Six Methods to Protect Your MyBB Forums
Thank you.
So, after installation what are the file and folder which should be chmod setting?
I have read that this one gives conflicts on some js file @ xecko.

Deny External Access to the Config File
Sometimes, plain old permissions isn't enough. This is an .htaccess method that will give anybody who tries to access the config file a 403 error. Your MyBB Forums will still be able to run normally, however. This will protect it from external access only.

Create an .htaccess file in your 'inc' directory, and add the following code:
# Protect the config.php file
<files config.php>
Order deny,allow
deny from all
Although I enjoyed and benefited from your overall Tutorial, I have to disagree with the uber-strong password advice, because as you say, you have to write them down and then carry a piece of paper with you.
This means that if you are ever mugged or lose your wallet or whatever, not only do you lose access to your sites (unless you have multiple copies, also multiplying the chance of them being stolen), you also just gave access to whoever has them now.

You personally may be very careful not to carry anything that would tell the mugger what sites the PW's are for, but most people would have the Username/website listed with it, and most people that use Uber-PW's write the PW's on a post-it and stick it on the monitor or in the top desk drawer anyway. So while it may work for you, most would lose security if they tried it.

If you look around, you will find several good articles that have recently been written on Best Practices for password security, and they pretty much all agree that it has to be able to be remembered by the user, or it isn't secure.
Yes, you can use the password manager programs, but then you are limited to where you can log in from, and if you have breach on one of those devices, you may lose ALL your details in one fell swoop.
(with keyloggers and other monitoring software being common, for both computers and smartphones, even an uber-PW won't keep you safe from all attacks, and since writing it down opens up a wide attack vector, it greatly reduces the actual security.)

The current recommend Best Practice seems to be a long random string of words that is easy to remember, but has nothing to do with your life. Adding some un-related numbers and symbols increases it exponentially.

Also, you have to remember that a lot of people are logging in via a mobile device, where entering a long random string of Upper and lower and Alt characters is a major pain, and thus they are likely to shorten such a string.
A series of words with just a Cap at the beginning and maybe a few symbols/numbers salted in it is easy to remember and type, but practically impossible to hack.

On latest myBB install, which will have some sensitive patient/client data on it, I have it set to require 8 characters, including a number and a non-word/non-numeric character ([email protected]#$%^&*()<>?,./;':"[]{} etc).
(I have always hated upper-case rules! Wink

One of the most important things is not to re-use the same PW across multiple sites, because if you are using it at one that gets hacked, they now have your access info for all the others, which may be more important.
I good method for this would be to use the same base password as discussed above, and then modify it for each site, maybe taking the 2nd-4th characters of the site URL and adding them in the middle of your base PW, or something like that. Then you can still remember it, even though it is different for each site.

Most people don't get hacked, and they look at uber-PWs with fear and hatred because they are a pain to enter, not to mention remember or store or write down, and so they use the 25 most common PW's and hope they don't get hacked.
Those that have been hacked and lost business, lost websites, lost accounts, lost money and lost loads of time put higher value on security, but you have to find some middle ground for the average user. (or even the average Admin...)

I have implemented some of your other suggestions and tips, so I thank you for them! Smile

Hi there,

fantastic tutorial, thanks heaps!

I would be very grateful if you could point me to some tutorial or other place of information about how to determine the most restrictive CHMOD settings for all relevant / important MyBB files that still allows MyBB and any plugins one may use to run properly.


Mariku, I've already provided you with a resource which states the best CHMOD settings for MyBB.
No longer involved in the MyBB project.
Thankfully received! :-)

Will be using that as my starting point to get deeper into CHMOD.


This user has been denied support. This user has been denied support.
Thanks bro gonna try this out Smile
When denying external access to the config file by creating the .htaccess file, the user is presented with a page that tells the user to email the administrator. Is there anyway to present a different error page? Or at least perhaps hide the email address?
(2012-04-19, 10:40 AM)winds Wrote: When denying external access to the config file by creating the .htaccess file, the user is presented with a page that tells the user to email the administrator. Is there anyway to present a different error page? Or at least perhaps hide the email address?

It should be providing a 403 error. You can change the error pages in your host's control panel.
Need web hosting? Try MyBBWebHost!
#1 for Running MyBB Communities
The world's only premium web host dedicated to MyBB forums.

The one thing I generally do is enable this:
* Hide all Admin CP links
* If you wish to hide all Admin CP links
* on the front end of the board after
* renaming your Admin CP directory, set this
* to 1.

on the inc/config.php file

as well as the long admin link. that way if they try to gain access to my account they still need to know the link before being able to do anything to the admin side of things.

Forum Jump:

Users browsing this thread: 1 Guest(s)