I am opening a site, and I am hoping to do it with MyBB. However, first I need to know something.
Say you have 2 MyBB forums running on the same server and domain (example: one at
www.domainname.com/forums and the other at
www.domainname.com/forums2). This is a setup similar to what we are going to have. Except in our case, it'll go up to about domainname.com/forum11. And the ownership of said forums will be changing Each of those forums will have different administrators and moderators, different databases.
Given the above possibility, is it possible for any of the forums to somehow hack the server or another forum from the admin position? What about add viruses to the site? And if the answer to either of those is 'yes', how can this be prevented? The admins of the other forums don't have Database or server side access.
If you don't allow them to install custom plugins / execute custom PHP code, you should be fine. With custom code they have the rights of the webserver, and the webserver has the right to read config.php files, which gives you database passwords.
Easier and more secure to create new accounts with subdomains for each forum.
forum1.domain.com
forum2.domain.com
Security also depends on your host and how they have their environment setup. And websites don't get viruses.
But them having the password to their own MySQL domain doesn't help them that much, right? I mean, can you just go to any phpMyAdmin, give in the password and username, and go to town? Also, there's the addition that each forum will (duh) have its own MySQL Database.
Whoops, ninja'd. So okay. Subdomains. How secure is that?
About the viruses... I mean like inserting a code in the template that gives the comp a virus.
It does help to have them as seperate databases but if they are on the same account then the filesystem will have the same user. If they penetrate one forum they can easily exploit them both..at least as directories. As subdomains with their own accounts they have to penetrate the server at a deeper level. It's more secure trust me. Mysql penetration would require elevated privileges. It's difficult to accomplish that.
Quote:About the viruses... I mean like inserting a code in the template that gives the comp a virus.
Well then your site is compromised in some way.
Contact your host if you can. They should be able to tell you what's the most secure setup.
The site doesn't exist yet.
I'm just clearing everything up before it starts. Each forum will have its own Username, Password, and Database, and be on its own subdomain; the subdomain forum admins will not have FTP or similar access. The possibility of a MySQL penetration is low-nonexistent?
Anything else I should worry about security-wise?
You shouldn't worry at all if you're using MyBB.
Another option you can use is my
MyBB Multiforums Mod which is free and lets you host forums with you.subdomain URLs on your site.
This system is very secure as well as it is especially made to give access to forum admins so they can run a forum while still keeping site and server security very locked down. It also lets you force ads on all the forums easily or create a new admin user on any forum at any time if you need to. The mod is meant to be used on free forum hosting websites but you can easily customize it so that only a set number of forums are created. This way too you don't need to make a new forum / account for each user as all the forums share the same files but in such a way that everything is isolated and one forum cannot do harm to another.
Just something to consider.
BMR777
Err... One more question. I heard about how the ability to create BBCodes with MyBB could make you vulnerable to a PHP injection... Is this fixed or is it still a danger?
All known exploits are fixed in current version. Of course this doesn't protect you from anything found in the future. You must stay updated. Keep this in mind if you are going to be installing many copies that you will have to update each one.