Original Post: http://mybbgroup.com/mybb-security-tutor...uidelines/
MyBB security tutorial to protect your MyBB forum.
Forum security is always a top priority, it’s very important to protect your forum from MyBB security threats and avoid hackers and exploits. MyBB is a very secure forum, but just like all forum software, it’s not 100% perfect but it’s always improving. MyBB security should be your first concern when maintaining your forum, this is a MyBB security tutorial with some guidelines to help increase security on your forum (this is not about stopping spam and bots, for that see the MyBB spam prevention guide
Please note that this MyBB security tutorial is not meant to scare you into thinking MyBB is vulnerable to hacking, but raise awareness to help further increase MyBB security on your forum.
MyBB security guidelines
UPGRADE TO THE LATEST MYBB FORUM UPDATE
This is extremely important for fixing MyBB security vulnerabilities and closing MyBB exploit holes.
every MyBB update is a more secure and stable version than the previous. Check the MyBB blog
for the latest updates, or subscribe to their mailing list.
CHANGE THE “ADMIN” DIRECTORY
By default the admin CP is at example.com/admin or example.com/forum/admin, this is a potential MyBB security issue since MyBB users will know where the admin directory is. You can change this, to do so here’s how.
1. Use your web host’s file manager (or an FTP program) and navigate to your forum’s root installation.
2. Rename the “admin” directory to something else. If you want a secure admin directory, use this strong password generator to generate a new name for you.
3. Go in the inc directory and edit the config.php file, find (should be on line 26):
$config['admin_dir'] = 'admin';
Change admin to your new admin
directory, should be `mynewadmindirectoryhere
’. Save changes.
HIDE ADMIN CP LINKS
Also in the config.php
file is an option to hide the Admin CP links, good for MyBB security and for after changing your admin URL directory in case if your administrator account gets compromised. Find:
$config['hide_admin_links'] = 0;
Change the “0″ to “1″, make sure you remember where your admin directory is.
BACKUP YOUR FORUM REGULARLY AND OFTEN
This is really important for MyBB security, either in case your forum gets compromised or your forum’s files are corrupted and beyond repair. In Admin CP > Tools & Maintenance > Database Backups
is where you can run a New Backup of your forum’s database. In Task Manager there’s a task called Weekly Backups (disabled by default) to run backing up your database automatically for you. Enable this task, I prefer to run it daily though for extra MyBB security. These backups are stored on your server and you can download them anytime you want, make sure you chmod the backups directory to 777 inside your admin directory.
Also don’t forget to backup your forum directory using FTP, or if you use cPanel use the cPanel Backup option for your forum.
USE A STRONG PASSWORD FOR YOUR ADMINISTRATOR ACCOUNT
Be smart, don’t use “password123″ for your forum administrator account password. Be creative and use a strong password of at least 6 characters. A mix of uppercase, lowercase characters are better for MyBB security, if you have other administrators or moderators on your forum, be sure to advise them to do the same.
DISALLOW HTML ON FORUM
By default it is disallowed, and I recommend you keep it that way unless you know your members very well. Allowing HTML opens MyBB security vulnerabilities on your forum.
HIDE MYBB VERSION NUMBER
This can be changed in Admin CP > Configuration > General Configuration
under Show Version Numbers, this is also disallowed by default which is good. If this was on, hackers with malicious intent could view these versions and find MyBB security exploits for them. That’s why it’s better to keep MyBB version numbers off.
CHANGE THE MYBB DATABASE TABLE PREFIX
By default it’s “mybb_” which is not good for MyBB security risks if it’s well known. To protect your forum database and increase MyBB security on your forum, you should change this as soon as possible. If you’re installing a new copy of MyBB, you can do this on the Database Configuration step in Table Prefix (see here
), an example of a change would be “newprefix_”. If you already installed MyBB, then you can rename it in phpMyAdmin. Afterward go into inc/config.php in your forum’s root installation and find:
$config['database']['table_prefix'] = 'mybb_';
to your new database prefix.
Make sure to do a database backup before attempting to change the database prefix.
RUN FILE VERIFICATION OCCASIONALLY FOR MYBB SECURITY CHECKS
If you notice something not right or functioning properly like it’s supposed to, you should run File Verification in Admin CP > Tools & Maintenance
. This tool will check for valid MyBB files upon installation, it will return missing or corrupted files if any. Use this knowledge to replace any forum files if needed, you should be able to do this easily with a forum directory backup.
Other methods: (Why? Because this is how people either hackers or admins can get you're database TRUST ME! I HAVE DONE THIS TO HACKED FORUMS BEFORE*) Remove Backup DB from the AdminCP completely > *AdminCP Directory*> Modules > Tools > backupdb.php > Edit to whatever you want in my case I made it this:
Log errors but make sure to deny access to those log files!
Then when you have a bug, read the error log and try to fix it!
You can enable error logging Here> AdminCP> Server and Optimization Options> Use Error Handling > On < Error Logging Medium > Log errors < Error Type Medium > Hide Errors and Warnings < Error Logging Location > (error log, change it from error.log to something like error.log.name.log then block access from it with .htaccess by using this code:
Deny from all