MyBB Community Forums

Full Version: Six Methods to Protect Your MyBB Forums
Six Methods to Protect Your MyBB Forums

MyBB is very secure software. The files are all carefully coded to keep out hackers and viruses. However, there are still ways that your forums could be hacked. Forums are most commonly hacked because of laziness or careless practices on the part of the administrator, rather than because of the actual software.

PS: Except for the first method below, the other five steps can be used for any forum software really. I recommend you use them if you are using any other software as well.

Rename Your Admin Directory
Everyone on the support forums just can't stress this enough! It is very important that you rename your admin directory. How does somebody hack an admin area if they do not know where the files are located? It's very simple to change it, too.

To do this, enter your web host's control panel and go to the File Manager. Alternatively, you can use an FTP program like FileZilla. Find the directory called 'admin', and simply rename it to something else (it is suggested to rename it to something cryptic, like 87y2ut).

Then, find the config.php file in the 'inc' directory. Look for the following code:

/**
 * Admin CP directory
 * For security reasons, it is recommended you
 * rename your Admin CP directory. You then need
 * to adjust the value below to point to the
 * new directory.
 */

$config['admin_dir'] = 'admin';

Change 'admin' to the new name of your admin directory.

.htaccess Protect Your Admin Directory
Renaming the admin directory is just the first of three steps you can take to protect it. The following code snippet checks the visitor's IP address. If it does not match the one that you specify, they will be redirected to your index.

To do this, create a .htaccess file in your admin directory. Add the following code:

RewriteEngine On
RewriteBase /
# REMOTE_ADDR is the visitor's IP; the trailing $ stops 203.0.113.10 also matching 203.0.113.100-109
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# 302 rather than 301, so a browser does not cache the redirect permanently
RewriteRule .* http://www.mybbwebhost.com [R=302,L]

Change 203.0.113.10 to your own IP address (keeping the backslash before each dot, as shown), and the URL to the page you wish to redirect other people to.

If you have multiple administrators, use the following code instead:

# Apache 2.2 access syntax (on Apache 2.4 this needs mod_access_compat)
ErrorDocument 403 http://www.mybbwebhost.com
Order deny,allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.7

Change the two addresses to your administrators' IP addresses (one 'Allow from' line each), and the URL to the page you wish to redirect other people to.

Password Protect Your Admin Directory
This is the simplest method of protecting your admin directory. This adds an additional requirement to getting access to the admin directory. Now, people will need an administrative account, correct user password, AND the directory password.

If you use DirectAdmin, go to 'Password Protected Directories'. Then, click on 'Find a Directory to Password Protect'. Go to your MyBB root folder, and click 'Protect' next to your admin directory.

Then, follow the instructions on the screen to set up a password.

If you use cPanel, go to 'Password Protect Directories' under Security. Then, click on the icons to open up directories until you find the admin directory. Then, click on it.

You will be given the option to set up individual user accounts, which might be a good idea to be able to manage who gets access and who doesn't.

NOTE: If an administrator on your board who had access gets fired, quits, or retires, I suggest you change the password. For this reason I prefer the cPanel method of different users, because you can then simply delete their access privileges.

Deny External Access to the Config File
Sometimes, plain old file permissions aren't enough. This is an .htaccess method that will give anybody who tries to access the config file over the web a 403 error. Your MyBB forums will still be able to run normally, however, because this blocks external access only.

Create an .htaccess file in your 'inc' directory, and add the following code:
# Protect the config.php file
<Files config.php>
Order deny,allow
Deny from all
</Files>

Keep Your Passwords Strong!
The number one reason hacking attempts succeed is bad passwords on the administrator's part. It is not hard to make a good password.

In fact, since a phishing attempt has been made on my account at Digital Point, I keep all of my passwords for important accounts (like PayPal) so complicated that even I don't know them! I actually have to take out a slip of paper and type it in every single time I want to log in. That's how important it is.

Your passwords should be cryptic and contain uppercase and lowercase letters, numbers, and symbols. They should also be at least 16 characters, maybe more. In fact, according to Blogussion, a simple ten-character password can take up to 580 million years to decode! Now isn't that the kind of protection you would want?

Remember to Update
New versions are posted for a reason. While they do fix a lot of bugs, many times they also patch an important security hole. Especially once that hole has been announced to the public, why would you want to keep your forum vulnerable? MyBB has a nifty way of reminding you within your ACP when new updates are available.

When I say update, I also mean plugins. Plugins can serve as a little back door to a huge mansion called MyBB. If you keep this door unlocked, anybody can walk right in.

-------------------

That's all for now. In addition to the above, these habits are recommended for everyone:
  • Change your password often. You won't know if somebody finds out your password until it's too late. The best thing to do is to change it constantly, and to use different passwords for different services.
  • Remove the version numbers. If you do not update your software for whatever reasons, think of version numbers as billboard signs saying 'MY FORUM IS NOT UP TO DATE! HACK ME!!!' Not a message you want to send to hackers.

    To disable version numbers, go to 'General Configuration' under 'Board Settings' in your Admin CP. Find 'Show Version Numbers' and set it to 'Off'.
  • Don't just upload every plugin under the sun, especially if they are not from the MyBB Mods site (MyBB does a security screening of all plugins submitted). Anybody can upload a plugin to the Internet, and plugins are an easy way to create a backdoor into your forum or infect it with malicious code. Make sure that you are using a plugin from a reputable author, and it never hurts to quickly scroll through the code to make sure there's nothing malicious. Finding a reference to "659gyh56y4.badhackers.ru/mybbexploit/" is usually not a good sign.
  • Make sure only necessary files have writable permissions. Even though your Admin CP says that you should have your config.php file CHMOD 777, I really don't see why... This is a very stupid thing to do, and can risk your entire board.
  • Make and download backups regularly. MyBB already has a feature in its task manager that makes backups for you. All you need to do is download them to your computer. I personally download backups once every two weeks, or more often if there is a burst of activity. It all depends on how big your forums are. Sometimes once a week isn't going to cut it.

    I don't know why it hasn't been made yet, but somebody should make a plugin that emails you backups of your forums every X amount of days (hint, hint ;))
------------------------
Six Methods to Protect Your MyBB Forums - Copyright © 2009-2013 MyBBWebHost, all rights reserved.

Disclaimer: Any methods here are only advice. They only reduce the chances of your forum getting hacked, they do not eliminate it. MyBBWebHost and I are not responsible for any damages or such caused by directly or indirectly using any methods on this tutorial. Anything you do is done at your own risk.
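The first four methods above (rename admin/, update inc/config.php, IP-restrict the renamed directory, deny direct requests to config.php), carried out as one script. This is an added example, not code from the tutorial or from MyBB itself. It assumes a stock MyBB layout (admin/ and inc/config.php under the forum root) and Apache 2.4, whose access-control syntax ("Require ...") differs from the Order/Deny/Allow lines quoted in the post; on 2.2 swap those lines back. It also goes one step beyond the text by refusing any address that is not a real IPv4 dotted quad before writing it, since the snippets above show how easy it is to type an octet like 899. The IP addresses, the directory name and the throw-away fixture are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the tutorial or from MyBB): apply the first four
# methods to a MyBB root and verify the result. Assumes a stock layout
# (admin/ and inc/config.php under the root) and Apache 2.4; on 2.2 swap
# the "Require" lines for Order/Deny/Allow. All IPs here are placeholders.

# Twelve random lowercase letters/digits for the new directory name.
random_dir_name() {
    head -c 300 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | cut -c1-12
}

# True if $1 is a dotted quad with every octet in 0..255; rejects typos
# such as 123.45.67.899 before they end up in an Allow/Require line.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rename $1/admin to $1/$2 and point $config['admin_dir'] at the new name.
rename_admin_dir() {
    mybb_root=$1; newname=$2
    case $newname in
        ''|*[!A-Za-z0-9_-]*) echo "unsafe directory name: $newname" >&2; return 1 ;;
    esac
    [ -d "$mybb_root/admin" ] || { echo "no admin/ under $mybb_root" >&2; return 1; }
    [ -e "$mybb_root/$newname" ] && { echo "$mybb_root/$newname exists" >&2; return 1; }
    mv "$mybb_root/admin" "$mybb_root/$newname" || return 1
    cfg=$mybb_root/inc/config.php
    # Edit only the admin_dir line: write a temp copy, then swap it in.
    sed "s/\['admin_dir'\] = '[^']*';/['admin_dir'] = '$newname';/" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Read back the configured admin directory name (for verification).
admin_dir_setting() {
    sed -n "s/.*\['admin_dir'\] = '\([^']*\)';.*/\1/p" "$1/inc/config.php"
}

# .htaccess for the renamed directory: only the listed addresses or CIDR
# ranges get in; everyone else receives a 403.
write_admin_htaccess() {
    admin_path=$1; shift
    {
        echo "# Only these addresses may reach the Admin CP"
        echo "<RequireAny>"
        for ip in "$@"; do echo "    Require ip $ip"; done
        echo "</RequireAny>"
    } > "$admin_path/.htaccess"
}

# inc/.htaccess: refuse direct HTTP requests for config.php. PHP's
# include() reads the file from disk, so the forum itself still works.
write_inc_htaccess() {
    cat > "$1/inc/.htaccess" <<'EOF'
# Protect the config.php file
<Files config.php>
    Require all denied
</Files>
EOF
}

# Run all steps; touch nothing if any address is malformed.
harden_mybb() {
    root=$1; newname=$2; shift 2
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "not a valid IPv4 address: $ip" >&2; return 1; }
    done
    rename_admin_dir "$root" "$newname" || return 1
    write_admin_htaccess "$root/$newname" "$@"
    write_inc_htaccess "$root"
}

# Constructed stand-in for a MyBB root, so the script can be tried offline.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/admin" "$fx/inc"
    echo '<?php // stand-in for admin/index.php' > "$fx/admin/index.php"
    printf '%s\n' '<?php' "\$config['admin_dir'] = 'admin';" > "$fx/inc/config.php"
    echo "$fx"
}

# Demo against the fixture with two placeholder administrator addresses.
demo_root=$(make_fixture)
harden_mybb "$demo_root" "$(random_dir_name)" 203.0.113.10 198.51.100.7
echo "admin_dir is now: $(admin_dir_setting "$demo_root")"
cat "$demo_root/$(admin_dir_setting "$demo_root")/.htaccess"
rm -rf "$demo_root"
```

To use it on a real install, drop the demo lines at the bottom and call harden_mybb with your forum root, the new directory name and your administrators' addresses. Since Require ip simply returns a 403 to everyone else, the redirect behaviour of the RewriteRule version above is not reproduced; add an ErrorDocument 403 line to the generated .htaccess if you want it.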
Thanks, very good job :)
Just bumping this because I feel it's very important. By the way, feel free to share your own methods of securing your MyBB installation here as well! :)
Nice tutorial, but the only one I won't be using is the .htaccess admin IP one, because I have a dynamic IP. Sometimes I reset my router for various reasons, so I would need to find out my IP and then change the code. Apart from that, I will be using all of those. I also use Nickmans Admin+, an extra password for your admin area, pretty nifty. If they got access to an admin account they would also have to enter the admin area password before being let in, nice!
Thank you so much, Zash.
It's really useful.
# Protect the config.php file
<files config.php>
Order deny,allow
deny from all
</files>

Is it possible to deny access to 2 or multiple files and how?
thanks!! good job
(2009-05-14, 01:29 PM)kan3 Wrote:
# Protect the config.php file
<files config.php>
Order deny,allow
deny from all
</files>

Is it possible to deny access to 2 or multiple files and how?
Yes it is. I don't know if there's a simpler way, but you can simply go:
<files yourfilename.php>
Order deny,allow
deny from all
</files>
<files anotherfilename.php>
Order deny,allow
deny from all
</files>
and so on...
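A single block can cover several files. This is an added example, not code posted by either member above. It uses Apache 2.4's native access syntax; on Apache 2.2, or on 2.4 with mod_access_compat loaded, the Order deny,allow / Deny from all lines quoted above do the same job inside the block. config.php is the file from the thread; settings.php is another file MyBB keeps in inc/ that should never be fetched directly:

```apache
# inc/.htaccess: deny direct HTTP requests for several files with one block.
# The pattern is anchored with ^ and $ so that e.g. myconfig.php or
# config.php.bak are not accidentally matched.
<FilesMatch "^(config|settings)\.php$">
    Require all denied
</FilesMatch>
```

Add further names inside the parentheses, separated by |, rather than stacking one <files> block per file.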
Helpful! Will this stop SQL injection attacks?
The only problem I see with this is that all you have to do is hover over the "admin" link once you've gained access to an admin account. Is there a way to hide it from the link? Like the link goes to one thing and then redirects to the real admin CP?