MyBB Community Forums

Full Version: Admin MyBB Best Practice (security)
Hi,

What is the best practice for administering MyBB? My first priority in the security area is to set up SSL for user and admin login.

Regarding admin login, I am wondering whether it is recommended to disable admin login. By disabling admin login, that means I can only do admin stuff locally on my development machine. After all admin stuff is done on my dev. machine, then I will need to upload the PHP and DB to the production server.

Is this overkill?
You can read this sticky
http://community.mybboard.net/showthread.php?tid=9991

If you rename your admin directory, and remove the links to the admin area from the front end, then anybody who hacks your account won't be able to find the admin directory.
I did the fixes suggested in this thread. I also disabled admin cp access from the MyBB menus by changing the hide_admin_links variable to "1" in inc/config.php. I then set up a browser link to my newly named admin folder via https (SSL).

One last item I'd like to do in securing my site is adding the .htaccess files that are appropriate to the various directories. I'm talking about just the basic form of .htaccess security, such as:

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

However, which directories should get this file, and which shouldn't? I don't know which directories need to be able to be read directly in order for users to use the site, and which directories they don't need to have access to.

My guess is this is covered somewhere, but I couldn't find it in my searches on security and .htaccess.
For even more security for the admincp, add htpasswd protection.

http://www.htaccesstools.com/htpasswd-generator/
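
An added example, not part of any post in this thread: a shell function that audits a MyBB tree for the steps suggested above (renamed admin directory, hide_admin_links set to 1, htpasswd protection on the admin directory, and a <Files *.php> deny block in the directories you name). It assumes inc/config.php assigns values as $config['key'] = value; and that admin_dir is the key naming the admin folder. The directories to check are passed by the caller, since the thread does not settle which ones should get the file.

```shell
#!/bin/sh
# Added example: audit the hardening steps from this thread on a MyBB tree.
# Usage: audit_mybb /path/to/forum [dir-that-should-deny-php ...]
# Assumption: inc/config.php holds lines like  $config['admin_dir'] = 'name';

# Print the last value assigned to $config['<key>'] ($1 = key, $2 = file).
config_value() {
    grep -F "\$config['$1']" "$2" 2>/dev/null | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Succeed if DIR/.htaccess has a <Files *.php> block that denies all requests
# (Apache 2.2 "Deny from all" as posted above, or 2.4 "Require all denied").
denies_php() {
    [ -f "$1/.htaccess" ] || return 1
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /<files[ \t]+"?\*\.php"?>/ { inside = 1; next }
        tolower($0) ~ /<\/files>/ { inside = 0 }
        inside && tolower($0) ~ /deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied/ { found = 1 }
        END { exit !found }
    ' "$1/.htaccess"
}

# Print one WARN line per missing step; return 0 only if every check passes.
audit_mybb() {
    root=$1; shift
    cfg="$root/inc/config.php"; rc=0
    admin_dir=$(config_value admin_dir "$cfg")
    if [ -z "$admin_dir" ] || [ "$admin_dir" = "admin" ] || [ -d "$root/admin" ]; then
        echo "WARN admin directory still uses the default name"; rc=1
    fi
    if [ "$(config_value hide_admin_links "$cfg")" != "1" ]; then
        echo "WARN hide_admin_links is not set to 1 in inc/config.php"; rc=1
    fi
    if ! grep -qi '^[[:space:]]*AuthUserFile' "$root/$admin_dir/.htaccess" 2>/dev/null; then
        echo "WARN no htpasswd (AuthUserFile) protection on the admin directory"; rc=1
    fi
    for d in "$@"; do
        denies_php "$root/$d" || { echo "WARN $d does not deny direct *.php requests"; rc=1; }
    done
    return $rc
}
```

Run it against a copy of the forum root, listing after the path each directory you expect to refuse direct PHP requests.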