MyBB Tutorials

MyBB Security Enhancement Guide

Submitted by JrLemonsHD, Thread ID: 27469

08-01-2017, 01:50 PM
This post was last modified: 08-01-2017, 02:01 PM by JrLemonsHD
MyBB is probably the #1 most used open source and free to use forum software available to the public. This means not only that it gets plenty of extremely useful support and plugins, but also that a MASSIVE group of people is constantly finding and abusing exploits within the MyBB system's security. You, the forum administrator, have the responsibility of securing your users' information as well as possible. Below I've combined a useful assortment of guides, plugins, and web configurations to secure your forum's user and administration systems.


Main Points:
Keep your forums updated!
MyBB and its plugins update often; keeping them updated gives you the latest features along with more protection against mainstream exploits.

Check before you install plugins!
Plugins have the potential to bring down your whole forum if they are insecure. Search engines are your best friend, so make sure you check for any advisories regarding a plugin's security. Using cracked or nulled plugins is always a risk, just keep that in mind.

Use secure and unique passwords!
Ensure your administrative passwords are unique, complex, and secure!
jre8RE_-38D912 is an example of a good unique and complex password!
Password vaults such as Dashlane and LastPass usually have generators and autofill, so you don't even have to know the password!

Deny access to directories!
There are a number of directories in MyBB that contain files users don't need to access. It's a good idea to secure these from public viewing. Creating an .htaccess in each of those directories containing "deny from all" will secure them from public access. Adding "Options -Indexes" to the .htaccess in the MyBB root is also recommended.
{root}/inc
{root}/install (Typically deleted or removed)
{root}/{admincpdir}/inc
{root}/{admincpdir}/modules

Change the Administrative Control Panel Directory
Open {root}/inc/config.php
Edit $config['admin_dir'] to the new directory, then rename the actual directory.
This option isn't very valuable unless you also enable the hiding of admin links; you can do this by setting $config['hide_admin_links'] to true!

Change default information!
Use a different MySQL database prefix than the default one; this makes things harder for script kiddies but not for competent attackers.
Post from an account without AdminCP access, and keep a separate, hidden, more secure user account for AdminCP access.

Lock down the AdminCP
You should add an .htpasswd login or an .htaccess IP whitelist to the AdminCP directory.
Add an AdminCP PIN (just Google 'MyBB AdminCP Pin').

Remove the MyBB AdminCP Backup System
If someone does break in they can easily dump your SQL information using the built-in backup system, so it's a good idea to disable this if you don't use it!
Simply go to: {root}/{admincpdir}/modules/tools/backupdb.php
Add the following after <?php
die('Backups Disabled'); (Comment it out if you wish to make a quick backup.)
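To check that the steps from "Deny access to directories" through "Remove the MyBB AdminCP Backup System" were actually applied, here is an added audit script (my own example, not code from the original post or from MyBB). It assumes a POSIX shell with grep, takes the MyBB root and the renamed AdminCP directory as arguments, and returns the number of findings; the Apache 2.4 "Require all denied" form is accepted alongside the "deny from all" form used above.

```shell
#!/bin/sh
# Added audit helper (not from the original post or from MyBB): checks a MyBB
# root against the hardening steps in this guide and returns the finding count.
# Assumes: $1 = MyBB root, $2 = AdminCP directory name (default "admin").
mybb_audit() {
    root="$1"; admin="${2:-admin}"; cfg="$root/inc/config.php"; n=0
    sp='[[:space:]]*'
    # Sensitive directories need an .htaccess deny rule. "deny from all" is the
    # Apache 2.2 form used in the guide; Apache 2.4 uses "Require all denied".
    for d in inc "$admin/inc" "$admin/modules"; do
        [ -d "$root/$d" ] || continue
        if ! grep -qiE '^(deny from all|Require all denied)' "$root/$d/.htaccess" 2>/dev/null; then
            echo "FINDING: $d/.htaccess has no deny rule"; n=$((n+1))
        fi
    done
    # Directory listings should be disabled at the root.
    if ! grep -qi '^Options.*-Indexes' "$root/.htaccess" 2>/dev/null; then
        echo "FINDING: root .htaccess lacks 'Options -Indexes'"; n=$((n+1))
    fi
    # The installer should have been removed.
    if [ -d "$root/install" ]; then
        echo "FINDING: install/ is still present"; n=$((n+1))
    fi
    # AdminCP renamed, admin links hidden, and a non-default table prefix.
    if grep -qE "admin_dir'\]$sp=$sp'admin'" "$cfg" 2>/dev/null; then
        echo "FINDING: admin_dir is still the default 'admin'"; n=$((n+1))
    fi
    if ! grep -qE "hide_admin_links'\]$sp=$sp(true|1)" "$cfg" 2>/dev/null; then
        echo "FINDING: hide_admin_links is not enabled"; n=$((n+1))
    fi
    if grep -qE "table_prefix'\]$sp=$sp'mybb_'" "$cfg" 2>/dev/null; then
        echo "FINDING: database prefix is still the default 'mybb_'"; n=$((n+1))
    fi
    # The backup module should be neutralised by an uncommented die() near the top.
    bk="$root/$admin/modules/tools/backupdb.php"
    if [ -f "$bk" ] && ! head -n 5 "$bk" | grep -q '^die('; then
        echo "FINDING: backup module $bk is still active"; n=$((n+1))
    fi
    return "$n"
}
```

Run it as "sh audit.sh" after sourcing, or call mybb_audit /var/www/forum mypanel; a return value of 0 means every step above is in place.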

Encrypt MyBB Cookies
MyBB sucks at some security points; this plugin encrypts cookies and prevents loginkey abuse: https://github.com/ATofighi/MyBB-Secure-Encrypt-Cookies

Encrypt passwords using bcrypt (it's more secure)
Follow this guide: https://community.mybb.com/thread-189672.html
