Hello,
I have a forums of 20,000 members and it got hacked recently. Somehow, the individual got access to the admin panel.
Note, our stuff are highly secured.
Anyway's, We are restoring back the site and I want to know if tehre is a way to restore EVERYONE's password, so even if the database gets leaked, people won't do anything.
(2014-01-15, 05:38 PM)Destroy666 Wrote: [ -> ]Restore or reset? Because if you restore, the passwords will be the same, so I see no logic.
If reset, try this: http://mods.mybb.com/view/force-password-change
Thanks. Also are there any other options so the people even if they decrypt the database, they won't be able to access to any accounts?
The best way would be to generate a new loginkey for every user account (Because that is what is needed to log in/hijack a session). You should do that in addition to forcing users to change their passwords.
If the database has been taken then there is nothing that you can do to stop them from decrypting the taken passwords (Except that it will take a fair bit of time).
And if you think that your database was taken then tell your users that it happened (preferably via email so that inactive accounts also see it) so they can change their passwords elsewhere (Because with 20k members, lots of those will use the same password elsewhere).
(2014-01-17, 01:51 AM)Cameron:D Wrote: [ -> ]The best way would be to generate a new loginkey for every user account (Because that is what is needed to log in/hijack a session). You should do that in addition to forcing users to change their passwords.
If the database has been taken then there is nothing that you can do to stop them from decrypting the taken passwords (Except that it will take a fair bit of time).
And if you think that your database was taken then tell your users that it happened (preferably via email so that inactive accounts also see it) so they can change their passwords elsewhere (Because with 20k members, lots of those will use the same password elsewhere).
Okay thanks. Extremely helpful.
Change the “admin” directory
By default the admin CP is at example.com/admin or example.com/forum/admin, this is a potential MyBB security issue since MyBB users will know where the admin directory is. You can change this, to do so here’s how.
1. Use your web host’s file manager (or an FTP program) and navigate to your forum’s root installation.
2. Rename the “admin” directory to something else. If you want a secure admin directory, use this strong password generator to generate a new name for you.
3. Go in the inc directory and edit the config.php file, find (should be on line 26):
$config['admin_dir'] = 'admin';
Change admin to your new admin directory, should be ‘mynewadmindirectoryhere’. Save changes.
Hide admin CP links
Also in the config.php file is an option to hide the Admin CP links, good for MyBB security and for after changing your admin URL directory in case if your administrator account gets compromised. Find:
$config['hide_admin_links'] = 0;
Change the “0″ to “1″, make sure you remember where your admin directory is.
Backup your forum regularly and often
This is really important for MyBB security, either in case your forum gets compromised or your forum’s files are corrupted and beyond repair. In Admin CP > Tools & Maintenance > Database Backups is where you can run a New Backup of your forum’s database. In Task Manager there’s a task called Weekly Backups (disabled by default) to run backing up your database automatically for you. Enable this task, I prefer to run it daily though for extra MyBB security. These backups are stored on your server and you can download them anytime you want, make sure you chmod the backups directory to 777 inside your admin directory.
Also don’t forget to backup your forum directory using FTP, or if you use cPanel use the cPanel Backup option for your forum.
Use a strong password for your administrator account
Be smart, don’t use “password123″ for your forum administrator account password. Be creative and use a strong password of at least 6 characters. A mix of uppercase, lowercase characters are better for MyBB security, if you have other administrators or moderators on your forum, be sure to advise them to do the same.
Disallow HTML on forum
By default it is disallowed, and I recommend you keep it that way unless you know your members very well. Allowing HTML opens MyBB security vulnerabilities on your forum.
Hide MyBB version number
This can be changed in Admin CP > Configuration > General Configuration under Show Version Numbers, this is also disallowed by default which is good. If this was on, hackers with malicious intent could view these versions and find MyBB security exploits for them. That’s why it’s better to keep MyBB version numbers off.
Change the MyBB database table prefix
By default it’s “mybb_” which is not good for MyBB security risks if it’s well known. To protect your forum database and increase MyBB security on your forum, you should change this as soon as possible. If you’re installing a new copy of MyBB, you can do this on the Database Configuration step in Table Prefix (see here), an example of a change would be “newprefix_”. If you already installed MyBB, then you can rename it in phpMyAdmin. Afterward go into inc/config.php in your forum’s root installation and find:
$config['database']['table_prefix'] = 'mybb_';
Change mybb to your new database prefix.
Note: Make sure to do a database backup before attempting to change the database prefix.
Run File Verification occasionally for MyBB security checks
If you notice something not right or functioning properly like it’s supposed to, you should run File Verification in Admin CP > Tools & Maintenance. This tool will check for valid MyBB files upon installation, it will return missing or corrupted files if any. Use this knowledge to replace any forum files if needed, you should be able to do this easily with a forum directory backup.
and Prediction u change it so ur password files are md5 salt not md5 as this will make it harder for them to decrypt it