    #1 Member (88power88)

    MyBB – Forum security and what to do when hacked

    How to secure your forum

    Strong passwords

    Your password should contain lowercase and uppercase letters, numbers, and symbols. This means it'll be much harder to guess or crack. You shouldn't use actual words in a password, but a random mixture of letters, numbers and symbols. For example, p455w0rd123 is not secure, whereas G6ga5^&ha@6D3 is secure and will be a lot harder to guess or crack. If a dictionary list is used to bruteforce a login, having full words in your password could mean there's a match; if the password is random characters, this won't be possible. A 10-character password has 3,700,000,000,000,000 possible combinations, and would take a human 580,000,000 years, or a computer 59 years, to crack. You can read more about that here.

    Check your CHMOD permissions

    As a general rule, all files should be CHMOD to 644, and all folders should be CHMOD to 755. If files or folders are given extra permissions, it may be a security risk. There are, however, some files and folders that need different CHMOD permissions to enable them to work.


    • Required – ./inc/settings.php – 666
    • Required – ./inc/config.php – 666 (install), 444 (after installation)
    • Required – ./cache/ – 777
    • Required – ./cache/themes/ – 777
    • Required – ./uploads/ – 777
    • Required – ./uploads/avatars/ – 777
    • Optional – ./admin/backups/ – 777
    • Optional – ./inc/languages/*language*/*all files* – 666
    • Optional – ./inc/languages/*language*/admin/*all files* – 666


    Protect your config.php file

    When you install your forum, ./inc/config.php needs to be CHMOD to 666 so that the database details can be written to it. However, once you've installed, this isn't necessary, and having this file CHMOD to 666 can be a security risk. Once you've installed, you can CHMOD config.php to 444. Note that sometimes it will need to be CHMOD to 666 for an upgrade script to be run; however, if this CHMOD is necessary and your file is not set as such, the upgrader will tell you.
    You can also use a .htaccess rewrite rule to block direct access to the config.php file. To do this, create a file called .htaccess in your ./inc/ folder, and put this code in it:
    <files config.php>
    Order deny,allow
    deny from all
    </files>
    Now, whenever someone goes to yoursite.com/inc/config.php, instead of a blank page, they'll get a 403 Forbidden error.

    Make regular backups

    Database backups are essential. Files, plugins and themes can be replaced if they get lost, but a database cannot. Make sure you make regular backups, and save them on your own computer or USB stick. Don't rely solely on the MyBB backup directory for your backups, found at ./admin/backups/; if all of your files get deleted, these backups will get deleted too. Aim to download a backup to your computer every week, or when you make some major changes or additions to your forum, and check that it is complete by uploading it to a localhost installation.

    Use another account as your admin account

    If someone is trying to hack your forum, they'll automatically target the admin account, to try and get ACP access. A hacker will know that the admin user will have a coloured username and show on the forum team page, and it's easy to stop this. First, register a new account. Then, create a new usergroup, and give it ACP access, give the username the same style as normal registered members, and put the new user into that group; this will be the account you use to administrate your forum. Now, remove the ACP access from the standard administrator usergroup. You can now still use your usual account to post, and it will look like you are an admin, but you won't have any ACP access, so any hacker that hacks your account will see that it was a waste of time. Plus, they could never find the user that does have ACP access, as that member would have a username in the style of a normal user.

    Rename your admin directory and hide ACP link

    MyBB gives you the ability to rename the 'admin' folder to something else. Although this is a weak form of security, it can still at least slow down a hacker; if they don't know what your admin directory is called, they can't try to login to it. To change this, look at line 26 of ./inc/config.php:
    $config['admin_dir'] = 'admin';
    Change the value of this variable, from admin, to whatever you want your admin directory to be called, and then rename the actual ./admin/ folder to the same value. Then, instead of going to yoursite.com/admin/index.php, you would go to yoursite.com/newname/index.php.
    Along with this, MyBB gives you the ability to remove the link to the ACP from the welcomeblock. After all, what's the point in renaming the admin directory for security purposes if someone can login as your account as normal and just click the link in the welcomeblock? To do this, look at line 36 of ./inc/config.php:
    $config['hide_admin_links'] = 0;
    Then, change this to:
    $config['hide_admin_links'] = 1;
    Now, the link to the ACP will be removed from your welcomeblock, so you will have to manually type your admin directory when you want to open it, but this means that a hacker won't know where it is if you rename the directory.

    Disallow HTML in posts

    In the settings for each forum, there is the ability to allow HTML to be posted. It is advised that you disallow this unless it is absolutely necessary. Although MyBB attempts to block any malicious scripts being parsed, there is still a chance that someone could post malicious HTML. If you have HTML allowed in all forums and would like to turn it off, run this query in phpMyAdmin:
    UPDATE `mybb_forums` SET `allowhtml` = '0';
    Then, you need to go to ACP > Tools & Maintenance > Cache Manager > forums > Rebuild Cache. Now, HTML will be disallowed in all forums.

    Hide your version number

    If you show your version numbers in your forum's footer, you are advertising to hackers what version you're using, and if your MyBB version is out-of-date, showing that you are on an older version is almost asking them to hack you. To turn off the version number, go to ACP > Configuration > General Configuration > Show Version Numbers > Off. Now, the version number won't show.

    Keep up-to-date with upgrades

    Whenever an upgrade is released, you should upgrade to it as soon as you can. Upgrades are usually maintenance (bugs), security, or feature releases. If there is a security release, you should upgrade to make sure you won't get hacked via the exploit that's being patched. You should use the Version Check feature in your ACP regularly, and you should also subscribe to the MyBB Mailing List to be emailed on new updates.
    Once you've done this, your forum should be as secure as possible. However, a hacker may still somehow find a way in, and if that happens, you need to know what to look for, and what steps to take.

    What to do if you get hacked

    Upgrade to most recent release

    Upgrading to the most recent release won't solve the results of you being hacked, but it will make sure your forum is secure.

    Reset passwords

    Once you are able to, you should immediately change your forum password, and also the password to your database. This is to make sure that the hacker can't just login to anything again; new passwords mean they're back to where they were before. If you change your database password you will need to update it in ./inc/config.php too.

    Check for new users

    Check all new users registered after the time the hacker gained access to the forum; there may be a chance one of them has been added to a group with ModCP or ACP access, or they may have even created a new usergroup for a user. If you see anything like this, delete it.

    Reupload all files

    Download the MyBB package, and upload all of the MyBB files, except ./inc/settings.php. This will make sure that all of your files are clean, and there isn't any malicious code in any of them. Make a note of any file changes you have made before doing this, though, so you can make them again after. This process will also make sure you have all the most recent files; you may have missed an important file in a security upgrade which contained the exploit that was used to hack you.

    Check your CHMOD permissions

    As above, check your CHMOD permissions after you have reuploaded the files. Make sure you're not giving files or folders extra permissions that they don't need.

    Delete settings.php

    Head to your ./inc/ folder and download your copy of settings.php, and then delete it from your server. It will be generated again, with the correct values from the database, and then we'll know it's a clean copy of the file, with no malicious code. You may need to click around on the forum a bit to get it to regenerate; the downloaded file is there so you can upload it again should it fail to regenerate automatically.

    Rebuild config.php

    You can manually remake your config.php to make sure it's clean. Use this code to rebuild the file, and enter in your database details. Also make sure you change any other settings you need to, for example, the admin directory, hiding ACP links, or super admins.

    Check your templates for malicious code

    A common result of being hacked is having malicious code added to your templates, meaning it's executed whenever a page is loaded. A common place for code to be added is the header, headerinclude, index, and footer templates, as these templates are loaded the most. Check all templates, however, that aren't default (have their name in green) and remove any code that isn't supposed to be there. It's usually in <script> tags and is usually a load of random numbers and letters. This should be removed as soon as possible.
    Posted by 88power88. Rating: 5
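The post's CHMOD table appears twice (once under "How to secure your forum", once as a post-incident step) and both times the check is done by eye. The script below is an added example, not code from the post or from the MyBB project: it walks a forum root and reports every file or directory whose permission bits differ from the table, using the post's required/optional exceptions. The extra findings (setuid/setgid bits, symlinks under the web root, and a .php file sitting inside a world-writable upload directory, which is the classic dropped web shell) are my additions. It assumes a POSIX filesystem and that the admin directory has not been renamed; the sample tree it builds in a temp directory is constructed for the demonstration.

```python
"""Audit a MyBB tree against the CHMOD table in the post (added example)."""
import os
import stat
import tempfile

DEFAULT_FILE = 0o644
DEFAULT_DIR = 0o755

# Exceptions from the post, relative to the forum root. inc/config.php is
# 0o666 only while the installer or upgrader needs to write it.
FILE_EXCEPTIONS = {"inc/settings.php": 0o666, "inc/config.php": 0o444}
DIR_EXCEPTIONS = {"cache": 0o777, "cache/themes": 0o777, "uploads": 0o777,
                  "uploads/avatars": 0o777, "admin/backups": 0o777}
LANG_PREFIX = "inc/languages/"          # optional 0o666 on language files
# Writable directories the web server also serves: a dropped .php file here
# is a web shell. cache/ is left out because MyBB's disk cache handler
# writes .php files there legitimately (my assumption; check your install).
WRITABLE_WEB_DIRS = ("uploads", "admin/backups")


def expected_modes(rel, is_dir):
    """Set of acceptable permission bits for one relative path."""
    if is_dir:
        return {DIR_EXCEPTIONS.get(rel, DEFAULT_DIR)}
    if rel in FILE_EXCEPTIONS:
        return {FILE_EXCEPTIONS[rel]}
    if rel.startswith(LANG_PREFIX):
        return {DEFAULT_FILE, 0o666}
    return {DEFAULT_FILE}


def audit(root):
    """Walk the forum root and return (relative path, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink inside the web root; check its target"))
                continue
            perm = st.st_mode & 0o777
            allowed = expected_modes(rel, is_dir)
            if perm not in allowed:
                want = "/".join(f"{m:04o}" for m in sorted(allowed))
                findings.append((rel, f"mode {perm:04o}, expected {want}"))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
            if not is_dir and name.lower().endswith((".php", ".phtml")) \
                    and any(rel.startswith(d + "/") for d in WRITABLE_WEB_DIRS):
                findings.append((rel, "PHP file inside a writable directory"))
    return findings


def make_sample_tree(tampered=False):
    """Constructed MyBB-like tree in a temp dir; `tampered` plants two problems."""
    root = tempfile.mkdtemp(prefix="mybb-audit-")
    dirs = {"inc": 0o755, "inc/languages": 0o755, "inc/languages/english": 0o755,
            "cache": 0o777, "cache/themes": 0o777, "uploads": 0o777,
            "uploads/avatars": 0o777, "admin": 0o755, "admin/backups": 0o777}
    files = {"index.php": 0o644, "inc/functions.php": 0o644, "inc/config.php": 0o444,
             "inc/settings.php": 0o666, "inc/languages/english/global.lang.php": 0o666,
             "uploads/avatars/avatar_1.png": 0o644}
    if tampered:
        files["inc/functions.php"] = 0o777          # left world-writable
        files["uploads/shell.php"] = 0o644          # dropped web shell
    for d in dirs:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f, mode in files.items():
        path = os.path.join(root, f)
        open(path, "w").close()
        os.chmod(path, mode)
    for d, mode in dirs.items():                     # after the files, so writes succeed
        os.chmod(os.path.join(root, d), mode)
    return root


if __name__ == "__main__":
    for rel, what in audit(make_sample_tree(tampered=True)):
        print(f"{rel}: {what}")
```

Run it against a real install with `audit("/var/www/forum")` (path assumed); a clean tree returns an empty list. Deviations on files that are not in the exception table are the ones the post calls "extra permissions", and anything in the last category should be treated as a compromise indicator rather than a permissions slip.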
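Two of the post's incident steps, "Check for new users" and "Check your templates for malicious code", are database checks that are easy to get wrong by hand: a user can reach the ACP through an additional group rather than the primary one, and a template can pull script from an outside host without containing any obvious "random numbers and letters". This added example (mine, not the post's or MyBB's code) does both over the forum database. The column names follow MyBB's schema as I recall it (mybb_users.usergroup/additionalgroups/regdate, mybb_usergroups.cancp/canmodcp, mybb_templates.sid with -2 meaning the untouched master set) and should be verified against your install; the queries are plain enough to run on MySQL unchanged, but here they run against an in-memory SQLite database loaded with constructed rows so the script works offline. The hostnames, usernames and the incident timestamp are all made up.

```python
"""Post-compromise audit of a MyBB database (added example, not MyBB code).
Schema columns are assumptions from memory; check them against your install."""
import re
import sqlite3
from urllib.parse import urlparse

SCHEMA = """
CREATE TABLE mybb_usergroups (gid INTEGER, title TEXT, cancp INTEGER, canmodcp INTEGER);
CREATE TABLE mybb_users (uid INTEGER, username TEXT, usergroup INTEGER,
                         additionalgroups TEXT, regdate INTEGER);
CREATE TABLE mybb_templates (tid INTEGER, title TEXT, template TEXT, sid INTEGER);
"""

# Constructed sample data. INCIDENT is the unix time the attacker got in.
INCIDENT = 1_700_000_000
GROUPS = [(2, "Registered", 0, 0), (4, "Administrators", 1, 1),
          (6, "Moderators", 0, 1), (9, "Helpers", 1, 0)]   # gid 9 should not have ACP
USERS = [(1, "owner", 4, "", INCIDENT - 10_000_000),
         (2, "alice", 2, "", INCIDENT - 500_000),
         (3, "bob", 2, "9", INCIDENT + 3_600),             # registered after the break-in
         (4, "mallory", 4, "", INCIDENT + 7_200)]          # new primary administrator
TEMPLATES = [
    (1, "headerinclude", "<script type=\"text/javascript\" "
        "src=\"{$mybb->settings['bburl']}/jscripts/general.js\"></script>", 1),
    (2, "footer", "<div id=\"footer\">{$lang->all_times_are_gmt}</div>\n"
        "<script src=\"//cdn.evil-example.test/s.js\"></script>", 1),
    (3, "index", "<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script>", 1),
    (4, "header", "<script>eval('x')</script>", -2),        # master set: not scanned
]


def load_sample():
    """In-memory stand-in for the forum database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mybb_usergroups VALUES (?,?,?,?)", GROUPS)
    conn.executemany("INSERT INTO mybb_users VALUES (?,?,?,?,?)", USERS)
    conn.executemany("INSERT INTO mybb_templates VALUES (?,?,?,?)", TEMPLATES)
    return conn


def privileged_groups(conn):
    """{gid: (title, reach)} for every group that can open the ACP or ModCP."""
    rows = conn.execute("SELECT gid, title, cancp, canmodcp FROM mybb_usergroups "
                        "WHERE cancp = 1 OR canmodcp = 1")
    return {gid: (title, "ACP" if cancp else "ModCP") for gid, title, cancp, _ in rows}


def privileged_users(conn, since):
    """Every user whose primary or additional groups are privileged. 'new' marks
    accounts registered at or after `since`; those, and any privileged group you
    did not create yourself, are what the post says to delete."""
    priv = privileged_groups(conn)
    out = []
    for uid, name, primary, extra, regdate in conn.execute(
            "SELECT uid, username, usergroup, additionalgroups, regdate FROM mybb_users"):
        gids = {primary} | {int(g) for g in (extra or "").split(",") if g.strip()}
        hits = sorted(gids & priv.keys())
        if hits:
            out.append({"uid": uid, "username": name, "new": regdate >= since,
                        "groups": [f"{priv[g][0]} ({priv[g][1]})" for g in hits]})
    return out


# [^<]*? rather than [^>]* because MyBB template variables like {$mybb->settings}
# contain '>' inside attribute values.
SCRIPT_SRC = re.compile(r"""<script\b[^<]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\ssrc)[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION = re.compile(r"\b(?:eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(")
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=%]{80,}")      # base64 / percent-encoded blob
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


def scan_templates(conn, trusted_hosts):
    """(title, tid, reason) for each customised template that loads script from
    an untrusted host, carries obfuscated inline script, or hides an iframe."""
    findings = []
    rows = conn.execute("SELECT tid, title, template, sid FROM mybb_templates WHERE sid <> -2")
    for tid, title, body, _sid in rows:
        for dq, sq in SCRIPT_SRC.findall(body):
            host = urlparse(dq or sq).hostname    # None for relative or {$bburl}-style sources
            if host and host not in trusted_hosts:
                findings.append((title, tid, f"script loaded from {host}"))
        for inline in INLINE_SCRIPT.findall(body):
            if OBFUSCATION.search(inline) or ENCODED_RUN.search(inline):
                findings.append((title, tid, "obfuscated inline script"))
        if HIDDEN_IFRAME.search(body):
            findings.append((title, tid, "hidden iframe"))
    return findings


if __name__ == "__main__":
    db = load_sample()
    for u in privileged_users(db, INCIDENT):
        print(("NEW  " if u["new"] else "     ") + u["username"].ljust(10) + ", ".join(u["groups"]))
    for title, tid, reason in scan_templates(db, {"forum.example.test"}):
        print(f"template {title} (tid {tid}): {reason}")
```

On a real forum, replace `load_sample()` with a connection to the live database and pass your own domain (plus any CDN you deliberately use) as `trusted_hosts`; a legitimate headerinclude only references `{$mybb->settings['bburl']}` paths, so it produces no finding. The user check deliberately lists long-standing administrators too, because an attacker who already holds ACP access can just as easily add a group to an old account as register a new one.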

    #2 Member
    Website's:
    MwMaster.co
    Very helpful... thanks for sharing.
