MyBB Community Forums

Full Version: Guide to Tightening MyBB Forum Security
NOTICE BEFORE READING:
This is not a guide to making your forum completely secure and untouchable, but it is a guide to the many different things that one can do to tighten up security. I would also like to note that the latest version of MyBB is very secure even out of the box. Also note that I'm no expert on this; I've never even had a public MyBB forum, but I'm hoping to start one soon. This is mostly about securing MyBB itself; look elsewhere for information on securing any other web applications that you are hosting.

The key points

#1 Keep your forum as up to date as possible
It is very important that you keep everything up to date; this includes plugins.
Make sure to manually check for updates in the Admin CP often and/or frequent the downloads section of mybb.com.


#2 Check before installing plugins
Plugins have the potential to bring down your whole forum if they are insecure or intentionally backdoored. Google is your friend with plugins, so ensure you check through any posts/advisories on the plugin and any other sources of the plugin that are more likely to be secure. Don't use cracked/nulled plugins. If you can understand PHP then look through the code. If the code is encrypted/obfuscated etc. and the plugin is not commercial then be very careful. Look into the plugin author and their credibility as well. Using a plugin that is used on HF and made by labrocca, for example, is a much better idea than some random thing you found dumped on the net.

#3 Use secure and unique passwords
Ensure the passwords to all powerful accounts are different, unique, long and use a large array of chars.

*ndEyd7_-38Dne3dhy3(8ednYe}&yDp2@04(jNPKNBGgdue
^ This is the type of thing you are going to want as a password to any account with powers that could damage the forum. Don't use passwords that you use on other forums because they could be easily tracked down. If you can't remember the password, store it in an encrypted vault such as a KeePass vault.

#4 Deny access to directories
There are a number of directories in MyBB that contain files that never need to be accessed from the browser. It's a good idea to deny access to these.

Directories to protect
{root}/inc
{root}/install (whenever not needed)
{root}/{admincpdir}/inc
{root}/{admincpdir}/modules
As there is no legit reason to access this stuff it's best to create a .htaccess file in the root of these directories containing the following.
deny from all

Another way to add security to the files is to add to/create a .htaccess file in the forum root containing
Options -Indexes
To stop anyone browsing folders without an index.

Another thing one can do is rename the admin directory. To do this, open
{root}/inc/config.php
and edit the
$config['admin_dir']
to whatever you want your new directory to be, then rename the actual directory from 'admin' to whatever you specified in the config.php. --- This does not give much extra security unless you set the
$config['hide_admin_links']
to 1 (note you will need to access the adminCP from a stored link rather than from a link on the front end if this is enabled)


#5 Obscure, obscure, obscure
It's a great idea to make it as hard as possible for a potential attacker to get correct information on your forum.

Change the default table prefix (this can be done easily when installing a fresh copy of MyBB, in the installation wizard). This can also be done in the
config.php
but only people who know what they are doing should attempt to change it after MyBB has been installed; also note that a few plugins are broken by non-default table prefixes. This can make it harder for ub3r el1te SQLI masters to attack your DB.

Other things you can do include giving your main account (the one you post with) super mod perms and giving super-admin to another extremely secure account that has a normal usergroup as its primary.


#6 Lock down the AdminCP

It's very important to implement extra security on the admin cp to prevent unwanted access.

Here are a few things you can do.

Add extra auth with .htpasswd

http://www.htaccesstools.com/htpasswd-generator/
http://www.htaccesstools.com/htaccess-authentication/
^ The above links can be used to generate the files needed to do this.
Once done, simply place the .htpasswd and .htaccess files in the AdminCP directory for some extra security. Make sure the user/pass is different to the Admin password.

Add an ip whitelist to the AdminCP

You can use .htaccess to permit only those with a certain IP to access the AdminCP; this is very secure! (It's not a very good idea to do this if you have a dynamic IP though, because you might find yourself locked out one day.) Just put/add to a .htaccess file in the AdminCP root containing the following.


Order Allow,Deny
Allow from Your.static.ip.address

Add a PIN to the AdminCP

This pretty much does the same thing as .htpasswd but can look a little better. There are plenty of tutorials on this, so just do a search.

Remove the backup system from the AdminCP

If someone was to gain unauthorized access to the admin cp they could easily dump all the SQL info using the built in backup feature. It's a good idea to disable this if you are not going to use it.

Simply go to
{root}/{admincpdir}/modules/tools/backupdb.php
and add the following after the
<?php

die('Backups Disabled');
If you want to use this module then simply comment out the addition and uncomment it when you are done.

These are the key points. After this I will just put a few simple extra tips and some links for more info.
  • Run MyBB with a database user that is not used with anything else on your website to prevent one failure leading to another
  • Restrict the database user that MyBB uses to only be able to do what it needs and nothing more
  • Restrict PHP to only be able to execute functions that are needed and nothing more
  • Remove any features you don't need (don't use the portal? Then remove it; don't use the calendar? Then disable it, etc.)
  • Make sure you don't have scrutinize IP enabled unless you really, really, really know what you are doing
  • Search through forums/exploit DBs for potential exploits often
  • If you are starting a forum from scratch change how passwords are salted and hashed for some extra obscurity in the event your DB is leaked
  • If you've left anything in areas the public can access, such as a plugin zip file or a phpinfo.php, then be sure to remove it.
  • If something is suspicious... CHECK IT OUT!
Some websites to check out.

http://www.mybbsecurity.net/

This tutorial has been written by Opening as a thanks for the help I have received
Mods feel free to edit/addto/stick or whatever.
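Added example, not part of the guide or of MyBB itself: a POSIX shell audit that checks a forum root for the items above (denied directories, Options -Indexes, leftover install/merge/phpinfo.php and plugin archives, hide_admin_links after renaming the admin dir) and for the /merge/ leftover mentioned in a reply below. The function name, the file layout and the example admin directory name are assumptions; it accepts both the Apache 2.2 form "deny from all" used in the guide and the Apache 2.4 equivalent "Require all denied".

```shell
#!/bin/sh
# Added example (not from the guide above): audit a MyBB web root for the
# checks the guide lists. Paths and the admin dir argument are assumptions.
# Matches Apache 2.2 "deny from all" and Apache 2.4 "Require all denied".

# Usage: mybb_audit <forum_root> [admin_dir]
# Prints one finding per line; returns 1 if anything was found, else 0.
mybb_audit() {
    root="$1"
    admindir="${2:-admin}"
    findings=0
    # 1. Directories that never need to be served need a denying .htaccess.
    for d in inc "$admindir/inc" "$admindir/modules"; do
        [ -d "$root/$d" ] || continue
        if ! grep -qiE 'deny from all|Require all denied' "$root/$d/.htaccess" 2>/dev/null; then
            echo "NO-DENY: $d has no .htaccess denying browser access"
            findings=$((findings + 1))
        fi
    done
    # 2. Leftovers (installer, merge system, phpinfo) that a live forum should not keep.
    for f in install merge phpinfo.php; do
        if [ -e "$root/$f" ]; then
            echo "LEFTOVER: $f is still present in the web root"
            findings=$((findings + 1))
        fi
    done
    # 3. Plugin archives dumped where anyone can download them.
    for z in "$root"/*.zip "$root"/*.tar.gz; do
        [ -e "$z" ] || continue
        echo "ARCHIVE: $(basename "$z") is publicly reachable"
        findings=$((findings + 1))
    done
    # 4. Directory listing must be switched off in the root .htaccess.
    if ! grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess" 2>/dev/null; then
        echo "INDEXES: root .htaccess does not set Options -Indexes"
        findings=$((findings + 1))
    fi
    # 5. A renamed admin dir gives little unless hide_admin_links is 1.
    cfg="$root/inc/config.php"
    if [ "$admindir" != admin ] && [ -f "$cfg" ] &&
       ! grep -qE "hide_admin_links'\][[:space:]]*=[[:space:]]*1" "$cfg"; then
        echo "ADMINLINKS: admin dir is '$admindir' but hide_admin_links is not 1"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as `mybb_audit /var/www/forum panel` (paths assumed) from cron or a deploy hook; a non-zero exit means at least one of the guide's points is not in place.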

This is a good post, this should be a sticky. I will use this for my forum.
Thanks so much for your kind advice, I would like to implement some of this stuff, however I need to understand what you mean by:
Quote:create a .htaccess file

As I see with most of it you need to do this, when I understand that then I can put this stuff into action. I do really want to further secure my forum you see and have just added an Admin pin etc...
Very helpful guide. I already know most of the points, but for some they can be quite useful. Also, I think you should remove the colours.
This is extremely good information! Thank you so much.
Pretty decent guide. You should also address key issues in administrator judgement (i.e. leaving the /merge/ directory after performing one).
Thanks for this post on how to secure my forum. Ran through the list and did as you explained.
Keep in mind guys: If you have a dynamic IP and want to IP-protect your admin directory, you can still do so, IF you have another way to access your site files (e.g. SSH or a control panel such as cPanel).