MyBB Tutorials
MyBB Security Tutorial and Guidelines
Submitted by Blowjob, 23-01-2015, 07:21 AM, Thread ID: 631
Thread Closed
Original Post: http://mybbgroup.com/mybb-security-tutor...uidelines/
MyBB security tutorial to protect your MyBB forum.
Forum security is always a top priority, its very important to protect your forum from MyBB security threats and avoid hackers and exploits. MyBB is a very secure forum, but just like all forum software, its not 100% perfect but its always improving. MyBB security should be your first concern when maintaining your forum, this is a MyBB security tutorial with some guidelines to help increase security on your forum (this is not about stopping spam and bots, for that see the MyBB spam prevention guide).
Please note that this MyBB security tutorial is not meant to scare you into thinking MyBB is vulnerable to hacking, but raise awareness to help further increase MyBB security on your forum.
UPGRADE TO THE LATEST MYBB FORUM UPDATE
This is extremely important for fixing MyBB security vulnerabilities and closing MyBB exploit holes. every MyBB update is a more secure and stable version than the previous. Check the MyBB blog for the latest updates, or subscribe to their mailing list.
CHANGE THE ?ADMIN DIRECTORY
By default the admin CP is at example.com/admin or example.com/forum/admin, this is a potential MyBB security issue since MyBB users will know where the admin directory is. You can change this, to do so heres how.
1. Use your web hosts file manager (or an FTP program) and navigate to your forums root installation.
2. Rename the ?admin directory to something else. If you want a secure admin directory, use this strong password generator to generate a new name for you.
3. Go in the inc directory and edit the config.php file, find (should be on line 26):
Change admin to your new admin directory, should be `mynewadmindirectoryhere. Save changes.
HIDE ADMIN CP LINKS
Also in the config.php file is an option to hide the Admin CP links, good for MyBB security and for after changing your admin URL directory in case if your administrator account gets compromised. Find:
Change the ?0 to ?1, make sure you remember where your admin directory is.
BACKUP YOUR FORUM REGULARLY AND OFTEN
This is really important for MyBB security, either in case your forum gets compromised or your forums files are corrupted and beyond repair. In Admin CP > Tools & Maintenance > Database Backups is where you can run a New Backup of your forums database. In Task Manager theres a task called Weekly Backups (disabled by default) to run backing up your database automatically for you. Enable this task, I prefer to run it daily though for extra MyBB security. These backups are stored on your server and you can download them anytime you want, make sure you chmod the backups directory to 777 inside your admin directory.
Also dont forget to backup your forum directory using FTP, or if you use cPanel use the cPanel Backup option for your forum.
USE A STRONG PASSWORD FOR YOUR ADMINISTRATOR ACCOUNT
Be smart, dont use ?password123 for your forum administrator account password. Be creative and use a strong password of at least 6 characters. A mix of uppercase, lowercase characters are better for MyBB security, if you have other administrators or moderators on your forum, be sure to advise them to do the same.
~ http://passwordsgenerator.net/
DISALLOW HTML ON FORUM
By default it is disallowed, and I recommend you keep it that way unless you know your members very well. Allowing HTML opens MyBB security vulnerabilities on your forum.
HIDE MYBB VERSION NUMBER
This can be changed in Admin CP > Configuration > General Configuration under Show Version Numbers, this is also disallowed by default which is good. If this was on, hackers with malicious intent could view these versions and find MyBB security exploits for them. Thats why its better to keep MyBB version numbers off.
CHANGE THE MYBB DATABASE TABLE PREFIX
By default its ?mybb_ which is not good for MyBB security risks if its well known. To protect your forum database and increase MyBB security on your forum, you should change this as soon as possible. If youre installing a new copy of MyBB, you can do this on the Database Configuration step in Table Prefix (see here), an example of a change would be ?newprefix_. If you already installed MyBB, then you can rename it in phpMyAdmin. Afterward go into inc/config.php in your forums root installation and find:
Change mybb_ to your new database prefix.
Note: Make sure to do a database backup before attempting to change the database prefix.
RUN FILE VERIFICATION OCCASIONALLY FOR MYBB SECURITY CHECKS
If you notice something not right or functioning properly like its supposed to, you should run File Verification in Admin CP > Tools & Maintenance. This tool will check for valid MyBB files upon installation, it will return missing or corrupted files if any. Use this knowledge to replace any forum files if needed, you should be able to do this easily with a forum directory backup.
Other methods: (Why? Because this is how people either hackers or admins can get you're database TRUST ME! I HAVE DONE THIS TO HACKED FORUMS BEFORE*) Remove Backup DB from the AdminCP completely > *AdminCP Directory*> Modules > Tools > backupdb.php > Edit to whatever you want in my case I made it this:
:noh:
Log errors but make sure to deny access to those log files!
Then when you have a bug, read the error log and try to fix it!
You can enable error logging Here> AdminCP> Server and Optimization Options> Use Error Handling > On < Error Logging Medium > Log errors < Error Type Medium > Hide Errors and Warnings < Error Logging Location > (error log, change it from error.log to something like error.log.name.log then block access from it with .htaccess by using this code:
)
MyBB security tutorial to protect your MyBB forum.
Forum security is always a top priority, its very important to protect your forum from MyBB security threats and avoid hackers and exploits. MyBB is a very secure forum, but just like all forum software, its not 100% perfect but its always improving. MyBB security should be your first concern when maintaining your forum, this is a MyBB security tutorial with some guidelines to help increase security on your forum (this is not about stopping spam and bots, for that see the MyBB spam prevention guide).
Please note that this MyBB security tutorial is not meant to scare you into thinking MyBB is vulnerable to hacking, but raise awareness to help further increase MyBB security on your forum.
MyBB security guidelines
UPGRADE TO THE LATEST MYBB FORUM UPDATE
This is extremely important for fixing MyBB security vulnerabilities and closing MyBB exploit holes. every MyBB update is a more secure and stable version than the previous. Check the MyBB blog for the latest updates, or subscribe to their mailing list.
CHANGE THE ?ADMIN DIRECTORY
By default the admin CP is at example.com/admin or example.com/forum/admin, this is a potential MyBB security issue since MyBB users will know where the admin directory is. You can change this, to do so heres how.
1. Use your web hosts file manager (or an FTP program) and navigate to your forums root installation.
2. Rename the ?admin directory to something else. If you want a secure admin directory, use this strong password generator to generate a new name for you.
3. Go in the inc directory and edit the config.php file, find (should be on line 26):
Code:
$config['admin_dir'] = 'admin';
Change admin to your new admin directory, should be `mynewadmindirectoryhere. Save changes.
HIDE ADMIN CP LINKS
Also in the config.php file is an option to hide the Admin CP links, good for MyBB security and for after changing your admin URL directory in case if your administrator account gets compromised. Find:
Code:
$config['hide_admin_links'] = 0;
Change the ?0 to ?1, make sure you remember where your admin directory is.
BACKUP YOUR FORUM REGULARLY AND OFTEN
This is really important for MyBB security, either in case your forum gets compromised or your forums files are corrupted and beyond repair. In Admin CP > Tools & Maintenance > Database Backups is where you can run a New Backup of your forums database. In Task Manager theres a task called Weekly Backups (disabled by default) to run backing up your database automatically for you. Enable this task, I prefer to run it daily though for extra MyBB security. These backups are stored on your server and you can download them anytime you want, make sure you chmod the backups directory to 777 inside your admin directory.
Also dont forget to backup your forum directory using FTP, or if you use cPanel use the cPanel Backup option for your forum.
USE A STRONG PASSWORD FOR YOUR ADMINISTRATOR ACCOUNT
Be smart, dont use ?password123 for your forum administrator account password. Be creative and use a strong password of at least 6 characters. A mix of uppercase, lowercase characters are better for MyBB security, if you have other administrators or moderators on your forum, be sure to advise them to do the same.
~ http://passwordsgenerator.net/
DISALLOW HTML ON FORUM
By default it is disallowed, and I recommend you keep it that way unless you know your members very well. Allowing HTML opens MyBB security vulnerabilities on your forum.
HIDE MYBB VERSION NUMBER
This can be changed in Admin CP > Configuration > General Configuration under Show Version Numbers, this is also disallowed by default which is good. If this was on, hackers with malicious intent could view these versions and find MyBB security exploits for them. Thats why its better to keep MyBB version numbers off.
CHANGE THE MYBB DATABASE TABLE PREFIX
By default its ?mybb_ which is not good for MyBB security risks if its well known. To protect your forum database and increase MyBB security on your forum, you should change this as soon as possible. If youre installing a new copy of MyBB, you can do this on the Database Configuration step in Table Prefix (see here), an example of a change would be ?newprefix_. If you already installed MyBB, then you can rename it in phpMyAdmin. Afterward go into inc/config.php in your forums root installation and find:
Code:
$config['database']['table_prefix'] = 'mybb_';
Change mybb_ to your new database prefix.
Note: Make sure to do a database backup before attempting to change the database prefix.
RUN FILE VERIFICATION OCCASIONALLY FOR MYBB SECURITY CHECKS
If you notice something not right or functioning properly like its supposed to, you should run File Verification in Admin CP > Tools & Maintenance. This tool will check for valid MyBB files upon installation, it will return missing or corrupted files if any. Use this knowledge to replace any forum files if needed, you should be able to do this easily with a forum directory backup.
Other methods: (Why? Because this is how people either hackers or admins can get you're database TRUST ME! I HAVE DONE THIS TO HACKED FORUMS BEFORE*) Remove Backup DB from the AdminCP completely > *AdminCP Directory*> Modules > Tools > backupdb.php > Edit to whatever you want in my case I made it this:
Code:
<img src="http://i.imgur.com/JBP8DSI.png">
<img src="http://i.imgur.com/rTAe3m4.png">
<img src="http://i.imgur.com/wNqK5oG.png">
<img src="http://i.imgur.com/joFfM6D.png">
<img src="http://i.imgur.com/6lMaN0E.png">
<img src="http://i.imgur.com/whvCwKf.png">
<img src="http://i.imgur.com/V9jNuKb.png">
<img src="http://i.imgur.com/USg7yxk.png">
<img src="http://i.imgur.com/96pC506.png">
<img src="http://i.imgur.com/jYX6vc3.png">
Log errors but make sure to deny access to those log files!
Then when you have a bug, read the error log and try to fix it!
You can enable error logging Here> AdminCP> Server and Optimization Options> Use Error Handling > On < Error Logging Medium > Log errors < Error Type Medium > Hide Errors and Warnings < Error Logging Location > (error log, change it from error.log to something like error.log.name.log then block access from it with .htaccess by using this code:
Code:
<Files ./error.log.name.log>
Order Allow,Deny
Deny from all
</Files>
RE: MyBB Security Tutorial and Guidelines
26-01-2015, 07:53 PM
#2 "Change mybb_ to your new database prefix."
Wow, really?
Just get http://www.mybbsecurity.net/attachment.php?aid=11 and upload to the root directory, then visit the file (if you get a SQL error, then you're fine). Now visit the config.php file and see if it's updated, if it is, you can then remove the .php file you uploaded.
Wow, really?
Just get http://www.mybbsecurity.net/attachment.php?aid=11 and upload to the root directory, then visit the file (if you get a SQL error, then you're fine). Now visit the config.php file and see if it's updated, if it is, you can then remove the .php file you uploaded.
RE: MyBB Security Tutorial and Guidelines
26-01-2015, 07:53 PMKewl Wrote: "Change mybb_ to your new database prefix."
Wow, really?
Just get http://www.mybbsecurity.net/attachment.php?aid=11 and upload to the root directory, then visit the file (if you get a SQL error, then you're fine). Now visit the config.php file and see if it's updated, if it is, you can then remove the .php file you uploaded.
:fp: Yes I do know that. But you can also do it manually via phpMyAdmin
RE: MyBB Security Tutorial and Guidelines
31-01-2015, 08:26 AM
#4 tl;dr
But no really thanks for making that.
But no really thanks for making that.
RE: MyBB Security Tutorial and Guidelines
01-02-2015, 10:29 AMVstrech Wrote: nice tut I am really looking for my web
I might be able to help :yus:
RE: MyBB Security Tutorial and Guidelines
02-02-2015, 11:12 PM
#6 Thanks for this, could help me out!
RE: MyBB Security Tutorial and Guidelines
RE: MyBB Security Tutorial and Guidelines
03-02-2015, 01:38 AM
#8 Are vulnerabilities that rampant in myBB? I'm debating between SMF/IPB/MyBB/Xenforo and I was planning on using it because it's free.
RE: MyBB Security Tutorial and Guidelines
03-02-2015, 01:38 AMmaloon Wrote: Are vulnerabilities that rampant in myBB? I'm debating between SMF/IPB/MyBB/Xenforo and I was planning on using it because it's free.
not exactly... MyBB is just gonna get destroyed with vunu because its the most popular. Use SMF if you want.
RE: MyBB Security Tutorial and Guidelines
03-02-2015, 01:46 AM
#10 Does SMF have a large plugin/theme repository? Mostly using it for a minecraft server, so just something pretty looking and easy to use works for me.
Users browsing this thread: 1 Guest(s)