howtothings.co.uk
A few tips on how to secure a MyBB forum - Printable Version

Forum: Computing > Website Development, Implementation and General Webmaster Support
Thread: A few tips on how to secure a MyBB forum (https://www.howtothings.co.uk/showthread.php?tid=2682)



A few tips on how to secure a MyBB forum - Mark - 19-11-2014

A few tips on how to secure a MyBB forum



1) Rename the default admin directory.

Edit the configuration file:

Code:
inc/config.php

and change 'admin' to something else, so that it matches the new name you give the admin directory itself:

Code:
$config['admin_dir'] = 'admin';

You can see a tutorial here:

http://www.howtothings.co.uk/thread-374.html





2) Hide the Version Number

Displaying which MyBB version you're running is similar to saying "I'm running this specific version, which contains these specific vulnerabilities".



To hide it go to:

Admin CP > Configuration > General Configuration > Show Version Numbers > Off.





3) Disallow HTML in Posts

MyBB does not allow it by default. Unless you are absolutely certain that you want to use it, it should be disabled on all forums.

To do this quickly, run the following SQL query. Replace mybb_ with your own table prefix.

Code:
UPDATE `mybb_forums` SET `allowhtml` = '0';




4) Check CHMOD Permissions

Files and folders should only have the permissions that MyBB needs in order to run. There is no official recommended set of permissions, but these are a good guideline:

Code:
644 inc/config.php inc/settings.php
666 inc/languages/english/*.php
644 inc/languages/english/admin/*.php
755 cache/ cache/themes/
755 uploads/ uploads/avatars/
755 admin/backups/
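Checking these by hand on every upgrade is tedious, so here is an added shell script (not from the original post) that audits an install against the guideline above and also lists anything world-writable, which is what the 666 entry grants and what you will want to keep an eye on. It assumes a Linux host with GNU coreutils (stat -c) and takes the admin directory name as a second argument in case you renamed it in tip 1; the paths and modes are the post's own list.

```shell
#!/bin/sh
# Added example: audit a MyBB install's file modes against the guideline list.
# Assumes GNU stat. {admin} stands for the (possibly renamed) admin directory.

# Guideline from the post: "<mode> <path-glob>", relative to the MyBB root.
MYBB_PERMS='644 inc/config.php
644 inc/settings.php
666 inc/languages/english/*.php
644 inc/languages/english/admin/*.php
755 cache
755 cache/themes
755 uploads
755 uploads/avatars
755 {admin}/backups'

# mode_of <path>: print the octal mode (e.g. 644) of a file or directory.
mode_of() {
  stat -c '%a' "$1"
}

# audit_mybb_perms <mybb-root> [admin-dir]
# Prints one line per mismatch or missing path; returns 0 only if all match.
audit_mybb_perms() {
  root=$1
  admin=${2:-admin}
  bad=0
  while read -r want pattern; do
    [ -n "$want" ] || continue
    pattern=$(printf '%s\n' "$pattern" | sed "s|{admin}|$admin|")
    # Expand the glob relative to the root. An unmatched glob stays literal
    # and therefore shows up as MISSING below.
    for rel in $(cd "$root" && printf '%s\n' $pattern); do
      if [ ! -e "$root/$rel" ]; then
        echo "MISSING  $rel"
        bad=1
        continue
      fi
      have=$(mode_of "$root/$rel")
      if [ "$have" != "$want" ]; then
        echo "MISMATCH $rel is $have, expected $want"
        bad=1
      fi
    done
  done <<EOF
$MYBB_PERMS
EOF
  return $bad
}

# list_world_writable <mybb-root>: print every path under the root that
# "other" may write to (mode bit 002), relative to the root.
list_world_writable() {
  find "$1" -perm -002 -print | sed "s|^$1/||"
}

# Usage (assumed paths):
#   audit_mybb_perms /var/www/html/forum myadmin
#   list_world_writable /var/www/html/forum
```

Run it from a cron job or after each upgrade; anything printed is a deviation from the list, and the world-writable output should contain nothing you did not deliberately open up.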





5) Protect directories using .htaccess

The /inc/ directory, and others like it, should not be accessible to the public because they contain sensitive information such as the database configuration and settings.

Assuming you're using an Apache web server, you can block access using a .htaccess file with the contents:

Code:
deny from all

and upload it to the following directories ({admincpdir} being the name you gave the admin directory in tip 1):

Code:
/inc
{admincpdir}/inc
{admincpdir}/modules

You can test that it is working by going to http://yoursite.com/inc/

If you receive a 403 error then everything is working as planned and the directory is inaccessible to the outside world.





6) Protect files using .htaccess

Put these in your main .htaccess file in the public_html folder.

Code:
<files global.php>
Order deny,allow
deny from all
</files>

<files sfs_log.php>
Order deny,allow
deny from all
</files>





8) Stop anyone browsing folders without an index.



Put this in your main .htaccess file in the public_html folder.

Code:
Options -Indexes




9) Redirect the old /admin directory back to the website home page (/)



Put this in your main .htaccess file in the public_html folder.

Code:
redirect /admin /
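Tip 5 suggests checking for a 403 by hand; the following added shell script (not from the original post) does the same check for all the paths covered by tips 5, 6, 8 and 9 in one go, so it can be re-run after every MyBB upgrade or hosting move. It assumes curl is installed, that the first argument is the forum's base URL (https://yoursite.com is a placeholder), and that the directory used for the listing check (/images/ by default, an assumed choice) has no index file. A 500 is reported separately because on Apache 2.4 without mod_access_compat the 2.2-style Order/deny directives are unknown and make the server fail with 500 rather than deny with 403; the 2.4 equivalent is "Require all denied".

```shell
#!/bin/sh
# Added example: verify the .htaccess protections from tips 5, 6, 8 and 9
# against a live forum. Assumes curl; BASE is the forum URL (placeholder).

# verdict <expected-code> <actual-code> <path>: print one PASS/FAIL line,
# return 0 on PASS and 1 on FAIL.
verdict() {
  want=$1
  got=$2
  path=$3
  if [ "$got" = "$want" ]; then
    echo "PASS $path -> $got"
    return 0
  fi
  if [ "$got" = 500 ]; then
    # Typical when 2.2-style Order/deny lines are used on Apache 2.4
    # without mod_access_compat loaded.
    echo "FAIL $path -> 500 (directive error? on Apache 2.4 use 'Require all denied')"
  else
    echo "FAIL $path -> $got, expected $want"
  fi
  return 1
}

# status_of <url>: print only the HTTP status code; redirects are not followed
# so that the tip 9 redirect itself can be observed.
status_of() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# check_mybb_htaccess <base-url> [admin-dir] [listing-dir]
# Runs every check; returns 1 if any of them fails.
check_mybb_htaccess() {
  base=$1
  admin=${2:-admin}
  listing=${3:-/images/}
  failed=0
  # Tip 5: protected directories must answer 403.
  for p in /inc/ "/$admin/inc/" "/$admin/modules/"; do
    verdict 403 "$(status_of "$base$p")" "$p" || failed=1
  done
  # Tip 6: individually blocked files must answer 403.
  for p in /global.php /sfs_log.php; do
    verdict 403 "$(status_of "$base$p")" "$p" || failed=1
  done
  # Tip 8: a directory without an index must not list its contents
  # (Apache answers 403 when Options -Indexes is in force).
  verdict 403 "$(status_of "$base$listing")" "$listing" || failed=1
  # Tip 9: the old /admin path must redirect. Apache's Redirect directive
  # sends a 302 unless a status is given.
  verdict 302 "$(status_of "$base/admin")" "/admin" || failed=1
  return $failed
}

# Usage (placeholder URL and admin directory name):
#   check_mybb_htaccess https://yoursite.com myadmin
```

Run it from outside your own network if you can, since any IP allow-list on the server would otherwise mask a missing rule.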




10) "Block" access from certain countries using CloudFlare.

In CloudFlare go to Dashboards > Threat Control

Steps:

1. Scroll down to Add custom rule.

2. Start typing in the country name and then select the country.

3. Click on the "Block" button.

CloudFlare's country block currently only serves up a challenge page to visitors from the countries you decide to block. A human visitor from that country could still enter your site by passing the challenge page, so a country block is not a full block.

If you want to block visitors from that country completely, you would have to put rules on your server itself to block the country, using something like .htaccess.

This is a good starting list of countries to block.

Code:
Albania
Algeria
Antigua and Barbuda
Argentina
Azerbaijan
Bangladesh
Belarus
Belgium
Bolivia
Bosnia
Brazil
Bulgaria
Cambodia
Chile
China
Colombia
Congo
Czech Republic
Ecuador
Egypt
Estonia
Finland
Georgia
Germany
Ghana
Greece
Hong Kong
Hungary
Iceland
Indonesia
Iran
Iran, Republic of
Iraq
Israel
Japan
Jordan
Kenya
Kazakhstan
Korea
Latvia
Lithuania
Macedonia
Malaysia
Malta
Mauritius
Mexico
Mongolia
Morocco
Pakistan
Palestine
Panama
Peru
Philippines
Poland
Romania
Russia
Saudi Arabia
Serbia
Singapore
Slovakia
Slovenia
Sri Lanka
Taiwan
Tajikistan
Thailand
Tunisia
Turkey
Ukraine
Venezuela
Viet Nam