MyBB is one of the most widely used open source forum packages: intuitive, extensible, and powerful. It is also recognized for its security and is regarded as the most secure among platforms such as vBulletin, phpBB and bbPress.
With everything from forums to threads, posts to private messages, search to profiles, and reputation to warnings, MyBB features everything you need to run an efficient and captivating community. Through plugins and themes, you can extend MyBB’s functionality to build your community exactly as you’d like it.
Here we have set up MyBB locally (on Windows, using XAMPP), running at http://192.168.1.3/mybb.
MyBB is a very secure software. The files are all carefully coded to keep out hackers and viruses. However, there are still ways that your forums could be hacked. Forums are most commonly hacked because of laziness or careless practices on the part of the administrator, rather than the actual software.
In this tutorial, we're going to show you how to secure MyBB forums in 4 different ways.
- Rename Admin Directory
- .htaccess Protection
- Password Protect Admin Directory
- Deny External Access To Config File
1. Rename Admin Directory –
While there are many best practices recommended for securing MyBB, one highly recommended practice is to serve the MyBB admin panel from a unique URL rather than the default one.
Changing the admin folder URL makes it a little more difficult for attackers to find and target your MyBB admin area, so it is always a good security practice.
To do this, first rename the admin directory to something else, then edit config.php (located at /inc/config.php) and change the following line so that it matches the new name:
$config['admin_dir'] = 'adminlogin';
2. .htaccess Protection –
.htaccess is a configuration file used by the Apache web server. .htaccess rules override global settings for the directory in which the file is placed.
The snippet below checks the visitor's IP address. If it does not match the address you specify, the visitor is redirected to your index page.
Create an .htaccess file under Admin Directory and add the following into it:
RewriteEngine On
RewriteBase /
# REMOTE_ADDR is the client IP address; the $ anchor makes the match exact (192.168.1.30 would not pass)
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.3$
RewriteRule .* http://192.168.1.3 [R=301,L]
Note: Make sure you write the IP address you want to allow for admin access (here 192.168.1.3) in the proper format: each dot escaped as \. and the pattern anchored with ^ and $ so that only that exact address matches.
3. Password Protect Admin Directory –
Basic HTTP authentication created with .htaccess and .htpasswd files works well on a real online server. However, implementing it locally on our XAMPP server (on Windows) can be a little problematic.
If you are running MyBB forums online, you can easily protect your admin directory by navigating to the "Password Protect Directories" link under the Security tab.
This adds an additional authentication step before anyone can reach the admin directory.
But if you are running MyBB locally on XAMPP, you first need to create the .htpasswd file from the command prompt (in /xampp/apache/bin) as shown below:
Code: htpasswd.exe -c -m -b .htpasswd username password
After that, create an .htaccess file in your admin directory and add the following code to it:
AuthName "Secured Members Area"
AuthType Basic
AuthUserFile "C:\xampp\security\.htpasswd"
require valid-user
Note: Make sure you move the .htpasswd file from the /xampp/apache/bin directory to the /xampp/security directory, so that the AuthUserFile path above points to it.
There are also several online tools with which you can generate an .htpasswd file:
- https://www.web2generators.com/apache-tools/htpasswd-generator
- http://aspirine.org/htpasswd_en.html
- http://tools.dynamicdrive.com/password/
- https://www.askapache.com/online-tools/htpasswd-generator/
- http://www.htaccesstools.com/htpasswd-generator/
4. Deny External Access To Config File –
Sometimes read/write permissions are not enough to protect the config file, which contains your database information (username, password, database name, etc.).
With the help of an .htaccess file, you can easily protect your config.php so that a 403 Forbidden error is returned when someone tries to access the file directly from a browser.
Create an .htaccess file under the /inc/ directory and copy-paste the following code:
<files config.php>
Order deny,allow
deny from all
</files>
The above code blocks external access to the config.php file.
Note: Order, Allow and Deny are deprecated in Apache 2.4; use Require all denied instead.
One of the most important things is not to reuse the same password across multiple sites: if you use it on one site that gets hacked, the attackers now have your access details for all the others, which may be more important.
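As an added example (not part of the original tutorial), the following Python script audits the four hardening steps above offline, from the text of inc/config.php and the two .htaccess files. The three sample file contents are constructed to mirror this tutorial's setup; point the functions at your own files to check a real install.

```python
import re

# Constructed sample files mirroring the tutorial's setup (not a real install).
SAMPLE_CONFIG_PHP = "<?php\n$config['admin_dir'] = 'adminlogin';\n"
SAMPLE_ADMIN_HTACCESS = r"""RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.3$
RewriteRule .* http://192.168.1.3 [R=301,L]
AuthName "Secured Members Area"
AuthType Basic
AuthUserFile "C:\xampp\security\.htpasswd"
require valid-user
"""
SAMPLE_INC_HTACCESS = """<files config.php>
Order deny,allow
deny from all
</files>
"""


def admin_dir(config_text):
    """Return the admin_dir value from inc/config.php, or None if absent."""
    m = re.search(r"\$config\['admin_dir'\]\s*=\s*'([^']*)'", config_text)
    return m.group(1) if m else None


def audit(config_text, admin_htaccess, inc_htaccess):
    """Check the four hardening steps; return a list of findings (empty = all good)."""
    findings = []
    # 1. Renamed admin directory
    if admin_dir(config_text) in (None, "admin"):
        findings.append("admin_dir is still the default 'admin'")
    # 2. IP allowlist: REMOTE_ADDR is the client IP, and the pattern must be end-anchored
    if re.search(r"RewriteCond\s+%\{REMOTE_HOST\}", admin_htaccess):
        findings.append("allowlist uses REMOTE_HOST; use REMOTE_ADDR")
    m = re.search(r"RewriteCond\s+%\{REMOTE_ADDR\}\s+!\^(\S+)", admin_htaccess)
    if m and not m.group(1).endswith("$"):
        findings.append("allowlist regex is not end-anchored with $")
    # 3. Basic auth on the admin directory
    low = admin_htaccess.lower()
    if "authtype basic" not in low or "valid-user" not in low:
        findings.append("admin directory is not password protected")
    # 4. config.php denied, preferably with Apache 2.4 syntax
    inc = inc_htaccess.lower()
    if "config.php" not in inc or not ("deny from all" in inc or "require all denied" in inc):
        findings.append("inc/config.php is not denied")
    elif "order deny,allow" in inc:
        findings.append("Order/Deny is Apache 2.2 syntax; use Require all denied on 2.4")
    return findings
```

Running audit() on the sample files reports only the deprecated Order/Deny syntax, which is the note above made into a check.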
Other Key Points –
- Keep your forums as up to date as possible
- Use a strong and unique password
- Check plugins/themes before installation
- Deny access to sensitive directories (/inc, /install, etc.)
- Restrict PHP to only the functions that are needed