MyBB Security Tutorial and Guidelines

by Hug - 23-01-2015, 07:21 AM
Closed Account
Posts:
2,770
Joined:
Jan 2015
Likes:
140
Credits:
1,450
Reputation:
26
2 Years of Service
#1
OP
Posted: 23-01-2015, 07:21 AM (This post was last modified: 23-01-2015, 07:22 AM by Hug.)
Original Post: http://mybbgroup.com/mybb-security-tutor...uidelines/

MyBB security tutorial to protect your MyBB forum.

Forum security is always a top priority, it’s very important to protect your forum from MyBB security threats and avoid hackers and exploits. MyBB is a very secure forum, but just like all forum software, it’s not 100% perfect but it’s always improving. MyBB security should be your first concern when maintaining your forum, this is a MyBB security tutorial with some guidelines to help increase security on your forum (this is not about stopping spam and bots, for that see the MyBB spam prevention guide).

Please note that this MyBB security tutorial is not meant to scare you into thinking MyBB is vulnerable to hacking, but raise awareness to help further increase MyBB security on your forum.

MyBB security guidelines

UPGRADE TO THE LATEST MYBB FORUM UPDATE
This is extremely important for fixing MyBB security vulnerabilities and closing MyBB exploit holes. every MyBB update is a more secure and stable version than the previous. Check the MyBB blog for the latest updates, or subscribe to their mailing list.

CHANGE THE “ADMIN” DIRECTORY

By default the admin CP is at example.com/admin or example.com/forum/admin, this is a potential MyBB security issue since MyBB users will know where the admin directory is. You can change this, to do so here’s how.


1. Use your web host’s file manager (or an FTP program) and navigate to your forum’s root installation.

2. Rename the “admin” directory to something else. If you want a secure admin directory, use this strong password generator to generate a new name for you.

3. Go in the inc directory and edit the config.php file, find (should be on line 26):
Code:
$config['admin_dir'] = 'admin';

Change admin to your new admin directory, should be `mynewadmindirectoryhere’. Save changes.

HIDE ADMIN CP LINKS

Also in the config.php file is an option to hide the Admin CP links, good for MyBB security and for after changing your admin URL directory in case if your administrator account gets compromised. Find:
Code:
$config['hide_admin_links'] = 0;

Change the “0″ to “1″, make sure you remember where your admin directory is.

BACKUP YOUR FORUM REGULARLY AND OFTEN

This is really important for MyBB security, either in case your forum gets compromised or your forum’s files are corrupted and beyond repair. In Admin CP > Tools & Maintenance > Database Backups is where you can run a New Backup of your forum’s database. In Task Manager there’s a task called Weekly Backups (disabled by default) to run backing up your database automatically for you. Enable this task, I prefer to run it daily though for extra MyBB security. These backups are stored on your server and you can download them anytime you want, make sure you chmod the backups directory to 777 inside your admin directory.

Also don’t forget to backup your forum directory using FTP, or if you use cPanel use the cPanel Backup option for your forum.

USE A STRONG PASSWORD FOR YOUR ADMINISTRATOR ACCOUNT

Be smart, don’t use “password123″ for your forum administrator account password. Be creative and use a strong password of at least 6 characters. A mix of uppercase, lowercase characters are better for MyBB security, if you have other administrators or moderators on your forum, be sure to advise them to do the same.
~ http://passwordsgenerator.net/

DISALLOW HTML ON FORUM
By default it is disallowed, and I recommend you keep it that way unless you know your members very well. Allowing HTML opens MyBB security vulnerabilities on your forum.


HIDE MYBB VERSION NUMBER
This can be changed in Admin CP > Configuration > General Configuration under Show Version Numbers, this is also disallowed by default which is good. If this was on, hackers with malicious intent could view these versions and find MyBB security exploits for them. That’s why it’s better to keep MyBB version numbers off.

CHANGE THE MYBB DATABASE TABLE PREFIX
By default it’s “mybb_” which is not good for MyBB security risks if it’s well known. To protect your forum database and increase MyBB security on your forum, you should change this as soon as possible. If you’re installing a new copy of MyBB, you can do this on the Database Configuration step in Table Prefix (see here), an example of a change would be “newprefix_”. If you already installed MyBB, then you can rename it in phpMyAdmin. Afterward go into inc/config.php in your forum’s root installation and find:
Code:
$config['database']['table_prefix'] = 'mybb_';

Change mybb_ to your new database prefix.

Note: Make sure to do a database backup before attempting to change the database prefix.

RUN FILE VERIFICATION OCCASIONALLY FOR MYBB SECURITY CHECKS

If you notice something not right or functioning properly like it’s supposed to, you should run File Verification in Admin CP > Tools & Maintenance. This tool will check for valid MyBB files upon installation, it will return missing or corrupted files if any. Use this knowledge to replace any forum files if needed, you should be able to do this easily with a forum directory backup.

Other methods: (Why? Because this is how people either hackers or admins can get you're database TRUST ME! I HAVE DONE THIS TO HACKED FORUMS BEFORE*) Remove Backup DB from the AdminCP completely > *AdminCP Directory*> Modules > Tools > backupdb.php > Edit to whatever you want in my case I made it this:
Code:
<img src="http://i.imgur.com/JBP8DSI.png">
<img src="http://i.imgur.com/rTAe3m4.png">
<img src="http://i.imgur.com/wNqK5oG.png">
<img src="http://i.imgur.com/joFfM6D.png">
<img src="http://i.imgur.com/6lMaN0E.png">
<img src="http://i.imgur.com/whvCwKf.png">
<img src="http://i.imgur.com/V9jNuKb.png">
<img src="http://i.imgur.com/USg7yxk.png">
<img src="http://i.imgur.com/96pC506.png">
<img src="http://i.imgur.com/jYX6vc3.png">
:noh:

Log errors but make sure to deny access to those log files!
Then when you have a bug, read the error log and try to fix it!
You can enable error logging Here> AdminCP> Server and Optimization Options> Use Error Handling > On < Error Logging Medium > Log errors < Error Type Medium > Hide Errors and Warnings < Error Logging Location > (error log, change it from error.log to something like error.log.name.log then block access from it with .htaccess by using this code:
Code:
<Files ./error.log.name.log>
Order Allow,Deny
Deny from all
</Files>
)
theezy.
15-02-2015, 05:18 AM
We are!
Posts:
1,044
Joined:
Jan 2015
Likes:
108
Credits:
1,914
Reputation:
25
2 Years of Service
#2
Posted: 26-01-2015, 07:53 PM
"Change mybb_ to your new database prefix."
Wow, really?

Just get http://www.mybbsecurity.net/attachment.php?aid=11 and upload to the root directory, then visit the file (if you get a SQL error, then you're fine). Now visit the config.php file and see if it's updated, if it is, you can then remove the .php file you uploaded.
Closed Account
Posts:
2,770
Joined:
Jan 2015
Likes:
140
Credits:
1,450
Reputation:
26
2 Years of Service
#3
OP
Posted: 27-01-2015, 12:42 AM
(26-01-2015, 07:53 PM)Kewl Wrote: "Change mybb_ to your new database prefix."
Wow, really?

Just get http://www.mybbsecurity.net/attachment.php?aid=11 and upload to the root directory, then visit the file (if you get a SQL error, then you're fine). Now visit the config.php file and see if it's updated, if it is, you can then remove the .php file you uploaded.

:fp: Yes I do know that. But you can also do it manually via phpMyAdmin
Lurker
Posts:
7
Joined:
Jan 2015
Likes:
0
Credits:
0
Reputation:
0
2 Years of Service
#4
Posted: 31-01-2015, 08:26 AM
tl;dr
But no really thanks for making that.
Closed Account
Posts:
2,770
Joined:
Jan 2015
Likes:
140
Credits:
1,450
Reputation:
26
2 Years of Service
#5
OP
Posted: 01-02-2015, 08:27 PM
(01-02-2015, 10:29 AM)Vstrech Wrote: nice tut I am really looking for my web

I might be able to help :yus:
أ) هو ميمي)
Angels
Posts:
1,987
Joined:
Jan 2015
Likes:
113
Credits:
440
Reputation:
90
2 Years of Service
#6
Posted: 02-02-2015, 11:12 PM
Thanks for this, could help me out!
xxx
Closed Account
Posts:
2,770
Joined:
Jan 2015
Likes:
140
Credits:
1,450
Reputation:
26
2 Years of Service
#7
OP
Posted: 03-02-2015, 12:49 AM
(02-02-2015, 11:12 PM)Syntax_Error Wrote: Thanks for this, could help me out!

No problem.
Newbie
Posts:
10
Joined:
Feb 2015
Likes:
0
Credits:
2
Reputation:
0
2 Years of Service
#8
Posted: 03-02-2015, 01:38 AM
Are vulnerabilities that rampant in myBB? I'm debating between SMF/IPB/MyBB/Xenforo and I was planning on using it because it's free.
Closed Account
Posts:
2,770
Joined:
Jan 2015
Likes:
140
Credits:
1,450
Reputation:
26
2 Years of Service
#9
OP
Posted: 03-02-2015, 01:42 AM
(03-02-2015, 01:38 AM)maloon Wrote: Are vulnerabilities that rampant in myBB? I'm debating between SMF/IPB/MyBB/Xenforo and I was planning on using it because it's free.

not exactly... MyBB is just gonna get destroyed with vunu because its the most popular. Use SMF if you want.
Newbie
Posts:
10
Joined:
Feb 2015
Likes:
0
Credits:
2
Reputation:
0
2 Years of Service
#10
Posted: 03-02-2015, 01:46 AM
Does SMF have a large plugin/theme repository? Mostly using it for a minecraft server, so just something pretty looking and easy to use works for me.
The last reply on this thread is older than a month. Please do not unnecessarily bump it.
Register an account or login to reply
Create an account
Create a free account today and start posting right away. It only takes a few seconds.
Login
Log into an existing account.
1 Guest(s)