MyBB Community Forums

Full Version: Everyone mentions it but .....
Well, reading a lot of the topics in support and stuff about protection against hackers and such, the main advice is to .htaccess your admin folder. I was wondering if anyone could tell me what this is/means and how to do it. Thanks in advance Big Grin.
Actually, hackers do not usually look for the most obvious of places to get in. That would just be too obvious.

Referring to an older exploit in the phpBB 2 series, I can tell you this. One major hole which people complained about for at least 5 or 6 releases was one dealing with avatars. As you know, many forums allow you to just have people upload their own avatars to the server, while others force you to use avatars on remote sites. For the longest time people using phpBB were forced to use the latter method due to a security hole in the avatar uploading script. The problem with their script was that, outdated as it was, it was never smart enough to check the file extension of the file being uploaded. As a result, this is what happened. As you may know, upload folders in many scripts usually have global permissions of 777, meaning anyone can do anything to the files without restriction. So they were uploading harmful files using the avatar script and running them after they were uploaded, which basically gave them access to the server.

So as you can see, they could have hacked the administration area without even having access to it because of their scripts. My point is that putting the admin folder behind a password is a good idea, but it wouldn't necessarily prevent a hacker from running the admin controls if there is an exploit elsewhere. Personally speaking, a security issue that could be addressed is a timed cookie in the administration area so that admins are not always automatically logged in. There are other things that could be done as well, but this is just an example.

My point with all this is that being smart about what permissions you give out is the key. My rule of thumb is to:

1. NEVER give any access other than view to Guests
2. NEVER allow users to upload anything other than image files (this includes not allowing Flash, unless you trust these users, in which case they should have their own usergroup)
3. Always create backups - should anything ever go wrong you will be glad you had these
4. Always keep your software updated. This may sound like the stupidest thing in the world, but I guarantee you there are too many who don't do this already. Sometimes it's with software for a website, or even Windows or even an anti-virus/firewall program. The people who develop these products don't release updates just because they like to show us those kindergarten math skills, they are usually releasing updates for a reason. If they didn't develop updates they could just as easily develop a product and leave forever.
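As an added illustration of rule 2 and of the avatar hole described in the reply above (this is example code, not from the thread, MyBB or phpBB): an upload handler that checks the extension and the actual image content, names the file itself and never leaves it executable. The directory path, size limit and function name are assumptions.

```php
<?php
// Added example, not from the thread or from MyBB/phpBB. Assumes a normal
// $_FILES entry and an avatar directory that is writable but NOT mode 777.
const AVATAR_DIR      = __DIR__ . '/uploads/avatars'; // assumed path
const MAX_AVATAR_SIZE = 100 * 1024;                   // assumed 100 KiB limit

// Allowed extensions mapped to the IMAGETYPE_* value getimagesize() must report.
const ALLOWED_TYPES = [
    'gif' => IMAGETYPE_GIF,
    'jpg' => IMAGETYPE_JPEG,
    'png' => IMAGETYPE_PNG,
];

/**
 * Validate an uploaded avatar and move it into place under a server-chosen
 * name. Returns the stored filename; throws on any failed check.
 */
function store_avatar(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_AVATAR_SIZE) {
        throw new RuntimeException('avatar too large');
    }
    // 1. Extension check: only the LAST extension of the client-supplied
    //    name counts, lower-cased, and it must be on the allow list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Content check: the bytes must decode as the image type the
    //    extension claims. The client-sent MIME type is ignored entirely.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('file is not a ' . $ext . ' image');
    }
    // 3. Never reuse the client's filename: generate one server-side.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = AVATAR_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store avatar');
    }
    // 4. Readable by the web server, never executable (contrast with 777).
    chmod($dest, 0644);
    return $name;
}
```

A file that passes getimagesize() can still contain script text in its metadata, so the avatar directory should also be one the web server never executes scripts from, which is the other half of the permissions point made above.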