I use the sortables captcha extension located here:
https://www.phpbb.com/customise/db/exte ... s_captcha/
Then I use a script which can be overwhelming to use and install by normal everyday non-techy people called ZBblock located in my signature below. This blocks many hosting providers, even whole countries when they load one of your php files.
I also use the reverse proxy Cloudflare and I have just begun to add a crap load of ASNs (whole IP assignments) to my Cloudflare Firewall. Dedicated hosters like Digital Ocean, Rackspace, QuadraNet, Colocrossing, Hurricane Electric, SoftLayer, Amazon AWS, etc, etc, etc. At least 30 ASNs are now blocked and I add more after reading my server logs every day. Amazon AWS has got to be the worst offender.
I should also note that ZBblock uses the stop forum spam database. You have to download the bannedips.csv at least once a month and add it to the ZBblock's vault folder in your FTP. ZBblock also by default can block Tor if set in the .ini file.
I have NEVER got a robot spam post in the year and about three months I have had my forum and Wordpress blog. Except human spammers. I have had about three of those and when I get that I use my stop forum spam account and report their IP, E-mail and username. Easy peasy lemon squeezy. LOL
I run layers of security. Both on my websites, and my computers at home. I refuse to be a victim. If you don't want to be one, read and learn.
BTW- If you do use Cloudflare I would not use the MX record at all. Which means you shouldn't use your host's E-mail system. I use Gmail now for my Wordpress blog and forum E-mail. The reason is that the MX record can be queried and thus your real IP address can be found. If you use a reverse proxy like Cloudflare then it becomes meaningless. I so happened to have had my host give me a dedicated IP address and now when you use one of those Cloudflare resolvers only my old IP address shows up. I have yet to find a tool or method showing my real IP address.
Tip- If you use a reverse proxy like Cloudflare I would add this bit of code in your .htaccess file to prevent direct connections to your website with your IP address. Nobody needs to directly connect to your site and if they do it is more than likely a bot.
Code:
# Replace 10.0.0.1 with your server's own IP address
RewriteEngine On
RewriteCond %{HTTP_HOST} ^10\.0\.0\.1(:\d+)?$
RewriteRule .* - [F]
Here's a few more that could benefit you.
Code:
RewriteCond %{HTTP_USER_AGENT} ^.{0,13}$
RewriteRule .* - [F]
This will prevent user agents that are blank or less than 13 characters in size. A lot of bots use no UA at all.
Code:
# Anchored so that only the exact methods GET and POST pass
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC]
RewriteRule .* - [F,L]
This will only allow GET and POST to your website. There really isn't a need for HEAD or anything else. Cloudflare will use HEAD to connect to your site, but it's not needed. In fact, I don't even know why they make a few connections to my site at all.
If you want to use Gmail in your forum, in your E-mail settings in the ACP:
SMTP server address: tls://smtp.gmail.com
Port: 465
Authentication: Plain.
Keep in mind that with the free SMTP usage of Gmail you are limited to a set amount of E-mails. I have heard anywhere from 150-500. I have no idea what it is. You may want to upgrade to a paid plan for more E-mails or just use another E-mail service. Remember, using your host's E-mail and the MX record in Cloudflare will expose your real IP address.
Anyway... That's some of the stuff I have learned thus far. One more thing. If you have Mod_security in your host, do use it! This site didn't and they got hacked. I read the hacker's blog. At least that's what I read.
Edit- Just want to spread some love here for an addon I have used for about seven years that just saved me from having to retype this whole post again. If you use Firefox or Chrome check out Lazarus! I use Pale Moon myself and it works in here. Use the Firefox addon if you use Pale Moon. I tried to make a donation, but the link isn't working. Anyway. I'm sure this addon would be beneficial to someone that posts like I do and then loses the whole thing! LOL!
https://addons.mozilla.org/en-US/firefo ... -recovery/
https://chrome.google.com/webstore/deta ... fgno?hl=en
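Added example, not part of the original post: a small audit of a DNS zone export that lists every record (MX included) leading to an address outside the reverse proxy's ranges, which is the exposure the post describes for the MX record. The zone data, the record tuple layout, the function names and the origin address 203.0.113.10 are constructed for illustration, and the two proxy ranges are only a partial sample that should be refreshed from the provider's published list.

```python
import ipaddress

# Partial sample of Cloudflare's published proxy ranges (assumption: load the
# provider's current full list before relying on the result).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed zone export as (name, type, value). 203.0.113.10 stands in for
# the origin server's real address; priorities and trailing dots are omitted.
SAMPLE_ZONE = [
    ("example.org", "A", "104.18.5.20"),
    ("www.example.org", "CNAME", "example.org"),
    ("example.org", "MX", "mail.example.org"),
    ("mail.example.org", "A", "203.0.113.10"),
    ("example.org", "MX", "aspmx.l.google.com"),
]

def is_proxied(ip):
    """True when the address belongs to one of the proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

def resolve_in_zone(name, zone, depth=0):
    """Follow CNAMEs inside the zone and return the A-record IPs for name."""
    if depth > 8:  # guard against CNAME loops
        return []
    ips = []
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype == "A":
            ips.append(value)
        elif rtype == "CNAME":
            ips.extend(resolve_in_zone(value, zone, depth + 1))
    return ips

def find_origin_leaks(zone):
    """Return (record name, type, exposed IP) for each record that leads to
    an address outside the proxy ranges."""
    leaks = []
    for rname, rtype, value in zone:
        if rtype == "A":
            targets = [value]
        elif rtype in ("MX", "CNAME"):
            targets = resolve_in_zone(value, zone)  # external hosts yield []
        else:
            continue
        leaks += [(rname, rtype, ip) for ip in targets if not is_proxied(ip)]
    return leaks

if __name__ == "__main__":
    for leak in find_origin_leaks(SAMPLE_ZONE):
        print("exposes origin:", leak)
```

The MX record that points at an external mail provider is not flagged, because its target does not resolve to an address inside the zone.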