MyBB Community Forums

Full Version: Secure Your Forums (Full Tutorial)
Hello All Mybb Users,

I Am Actually Using Mybb

First Of All I Will Tell You Some Steps To Secure Your Forums

1.Make Sure That Your /inc/ Folder Is Secured With Extra Username & Password With Htaccess

2.Change Your Admin Directory Path & Secure With Htaccess With Extras User And Pass Also

Go To Inc Folder Then ----------> Config.php
Edit It You Will Find

$config['admin_dir'] = 'admin';
And You Can Change it For Example
$config['admin_dir'] = 'admin1';

Then Your Admincp Path Will Be
example.com/admin1

3.Disable Anonymous Ftp And Use Normal Ftp And Make Sure To Use Strong Password
Check your Cpanel And Make Sure That Your password is Strong

For Some People That Don't use Cpanel In Their VPS, Add Extra user & pass For PhpMyadmin By Using Htaccess & Make Sure That It has User And Pass By Default & Is Configured Properly
And Passwords Should Be Strong And not Like Each Other



4.Make Sure You Don't Use Announcement Plugins And Those Other Plugins For Sitemap And Others to keep your Forum Clean And Protected
Less Plugins = More Protection
Don't Use Tabs And Mytabs Plugins
Don't Use Google Seo Plugins



5.For Protecting Against Injections Use Php-Firewall

Get It From Here
http://www.php-firewall.info/

Upload Files And To Install Edit Global.php

And Add



// Pass the request URI to PHP-Firewall and switch it on
define('PHP_FIREWALL_REQUEST_URI', strip_tags( $_SERVER['REQUEST_URI'] ) );
define('PHP_FIREWALL_ACTIVATION', true );
// Only load the firewall if its files were uploaded to php-firewall/ next to global.php
if ( is_file( @dirname(__FILE__).'/php-firewall/firewall.php' ) )
    include_once( @dirname(__FILE__).'/php-firewall/firewall.php' );

If You Need Any Help Please Reply Down And I Will Help You
(2012-07-15, 11:28 AM)Marks-Mans Wrote: 1.Make Sure That Your /inc/ Folder Is Secured With Extra Username & Password With Htaccess

There's no need to add http basic auth when you can simply deny access to the directory completely. It never needs to be directly accessed.

http://www.mybbsecurity.net/topic-protec...-directory

(2012-07-15, 11:28 AM)Marks-Mans Wrote: 2.Change Your Admin Directory Path & Secure With Htaccess With Extras User And Pass Also

Go To Inc Folder Then ----------> Config.php
Edit It You Will Find

$config['admin_dir'] = 'admin';
And You Can Change it For Example
$config['admin_dir'] = 'admin1';

Then Your Admincp Path Will Be
example.com/admin1

Note you need to actually rename the admin directory to that value for it to work correctly.

(2012-07-15, 11:28 AM)Marks-Mans Wrote: 3.Disable Anonymous Ftp And Use Normal Ftp And Make Sure To Use Strong Password
Check your Cpanel And Make Sure That Your password is Strong

I'd advise you use SFTP if your host provides it as it's much more secure than FTP.

(2012-07-15, 11:28 AM)Marks-Mans Wrote: 4.Make Sure You Don't Use Announcement Plugins And Those Other Plugins For Sitemap And Others to keep your Forum Clean And Protected
Less Plugins = More Protection
Don't Use Tabs And Mytabs Plugins
Don't Use Google Seo Plugins

Any specific reason why? The Google SEO plugin and MyTabs are perfectly safe to use. The MyTabs plugin did have a vulnerability about a year ago but there are no issues with it now.
Actually My Tutorial Is Perfect As You See Plugins Is Door For Hackers To get Into Your Forum & Have Unauthorized Access

Inc Folder Must be Protected With Htaccess With Extra User & Pass
Because Many Hackers Can Get Unauthorized Access & Full Control
To Your Config By Bypassing Mybb Default Security
(2012-07-15, 11:56 AM)Marks-Mans Wrote: Actually My Tutorial Is Perfect As You See Plugins Is Door For Hackers To get Into Your Forum & Have Unauthorized Access

Not if they're secure. If plugins were that much of a threat, why would MyBB have the mods site?
(2012-07-15, 11:56 AM)Marks-Mans Wrote: Actually My Tutorial Is Perfect As You See Plugins Is Door For Hackers To get Into Your Forum & Have Unauthorized Access

Your tutorial is not perfect. Security is a process not a product. You have made some good points but it's far from perfect.

Plugins are not always a door for hackers. The software is just as big a risk as the plugins you use. It only takes one plugin to destroy your forum; it completely depends on how careful the developer was when developing it. Saying don't install x plugin because it may be a risk isn't useful because there might be a vulnerability within MyBB instead.

With any software you use you run the risk of exploitation. You might as well say don't use any software at all because it's potentially a risk.

(2012-07-15, 11:56 AM)Marks-Mans Wrote: Inc Folder Must be Protected With Htaccess With Extra User & Pass
Because Many Hackers Can Get Unauthorized Access & Full Control
To Your Config By Bypassing Mybb Default Security

As I stated above, simply blocking access to that directory at webserver level will suffice. There's no need for authentication as not even the administrator will need to access it.
Why So Many Capitalized Words In Your Posts? It Gets Very Annoying. Plus, you would probably type much faster if you didn't have to hit shift at the beginning of every word. I've never understood why people do that.
if you are going to spam your "tutorial" all over the forum here, at least be sure it is a good tutorial. Points 2 and 3 are good, but the rest is either unnecessary or just plain wrong.
(2012-07-15, 11:56 AM)Marks-Mans Wrote: Actually My Tutorial Is Perfect As You See Plugins Is Door For Hackers To get Into Your Forum & Have Unauthorized Access

Inc Folder Must be Protected With Htaccess With Extra User & Pass
Because Many Hackers Can Get Unauthorized Access & Full Control
To Your Config By Bypassing Mybb Default Security

So much to learn. :')
and if you are going to password protect any folder with htaccess/htpasswd it should be your admin folder. the inc folder can just be set to deny all via htaccess
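The two steps the replies agree on, as an added example that is not part of any post in this thread: renaming the admin directory together with the matching `$config['admin_dir']` value (the rename the earlier reply says is required), and setting inc/ to deny all at the webserver level instead of using basic auth. It assumes Apache with `.htaccess` overrides enabled; the skeleton install in `demo()` is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: (1) rename the MyBB admin directory and
# keep inc/config.php in sync; (2) block all web access to inc/ via .htaccess.
# Assumes Apache honours .htaccess (AllowOverride). The install skeleton
# built in demo() is constructed for illustration only.

# Print the admin_dir value currently set in inc/config.php
admin_dir_of() {
    grep "\['admin_dir'\]" "$1/inc/config.php" | sed "s/.*'\([^']*\)';.*/\1/"
}

# Rename the admin directory under $1 to $2 and update the config to match
rename_admin_dir() {
    root="$1"; new="$2"; cfg="$root/inc/config.php"
    cur=$(admin_dir_of "$root")
    [ -n "$cur" ] || { echo "admin_dir not found in $cfg" >&2; return 1; }
    [ -d "$root/$cur" ] || { echo "$root/$cur does not exist" >&2; return 1; }
    [ ! -e "$root/$new" ] || { echo "$root/$new already exists" >&2; return 1; }
    mv "$root/$cur" "$root/$new" || return 1
    # Rewrite the value through a temp file so it works with GNU and BSD sed
    sed "s/\(\['admin_dir'\] *= *\)'$cur'/\1'$new'/" "$cfg" > "$cfg.tmp" &&
        mv "$cfg.tmp" "$cfg"
}

# Deny every HTTP request to inc/ (Apache 2.4 syntax, with a 2.2 fallback)
protect_inc_dir() {
    cat > "$1/inc/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Demo against a constructed skeleton install in a temporary directory
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/inc" "$root/admin"
    printf "<?php\n\$config['admin_dir'] = 'admin';\n" > "$root/inc/config.php"
    rename_admin_dir "$root" "cp_x7" && protect_inc_dir "$root"
    echo "admin_dir is now: $(admin_dir_of "$root")"
    ls "$root"; cat "$root/inc/.htaccess"
}

demo
```

Point the functions at a real install root instead of the demo skeleton to apply them; the admin URL then becomes example.com/cp_x7 (or whatever name you pass).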
(2012-07-15, 03:59 PM)pavemen Wrote: and if you are going to password protect any folder with htaccess/htpasswd it should be your admin folder. the inc folder can just be set to deny all via htaccess

Actually Just Add Extra User And Pass Via Htaccess To Admin & Inc Folder

Not Necessary To Add deny all via htaccess