Administrating MyBB - good practices - Printable Version
+- MyBB Community Forums (http://community.mybb.com)
+-- Forum: Resources (/forum-8.html)
+--- Forum: Tutorials (/forum-38.html)
+--- Thread: Administrating MyBB - good practices (/thread-9991.html)
Administrating MyBB - good practices - Peter - 06-23-2006 01:16 PM
While the flow of MyBB exploits has gotten significantly smaller late, there are still boards that are vulnerable to the latest exploits. Even though we provide patches for every exploit, new exploits are still being found. To counter the misuse of MyBB vulnerabilities, the MyBB group encourages all MyBB users to change the URL of the admin control panel. By default, this is /admin, but with some small and easy adjustments, this directory can be changed to a different directory, which is very hard for hackers to find and therefore gain access to.
Change the admin control panel directory
There are a few steps that you will need to take before the directory is successfully changed. To follow these instructions, you will need a text editor and an FTP client (such as SmartFTP).
Using an FTP client, download [mybbroot]/inc/config.php from your server, whereby [mybbroot] is the folder you have installed MyBB in. Then, open that file using any text editor (Notepad will do just fine if you do not have a professional code editor installed).
In the file you just opened, look for the following code:
Then, replace it with this:
Whereby you do not enter "newdir", but a custom directory of your own. Try to make the new directory name include both letters and numbers (for example "no629" is a great name), for maximum safety. Now, save the file.
Using your FTP client, upload the file to the location where it came from ([mybbroot]/inc/). Make sure to choose "overwrite", so the old file gets overwritten with the new configuration. When that is done, MyBB will have automatically changed all links to the admin panel for you, but it has not changed the actual directory yet.
Still in your FTP client, change the directory of the "admin" folder to the name you just specified in the file. Depending on your FTP client, you can either right-click the directory and select "change name" or do this via the client menu.
Once you have completed all previous steps, go to your MyBB installation. Click the "admin panel" link on the main page and see if it still loads correctly. If it does, you have successfully changed your admin panel directory. You can check this by looking in the address bar of the browser, where the new directory will be displayed.
Upgrade to latest MyBB version
If you have not yet upgraded all of your boards to the latest MyBB version, please do so as soon as possible. You can always obtain the latest MyBB version from the MyBB website. You are encouraged to watch the MyBB community board for announcements about patches and new version as well. Full patching instructions will be provided in announcements.
Remove the version number from the ACP
Some hackers search the internet for MyBB boards of a specific version number. If you remove the version number from the ACP, your board is less likely to be found by a hacker. This does not, however, make your board immune to hacking! To switch off the version number in the ACP, log in to the ACP, go to Board Settings -> Change -> General Configuration. Set "Show Version Numbers" to "Off" and the version number will no longer be displayed.
Reminder: back-up your database regularly
In the unlucky case that a hacker does find a way to exploit your MyBB and removes and/or changes valuable data, it is best to have a database back-up ready, to restore as many of the board's threads, posts and other data as you can.
Minor edit from MattR.
RE: Administrating MyBB - good practices - DrPoodle - 06-23-2006 02:14 PM
Done, done, and done!
I always make backups at least once every 2 days, and I upgrade to the latest version of MyBB as soon as it comes out, but I haven't changed my Admin directory till now...
Thanks for this Peter, very informative!
RE: Administrating MyBB - good practices - destroyer - 06-23-2006 02:49 PM
I changed it a few days ago.
RE: Administrating MyBB - good practices - Protoman - 06-23-2006 03:07 PM
Thanks for the info, though I do a lot of these already!
But it is a good guide for newbies.
RE: Administrating MyBB - good practices - Justin S. - 06-26-2006 03:58 PM
Another good hint would be to disable the display of your MyBB version number. If you do this, it prevents hackers from attacking your forum because of a vulnerability in a previous version. To do this, go to Board Settings -> Change -> General Configuration in your Admin CP. Set "Show Version Numbers" to Off.
RE: Administrating MyBB - good practices - Martin M. - 06-26-2006 04:47 PM
If you really wanna be sure that people cannot see the current version number.
go to admin/adminfunctions.php
errr, wrong name of file
RE: Administrating MyBB - good practices - Galen - 06-26-2006 06:03 PM
I've said it before and I'll say it again. Take a screen cap of your board's copyright. Open the screen cap and crop it down so that it's just a pic of the copyright. Now, replace the default text copyright with that image. This prevents script kiddies from finding your site by googling "Powered by MyBB" but it still leaves the copyright in tact for all to see.
I should note that I have not gotten an official answer on whether or not it's "Ok" to do this. I would think so, though, and unless Chris or someone else with MyBB Group specifically says "don't do that" then I'm going to keep doing it and I recommend that the rest of you do it as well.
RE: Administrating MyBB - good practices - Dale Hay - 06-27-2006 12:42 AM
I used to backup by a cron job script. Used to be wonderful... don't have it anymore though.
RE: Administrating MyBB - good practices - Galen - 06-27-2006 07:33 AM
Another good idea is to never use the default database prefix (mybb_). The scripts used by script kiddies to make database changes assume that the default prefix is in use.
RE: Administrating MyBB - good practices - Ryan Ashbrook - 06-27-2006 08:27 AM
Galen Wrote:I've said it before and I'll say it again. Take a screen cap of your board's copyright. Open the screen cap and crop it down so that it's just a pic of the copyright. Now, replace the default text copyright with that image. This prevents script kiddies from finding your site by googling "Powered by MyBB" but it still leaves the copyright in tact for all to see.
If we haven't said anything by now, then I'm pretty sure it's ok.