directory. You can delete this directory for a cleaner installation. In current installations, this sub-directory is empty by default, so you will not lose any functionality. It is simply there for backwards compatibility and redirection. If you delete this sub-directory, you will also need to edit your .htaccess or web.config file.

    In .htaccess find:
    Code:
        # Because admincp is an actual directory.
        RewriteRule ^(admincp/)$ index.php?routestring=$1 [L,QSA]
    Change it to:
    Code:
        # Because admincp is an actual directory.
        # RewriteRule ^(admincp/)$ index.php?routestring=$1 [L,QSA]
    In web.config find:
    Code:
    <rule name="Admincp" stopProcessing="true">
        <match url="^(admincp/)$" ignoreCase="false" />
        <action type="Rewrite" url="index.php?routestring={R:1}" />
    </rule>
    Change it to:
    Code:
    <!-- <rule name="Admincp" stopProcessing="true">
        <match url="^(admincp/)$" ignoreCase="false" />
        <action type="Rewrite" url="index.php?routestring={R:1}" />
    </rule> -->
    Last edited by Trevor Hannant; Wed 15 Jan '20, 9:50am.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API
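
A way to check the config.php settings from the tutorial above after editing, as an added example that is not part of the original post or of vBulletin itself. It assumes each setting sits on a single line in the form shown in the tutorial and that AdminIP/ModIP hold plain IPv4 addresses; the function names and the sample file content are constructed for illustration.

```python
import ipaddress
import re

# Active (uncommented) line of the form: $config['Security']['key'] = value;
ASSIGN = re.compile(r"^\s*\$config\['Security'\]\['(\w+)'\]\s*=\s*(.*?)\s*;")

# Constructed sample, not taken from a real site: MFA is enabled, the
# force option is still commented out, and AdminIP contains a typo.
SAMPLE = """\
$config['Security']['mfa_enabled'] = true;
//$config['Security']['mfa_force_cp'] = false;
$config['Security']['AdminIP'] = '203.0.113.10, 203.0.113.300';
$config['Security']['ModIP'] = '';
"""

def parse_security(config_text):
    """Return active $config['Security'] settings; commented-out lines are skipped."""
    settings = {}
    for line in config_text.splitlines():
        m = ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings

def audit(config_text):
    """List deviations from the tutorial's recommended settings."""
    s = parse_security(config_text)
    findings = []
    for key in ("mfa_enabled", "mfa_force_cp"):
        if s.get(key, "").lower() != "true":
            findings.append(f"{key} is not active and true")
    for key in ("AdminIP", "ModIP"):
        # Assumption: entries are plain IPv4 addresses separated by commas.
        for entry in (e.strip() for e in s.get(key, "").split(",")):
            if not entry:
                continue
            try:
                ipaddress.IPv4Address(entry)
            except ValueError:
                findings.append(f"{key}: '{entry}' is not a valid IPv4 address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```

To check a real installation, pass the text of /core/includes/config.php to audit() instead of SAMPLE.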
