Security Thread, Get/Post your tips here!

[litewarez]

Just bumping this thread back up so you can all check it once again!!!

This aint one of them "It wont happen to me" shit! look around you.. alot of people have got hacked so please read and implement ideas from this thread!

[hatem20]

Really Important Tips .. Are these tips for Forums only (VB..) or others scripts like WordPress and DataLife Engine ?

Thanks LW.

[J4ck]

Not save passwords + keyscrambler
if ur freak about security and paranoid encrypt ur os with truecrypt
get vpn if you can
if your coding your own website make sure u parse proper all user input/output so theres no chance of sql injection, post injection xss etc...
have separate mails for different stuff, different passwords on everything

[litewarez]

Really Important Tips .. Are these tips for Forums only (VB..) or others scripts like WordPress and DataLife Engine ?

Thanks LW.

These tips are general daily life tips for every webmasters! if you read threw them you would of seen that lol

[Nemesis]

Main one that obv has been posted b4. Don't use the same pass for more then 2 sites.

[Profit]

Not sure if this was stated before but for vBulletin webmasters:

- Change the location of your admin and mod directories. Make it something like yoursite.com/area51/adminx / modx, etc..

- Remove ALL admin login links from your site. This includes the admin and mod links in the footer, edit user profile in the members profile section, remove the forum options section in the topic display area, but leave the rest of the options as they only redirect to the basic login page.

- Never share your mod or admin link with anyone who asks. Give it to a staff member and establish a type of code he can say when he needs it again. This way if he was ever hacked and you ask him a question and he cannot answer, you will know its not him.

This is definitely a handy little trick.

Also password protect the admin directory.

EDIT: Seen it in the original post. I just explained it a little bit more.

[barcodenation]

http://www.vbulletin.com/forum/showt...n-and-security

[info move]

Great post, here's something I would add:

- On vBulletin, rename and move your config.php file

Code: 

http://www.vbulletin.org/forum/showthread.php?t=198856

- While you should move your admin panel, also set up a fake one that is just a login screen, and get it to report any login attempts to you.
- If you're new to a vps then install CSF Firewall, it's not the best, but by far the easiest to use and learn. Also, follow the guides it has on it
- Don't delete the Install directory! Delete all the important files in it, except maybe a few useless text files, and an index.html so that they can't see the files. It get's the hackers hopes up
- If you're on a vps, don't use the root account, make a new account with root privileges named something more genuine
- Once again, for a vps, disable /cpanel and preferably move the cPanel port
- Disable any file extensions you don't use, this could help deter scripts, and you can do this through .htaccess

Hope this helps some people

[litewarez]

Updated with some more tips and a cleaner thread layout !, Please proceed to post your tips if you have any new ones

[desiboy]

hi, some one please point me to a guide to prevent xss attacks in forms by filtering, etc.
thanks.

btw theres a xss vulnerability on tizag.com itself