Securing a forum

[Meti]

Hey there,

Lets make this one of those long threads with useful information, shall we? Please share your security tips'n tricks below and I am sure that many forum owners will appreciate your tips.

Here are mine;

- You may wish to modify the adminCP/moderatorCP folders (this may require some modifications on the configuration settings)

- I often password protect directories that control the web site, for example the adminCP & moderatorCP are being password protected, and I provide each member a private user and password.

- Make sure your file permissions are set as low as possible, try to avoid having files CHMODDED at 777, doublecheck your configuration file so it has READ permissions only.

- Use a unique password for both your administrator user and don't ever use the same password for your webhost control panel as you do for your site.

- Change your password once in a while, and never assign a user full administration permissions (be careful with who you choose as staff).

- Make sure the forum platform is fully up to date, if there are any new versions the best way would be to upgrade asap, as there may be security fixes and further bug fixes released.

Share your own tips and tricks, and I am sure this will come to good use for all of us, remember, these are good tips although a very important factor is your web host, you should pick a reliable webhost.

- Meti

[temi]

Meti,
Excellent tips, are you talking about all forums generally or one forum software specifically, some of your suggestion goes with any forum thanks that is good, here are a few tips from me.
- Do not give a member of your backroom staff more permission than they need.
- Always remove or down grade the account of a staff that left very very quickly
- Make your forum software force you and other important member of your staff to change their password regularly and they should not use the same password twice in a year.
- Backup your forum after making any important changes or hitting a posting landmark.

[Meti]

Thanks for those excellent tips Temi, I am speaking of general security for any forum platform. You hit a very good point, make sure you do at least weekly backups in order to avoid any complications. Ask your web host regarding backups, most of them do daily/weekly backups.

Meti

[temi]

Meti,
I think in addition to you hosts backup, its better if you do a database dump of your site. Hosts are usually not very fast when it comes to helping restore a site but if you have a backup on your PC you can have your forum back online within a few minutes of disaster happening of you have you own db dump on your PC

[Meti]

Meti,
I think in addition to you hosts backup, its better if you do a database dump of your site. Hosts are usually not very fast when it comes to helping restore a site but if you have a backup on your PC you can have your forum back online within a few minutes of disaster happening of you have you own db dump on your PC

Agreed. I used to have an application that automatically connected with my mySQL server and backed up my databases, stored them at my own PC. However, I had that software on my previous machine, cannot seem to find it any more.

Meti

[Shadab]

Some more tips :

1. IP Protect your AdminCP directory.

Find out your IP address (or IP range, if you have a dynamic ip address), and then restrict access to your AdminCP directory for all IPs, except your own IP address; using an .htaccess file placed in your adminCP directory.

Example : If your IP range is 122.154.*.*
Then you can use this .htaccess code to restrict the access :

Code:

order deny,allow
deny from all
allow from 122.154.

2. IP Protect your hosting control panel

If your webhost allows it, you can also request your webhost to restrict cPanel access to everybody, except from your own IP address/range. This will make it even harder to break into your control panel. This way, even if somebody knows your pass, he won't be able to login as the IP won't match.

[temi]

Nice tip shadab, rep added

[GrAveTzT]

Excellent, I was messing around with this and couldn't believe how un-secure my forum actually was.

Great article.

[leapfrog]

Thank you for the nice tips.

[bacardi]

I have noticed that in order to avoid unwanted posters posting bad things on your forums best to have your settings set so that any new members have to be approved by either the webmaster or the global moderator and this should discourage any trouble maker from trying to register only to do harm to your site!