What can I do to increase security on my PHP board?

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Sullivan
Registered User
Posts: 14
Joined: Fri Sep 30, 2005 2:05 am

What can I do to increase security on my PHP board?

Post by Sullivan » Fri Sep 30, 2005 2:19 am

A couple of months ago my board (running phpBB 2.0.8) was hacked into and pretty much trashed. As I now understand it, that was not likely the most secure release.

And as luck would have it, our host was pretty much as non-responsive as they could be and we lost everything on the site.

Since then we have moved hosts, to one that not only responds, but answers the phone. (Interesting concept.) And we have upgraded to 2.0.18.

I have been learning how to install Mods and was hoping there would be some suggestions of ones I can use to heighten the security of our site. (and that are compatible with 2.0.18).

There is a chance that it was one of our members who did this, so one of the things we are interested in doing is limiting their access to things.

Any and all suggestions welcome and appreciated.

Anon
Former Team Member
Posts: 7019
Joined: Fri Jan 02, 2004 7:33 am
Location: Christchurch, New Zealand

Post by Anon » Fri Sep 30, 2005 2:24 am

I hope you mean 2.0.17, which is the latest, not 2.0.18 ;)

Anyway, there is nothing you can do to secure it apart from keeping secure admin passwords and keeping up to date. It's actually best to install as few MODs as possible, as MODs could be insecure and be hacked themselves.

Sullivan
Registered User
Posts: 14
Joined: Fri Sep 30, 2005 2:05 am

Post by Sullivan » Fri Sep 30, 2005 2:28 am

:oops: Yeah... 2.0.17

da_badtz_one
Registered User
Posts: 376
Joined: Thu Jan 29, 2004 8:25 pm

Post by da_badtz_one » Fri Sep 30, 2005 3:47 am

Password protecting your admin directory would be a good option. I do it for mine since someone was able to hack into my phpBB 2.0.17 forum. :( From that day on I've been improving the security of all of the installed mods, from SQL injection to emailing the admin if there is another admin other than the few I have surfing the forum. ;)

That's all I can think of as for now.

LaviniaFFXI
Registered User
Posts: 4
Joined: Fri Sep 30, 2005 5:51 am

Post by LaviniaFFXI » Fri Sep 30, 2005 6:03 am

How would I go about doing this? I am somewhat green about phpBB, but someone yesterday had managed to get into my admin stuff and change my domain name, site title and description. Fortunately that was all, but it's happened twice (the second time they wrote Hacked by dcahrakos) and I don't want to know what they could or would do next...

Sullivan
Registered User
Posts: 14
Joined: Fri Sep 30, 2005 2:05 am

Post by Sullivan » Fri Sep 30, 2005 2:53 pm

Any other suggestions?

da_badtz_one
Registered User
Posts: 376
Joined: Thu Jan 29, 2004 8:25 pm

Post by da_badtz_one » Sat Oct 01, 2005 12:06 am

LaviniaFFXI, make sure that the hacker isn't hacking by accessing phpMyAdmin or doesn't have access to your server by any chance. I suggest you use random password generators to strengthen your site's security and also access to the website's backend. Then, password protecting your admin directory with a strong password would be a good idea, to have double-layered protection.

I also suggest implementing code that only allows you, or other admins you assign to your board, to have admin status. I've written code which disallows any admins other than myself and a few others from having admin status; anyone else who gets it gets a 'die' (PHP function) message throughout the whole forum, including the admin CP. ;)

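```php
// Runs inside phpBB 2, where $userdata holds the current session's user row
// and ADMIN is phpBB's admin user-level constant.
if ( $userdata['user_level'] == ADMIN )
{
	// Only user_id 2 may hold admin status; any other admin account is stopped here.
	if ( $userdata['user_id'] != 2 )
	{
		die("500 Error");
	}
}
```

edit: Also update to the latest phpBB version, which is 2.0.17 ;)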
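
The following is an added example, not part of any post in this thread: one way to carry out the "password protect the admin directory with a random password" advice above. It assumes an Apache host that honours `.htaccess` (`AllowOverride AuthConfig`) and has `htpasswd` or `openssl` installed; every path and the login name are placeholders, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache with "AllowOverride
# AuthConfig" and htpasswd (2.4.4+) or openssl on PATH. Paths are placeholders.

# Print a random hex password of $1 characters (default 32).
gen_password() (
    len="${1:-32}"
    head -c "$len" /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-"$len"
)

# Print a "user:hash" line for login $1. The password is read from stdin so
# it never shows up in the process list.
htpasswd_line() (
    if command -v htpasswd >/dev/null 2>&1; then
        line=$(htpasswd -niB "$1") || return 1
    else
        hash=$(openssl passwd -apr1 -stdin) || return 1
        line="$1:$hash"
    fi
    printf '%s\n' "$line"
)

# Write .htaccess into $2. $1 = web root, $3 = absolute password-file path.
# Refuses a password file inside the web root, where it could be downloaded.
write_htaccess() (
    docroot="${1%/}"; dir="$2"; pwfile="$3"
    case "$pwfile" in
        "$docroot"/*) echo "refusing: $pwfile is under $docroot" >&2; return 1 ;;
    esac
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Board administration"
AuthUserFile "$pwfile"
Require valid-user
EOF
)

# Full procedure: $1 = web root, $2 = admin dir, $3 = password file, $4 = login.
# Prints the generated password once; the file keeps only its hash.
protect_admin_dir() (
    pw=$(gen_password 32) || return 1
    write_htaccess "$1" "$2" "$3" || return 1
    printf '%s\n' "$pw" | htpasswd_line "$4" > "$3" || return 1
    printf 'login: %s\npassword: %s\n' "$4" "$pw"
)

# Usage (placeholder paths): protect_admin_dir /home/me/public_html \
#   /home/me/public_html/forum/admin /home/me/private/forum.htpasswd boardadmin
```

Basic authentication only base64-encodes the credentials on each request, so the protected directory should be served over HTTPS. The board's own admin login still applies behind this prompt, which is what gives the two layers described above.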

chainReaction
Registered User
Posts: 16
Joined: Wed Sep 08, 2004 3:05 pm

serv hackers suck

Post by chainReaction » Wed Aug 23, 2006 4:55 am

I too was running a fairly non-active forum v2.0.8 and was not very responsible for upgrades because I have a shared userbase that interacts between forum and image gallery - I am still slow to update because I paid to have the userbase configured correctly and am afraid that an upgrade will dump the config, and I'm not sure how to reset a shared userbase - I did password protect the entire phpBB directory and that really keeps out the punks, but it has this annoying habit of requesting the PW authentication every time I call up the database, going to the forum then logging in then accessing from a different path - that's a hassle in itself. After reading this I decided to go back and protect the admin file and open it back up, but I'd appreciate some input as to the level of security that provides - will that keep the hackers out by just PW protecting the admin directory? Any thoughts - it's a pretty kool setup but it needs updating and higher security.

amir abbas
Registered User
Posts: 113
Joined: Fri Mar 31, 2006 2:26 pm

Post by amir abbas » Wed Aug 23, 2006 7:20 am

I think protecting the admin folder with a password can be very effective.
