MyBB Community Forums

Full Version: [Tutorial] How to Help Secure your Forums from being Hacked/DDOSED
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3 4
Many of you come here time to time and say your site gets hacked.

There are two general ways to hack a forum.

- Upload a shell using the attachment feature or use XSS to get admin login

- The Hacker will purchase hosting on the same server as you and upload a shell and use SYMLINK Exploit to pull your data base names and passwords.

There is a very cheap and easy way to prevent this.

First of all, Purchase a Small VPS.

If you want to install cPanel (That will cost you 14.95$/month), you want a VPS with at least 1GB Ram.

If you don't use cPanel get a VPS with approximately 256 - 512mb Ram (384mB is perfect), and install MYSQL and Apache.

Now go to your PHP.ini file and under disable_functions just copy and paste this

Quote:exec,popen,pclose,php_eval,safe_dir,zend,g lob,root,ftok,posix_access,egy_perl,symlink, ini_restore, shell_exec, passthru, error_log, ini_alter, dl, openlog, syslog, readlink, symlink, link, leak, popen, escapeshellcmd,proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, escapeshellarg, pcntl_exec, exec, passthru, popen, wscript,apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec,system, xmlrpc_entity_decode

What disabling all those functions are:
- It disables the common Symlink method to access Databases and PHP Config files.
- Disables functions that booters/shells use
- Disables any method that a regular site would not use, and functions commonly used by hacking scripts.

I recommend updating MYSQL to the latest version and PHP to 5.3.x, Recompile Apache and restart Apache.

Now to secure your System, disable SSH so no one can Hack you, or change your SSH port and make it so only your IP can connect to your SSH port.

Finally, to hide your Systems real IP, use CloudFlare.

After you add your site to CloudFlare, delete all the Records except A and CNAME

So it looks like this,

[Image: WUU7G.png]

This prevents people / Hackers / kids that want to ddos from using a CloudFlare Resolver to get your real IP.

Proof (I used a cloudFlare resolver on that domain), it does now show any server IP's.

[Image: KpYi5.png]


Using this tutorial basically eliminates 90% chance of anyone hacking your site, although the only method left would be XSS, which I do not know how to block as I do not know anything about XSS.

hope this helped.

The reason why I leave the 10% chance of your site being hacked is because Hackers get smarter and develop new methods every day.

I am not responsible if your site still gets hacked.


Also you should always rename your AdmincP Directory, you can find a tutorial on the Internet on how to do that.

My site is and I did everything on this guide to it.


Also I recommend using an external SMTP Server so no one can read your mail headers and get your servers IP. Name Cheap has 1 year free SMTP Servers, you should go check them out
Problem is that eval is in that list. MyBB uses eval in the template system.
I run a myBB forum and a vB forum on my VPS and eval has not caused any issues.
I can't see how that's possible. Maybe the eval disable is more selective (safe/everything). I'll have to try it on my VPS and see if my forum explodes.

Out of curiosity, if you use PHP-FPM, did you restart the service (when you added the list to your own system)?
Yes I did, I disabled all that, updated PHP and MYSQL, even before I installed myBB on my forums.

Everything works fine with the disable_functions list I provided.
Well. Then I apologize for raining on your parade in other threads. Wink
I really don't agree with your choice of words. "Completely" is very specific. I can think of 20 methods off the top of my head to hack a forum, and none of the above posted are included. Security is a process, not a product. The above might help to some degree, but it won't prevent your forum from being hacked.
I have changed the title of the Topic with a better choice of words now.

(2012-12-03, 12:22 AM)Nathan Malcolm Wrote: [ -> ]I can think of 20 methods off the top of my head to hack a forum, and none of the above posted are included. Security is a process, not a product. The above might help to some degree, but it won't prevent your forum from being hacked.

Yeah, but this tutorial eliminates the common ways of getting hacked.

- If no one else can get hosting on your server, then they can't use any shell to gain access to your files as they can not upload anything. (Which is how most forums get hacked anyways [Especially the ones advertised at HF])

- They can't bruteforce SSH/yourlogin since you disabled it and only the owner can access it via console.

- They don't know your servers REAL IP, so they couldn't use a Putty client and try to bruteforce a login to your VPS

The only way they could hack you now is by exploiting myBB, which should be pretty hard.

Even if they use the upload attachment feature, and successfully upload a shell, it will most likely not work as we have disabled the main Symlink functions, but there are shells out there that still bypass it, their hard to find though.
Keep Your MYBB installation upto date.

You can read more about securing mybb forum @
Well I made this change, and MyBB is still working. I am not sure how the eval block isn't stopping everything, but whatever.
Pages: 1 2 3 4