1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Six Methods to Protect Your MyBB Forums

Discussion in 'Forum Management' started by Guthix121, Feb 10, 2009.

  1. #1
    Six Methods to Protect Your MyBB Forums
    A tutorial brought to you by MyBB Studios.

    MyBB is a very secure software. The files are all carefully coded to keep out hackers and viruses. However, there are still ways that your forums could be hacked. Most of them can be prevented, though.

    PS: Except for the first method below, the other five steps can be used for any forum software really. I recommend you use them if you are using any other software as well.

    Rename Your Admin Directory
    Everyone on the support forums just can't stress this enough! It is very important that you rename your admin directory. How does somebody hack an admin area if they do not know where the files are located? It's very simple, actually.

    To do this, enter your web host's control panel and go to the File Manager. Alternatively, you can use an FTP program like FileZilla. Find the directory called 'admin', and simply rename it to something else (it is suggested to rename it to something cryptic, like 87y2ut).

    Then, find the config.php file in the 'inc' directory. Look for the following code:

    Change the text in red to the new name of your admin directory.

    .HTAccess Protect Your Admin Directory
    Renaming the admin directory is just step 1 of 3 different processes you can use to rename your directory. The following code snippet will check for somebody's IP address. If their IP address does not match the one that you specify, they will be redirected to your index.

    To do this, create a .htaccess file in your admin directory. Add the following code:

    Change the green to your IP address (using the format specified), and the red to the domain you wish to redirect other people.

    If you have multiple administrators, use the following code instead:

    Change the green to each of the IP addresses, and the red to the domain you wish to redirect other people.

    Password Protect Your Admin Directory
    This is the simplest method of protecting your admin directory. This adds an additional requirement to getting access to the admin directory. Now, people will need an administrative account, correct user password, AND the directory password.

    If you use DirectAdmin, go to 'Password Protected Directories' directories. Then, click on 'Find a Directory to Password Protect'. Go to your MyBB root folder, and click 'Protect' next to your admin directory.
    Then, follow the instructions on the screen to set up a password.

    If you use cPanel, go to 'Password Protect Directories' under Security. Then, click on the icons to open up directories until you find the admin directory. Then, click on it.

    You will be given the option to set up individual user accounts, which might be a good idea to be able to manage who gets access and who doesn't.

    NOTE: If an administrator on your board who had access gets fired, quits, or retires, I suggest you change the password. For this reason I prefer the cPanel method of different users, because you can then simply delete their access privileges.

    Deny External Access to the Config File
    Sometimes, plain old permissions isn't enough. This is an .htaccess method that will give anybody who tries to access the config file a 403 error. Your MyBB Forums will still be able to run normally, however. This will protect it from external access only.

    Create an .htaccess file in your 'inc' directory, and add the following code:
    Keep Your Passwords Strong!
    The number 1 cause of hacking attempts going well is bad passwords on the administrator's behalf. It is not hard to make a good password. If you are that lazy, I will generate one for you!

    In fact, since a phishing attempt has been made on my account at Digital Point, I keep all of my passwords for important accounts (like PayPal) so complicated that even I don't know them! I actually have to take out a slip of paper and type it in every single time I want to log in. That's how important it is.

    Your passwords should be cryptic, contain uppercase and lowercase letters, numbers, and symbols. It should also be at least 16 characters, maybe more. In fact, according to Blogussion, a simple ten character password can take up to 580 million years to decode! Now isn't that the kind of protection you would want?

    Remember to Update
    New versions are posted for a reason. While they do fix a lot of bugs, a bunch of times they patch up an important security exploit. Especially now that this exploit is announced to the public, why would you want to keep your forum vulnerable? MyBB has a nifty way of reminding you within your ACP when new updates are available.

    When I say update, I also mean plugins. Plugins can server as a little back door to a huge mansion called MyBB. If you keep this door unlocked, who knows what can get in?


    That's all for now. In addition to the above, these habits are recommended for everyone:
    • Change your password often. If a hacker somehow finds out your password, image how they'll feel after they learn you recently changed it!

    • Remove the version numbers. If you do not update your software for whatever reasons, think of version numbers as billboard signs saying 'MY FORUM IS NOT UP TO DATE! HACK ME!!!' Not a message you want to send to hackers.

      To disable version numbers, go to 'General Configuration' under 'Board Settings' in your Admin CP. Find 'Show Version Numbers' and set it to 'Off'.

    • Make sure only necessary files have writable permissions. Even though your Admin CP says that you should have your config.php file CHMOD 777, I really don't see why... This is a very stupid thing to do, and can risk your entire board.
    • Make and download backups regularly. MyBB already has a feature in it's task manager that already makes backups for you. All you need to do is download them to your computer. I personally download backups once every two weeks, or less if there is a burst of activity. It all depends on how big your forums are. Sometimes once a week isn't going to cut it.

      I don't know why it hasn't been made yet, but somebody should make a plugin that emails you backups of your forums every X amount of days (Hint Hint ;))
    Six Methods to Protect Your MyBB Forums - Copyright © 2009 MyBB Studios, all rights reserved.

    Disclaimer: Any methods here are only advice. They reduce the chances of your forum getting hacked, they do not eliminate it. MyBB Studios is not responsible for any damages or such caused by directly or indirectly using any methods on this tutorial. Anything you do is done at your own risk.
    Guthix121, Feb 10, 2009 IP
  2. davidmethew

    davidmethew Active Member

    Likes Received:
    Best Answers:
    Trophy Points:
    nice tips but I am using Fluxbb it works good for me...

    As forum should have much basic functions for posts and administration so Fluxbb works fine for me.
    davidmethew, Feb 12, 2009 IP
  3. speedy81

    speedy81 Active Member

    Likes Received:
    Best Answers:
    Trophy Points:
    Thank you for the tips. It helps. I didn't know about this "Remove the version numbers".
    speedy81, Feb 13, 2009 IP
  4. JuniorGen

    JuniorGen Greenhorn

    Likes Received:
    Best Answers:
    Trophy Points:
    Great tips. I have a mybb forum. I don't know about mybb security so I try to find the ways to protect my forum from hacker's attacks. I just do rename admin directory and hide the admin link.
    JuniorGen, Nov 21, 2012 IP
  5. IG2010

    IG2010 Well-Known Member

    Likes Received:
    Best Answers:
    Trophy Points:
    Thank you for these tips, will look to work out some of these securities in my project
    IG2010, Dec 4, 2012 IP