Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > vBulletin 3 Articles

Reply
 
Thread Tools
Ultimate Guide to securing your Forums
veenuisthebest's Avatar
veenuisthebest
Join Date: Mar 2008
Posts: 1,416

100% BCA, 33.33% CA

India
Show Printable Version Email this Page Subscription
veenuisthebest veenuisthebest is offline 10-17-2008, 10:00 PM

Securing your forums from Hackers:-

1. Always Keep your vbulletin updated to the latest version taking special care of security fixes.

2. Use the Rename admincp directory feature in config.php

3. Keep your following directories .htaccess protected. Most users can do this via Password Protect Directories option in cPanel.

admincp/
modcp/
includes/
install/

Even vbulletin.com has protected the above directories.

4. Edit your config.php to make yourself an undeletable user.

5. Keep your vbulletin superadmin, FTP/SFTP and .htaccess username/password distinct and unique. You can use the Random Password Generation feature in cPanel or let sites like http://www.goodpassword.com/ generate them for you.

6. Make sure you have your vbulletin PHP files chmod 0644 and NEVER 0777.

7. Keep your forum as much clean as you can. Stay away from mods that you think won't benefit your community much. The lesser the mods, the more secure you are.

8. After uninstalling mods/hacks from vborg, do not forget to Remove the files that you uploaded with the hack.

9.Never allow HTML in posts, PM's and sigs.

10. You should NEVER upload the contents of do_not_upload folder like tools.php from the downloaded vb zip on your server. If ever you need to upload them, delete them immediately after use.

11. Never save a backup of your database under public_html as that would make your database downloadable to the world.

12. Keep your PC periodically tested against viruses, malwares and trojans.

13. For official vb staff's always updated tips and tricks to make your forums more and more secure, visit this thread.
http://www.vbulletin.com/forum/showthread.php?t=194701


Securing your forums from Spammers:-

I think this thread by the official vb staff will be enough for taking care of our spam problems.
http://www.vbulletin.com/forum/showthread.php?t=275800

Some points to highlight:-


1. Use Recaptcha and Add an Extra question to the Registration to prevent bot registrations.

2. There's no harm in getting an Akismet Personal Key and enabling the option in admincp->vbulletin options->Spam Management. You may set the Spam Scanning Post Threshold to 2 or 3.

3. List of email domains to Ban

4. You can ban usernames containing words like sale, offer etc. in User Registration Options->Illegal Usernames

5. I would largely recommend this mod from Andy Huang (vb staff) that Detects Spam based on Keywords Weight. It works perfect on my latest 3.7.3.PL1 board and believe it or not, I could see the human spammer (from who's online ofcourse) getting an error message while creating a thread and leaving the board frustrated.

Hope you find it useful, will keep it updated.

Source: http://tech6.com/f51/ultimate-guide-...r-forums-t319/

P.S.: Please do not copy this guide.
Reply With Quote
  #12  
Old 09-11-2009, 03:26 PM
veenuisthebest's Avatar
veenuisthebest veenuisthebest is offline
 
Join Date: Mar 2008
Location: India
Posts: 1,416
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

bluej,

For .htaccess password protecting directories, if you are unable to do it via cpanel you'll have to manually do it. Just make a simple google search, you'll get it.

About db backup files - when you connect to FTP, the top folder you'll see would probably be public_html or htdocs or httpdocs or html. Always save your backups above THIS top folder. Simple as that.
Reply With Quote
  #13  
Old 10-17-2009, 11:04 AM
MaXeL3G3ND MaXeL3G3ND is offline
 
Join Date: Dec 2007
Location: ::1
Posts: 19
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Nice guide :-)
Reply With Quote
  #14  
Old 10-20-2009, 06:54 PM
Weetabix Weetabix is offline
 
Join Date: Feb 2007
Posts: 50
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Will this apply to vB4, maybe with a few more dirs?
Reply With Quote
  #15  
Old 11-03-2009, 06:48 AM
pitzerwm pitzerwm is offline
 
Join Date: Aug 2007
Location: WA state
Posts: 89
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I guess, I am a newbie too. I know what the cpanel is but I can't find the password directories "place" Some more detailed direction please.

--------------- Added [DATE]1257238460[/DATE] at [TIME]1257238460[/TIME] ---------------

My experience. I just upgraded from 3.6.8 to 3.8.4. In the past I was using Recaptcha and do get the occasional spammer, used "One Touch" to ban him and his IP. Reading somewhere here, someone said that the question was better, so I did that, and promptly got about 20 spammers. I installed more mods recommended here, but I think going back to Recaptcha worked the best. I have a small forum, 1500 a day, I feel sorry for you guys with big ones with a lot of traffic.
Reply With Quote
  #16  
Old 12-30-2009, 10:36 PM
Skydiver10's Avatar
Skydiver10 Skydiver10 is offline
 
Join Date: Sep 2009
Location: SoCal
Posts: 98
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi, nice article, my forums were hacked 2 months ago and I had done none of this.

After I deleted the malicious code that was injected by a hacker into my main forums page, I quickly added a .htaccess and .htpasswd files to my admincp directory on my host. Since then I have had no problems.

After finding your article today, I added a .htaccess and .htpasswd files to the modcp, includes, and install directories.

After checking the file permission through my ftp client I find that all of my php files are set at 705.

One question that has been burning in my mind is, all of my .php files are set to 705.....should I change them all to 644, and if I change them to 644 will this effect any of my members while they are posting and using the forum? I do have a handful of mods installed.

Also, if I change them all to 644, what are the exact files, every single php file in every directory of the VB forums upload?

If I have the four directories admincp, modcp, includes, and install, now with .htaccess and .htpasswd, why should I change the file permissions in those four directories if they are password protected? Is this for extra added security in case the password is hacked?

Thanks again for this article! :up:
Looking forward to your response.....thank you!
Reply With Quote
  #17  
Old 01-06-2010, 12:59 PM
Skydiver10's Avatar
Skydiver10 Skydiver10 is offline
 
Join Date: Sep 2009
Location: SoCal
Posts: 98
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Just wondering if this thread is being monitored. I need answers on chmoding my files.

Does every single php file for my forums get changed to 644?

Any help would be greatly appreciated.....
Reply With Quote
  #18  
Old 09-16-2011, 06:13 AM
patrixon78 patrixon78 is offline
 
Join Date: Sep 2011
Location: Glasgow Scotland
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

yes, every single one of them my friend
Reply With Quote
  #19  
Old 05-14-2013, 05:38 PM
Enthusify's Avatar
Enthusify Enthusify is offline
 
Join Date: Feb 2012
Location: Santa Monica, CA
Posts: 158
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Just came across this article. Very helpful! Thanks.

Will be implementing this on our sites now.
Reply With Quote
  #20  
Old 06-08-2013, 04:08 PM
dayottejr dayottejr is offline
 
Join Date: Jun 2013
Location: USA
Posts: 2
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I just finished implementing my vBulletin install (conversion from phpBB3) and I was searching for a way to secure VB4 and came across this thread. It was very helpful! Thank You for sharing this info.

I just finished implementing this on my site. :up: This was easy to follow.
Reply With Quote
  #21  
Old 03-01-2014, 10:33 AM
johnmat johnmat is offline
 
Join Date: Feb 2012
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

where is config.php file located in vBulletin 4.x Forum ?
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:09 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07590 seconds
  • Memory Usage 2,301KB
  • Queries Executed 25 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (11)post_thanks_box
  • (2)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete