How to secure your Xenforo forum

by theezy - 30-01-2015, 09:12 AM
Closed Account
Posts:
215
Joined:
Jan 2015
Likes:
9
Credits:
122
Reputation:
7
2 Years of Service
#1
OP
Posted: 30-01-2015, 09:12 AM
This tutorial will show you how to secure your XF forum.
Please don't forget to like if you think it's a good topic.
EVERY TIPS is important for the security of your XenForo forum

1) Always get the last version of xenforo

2) Put a .htaccess file inside your library folder to protect it and put in the htaccess:

Code:
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
Order allow,deny
Deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>

3) If you're the owner of the website please use different passwords for your :

# FTP
# Forum Login
# Cpanel Access

If you want to generate a password try this website :

Code:
http://strongpasswordgenerator.com/


And if you want to see how strong is your password go on this website :

Code:
https://howsecureismypassword.net/

4) Put a .htaccess file on your root directory normally there is already one (a htaccess.txt) rename it by .htaccess if not, create one and inside put :

Code:
#THIS IS NOT ON THE DEFAULT XF HTACCESS PLEASE A IT
Options -Indexes

#NO NEED TO ADD THIS IF YOU ARE ALREADY USING THE XF HTACCESS DEFAULT FILE
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
   RewriteEngine On

   #    If you are having problems with the rewrite rules, remove the "#" from the
   #    line that begins "RewriteBase" below. You will also have to change the path
   #    of the rewrite to reflect the path to your XenForo installation.
   #RewriteBase /xenforo

   #    This line may be needed to enable WebDAV editing with PHP as a CGI.
   #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

   RewriteCond %{REQUEST_FILENAME} -f [OR]
   RewriteCond %{REQUEST_FILENAME} -l [OR]
   RewriteCond %{REQUEST_FILENAME} -d
   RewriteRule ^.*$ - [NC,L]
   RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
   RewriteRule ^.*$ index.php [NC,L]
</IfModule>

#THIS IS NOT ON THE DEFAULT XF HTACCESS PLEASE A IT
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

#THIS IS NOT ON THE DEFAULT XF HTACCESS PLEASE A IT
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://yourwebsite.com.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://yourwebsite.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.yourwebsite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.yourwebsite.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ yourwebsite.com [R,NC]


Please modify : http://yourwebsite.com and yourwebsite.com to your website link.

5) DELETE your "install" folder

6) Look up if your Xenforo files are on Chmoder 0644 (some on 0755) and never on 0777

7) Try not install no important add-ons, put add-ons which are importants for the community. Or create your own code to do what you want instead of using add-ons.

8) Never authorise HTML in the posts/messages

9) Always scan your PC against virus etc ...

10) If you suspect an attack from hackers change your pass of you forum/ftp/cpanel account

11) Regularly do backups of your forum on your PC

12) For DDOS protection see more here :

Code:
http://www.cloudflare.com/

Or here:

Code:
http://www.incapsula.com/

13) If you want MySQL injection protection see more here :

Code:
http://www.crawltrack.fr/crawlprotect/
The last reply on this thread is older than a month. Please do not unnecessarily bump it.
Register an account or login to reply
Create an account
Create a free account today and start posting right away. It only takes a few seconds.
Login
Log into an existing account.
1 Guest(s)