phpBB has always had an excellent security track record. There has only been one serious issue I'm aware of. If you look through the releases there is a 3.0.7PL that replaced the 3.0.7 release. This goes back more than ten years; in that release RSS feeds were added, and under a specific set of permission settings someone who did not have access to a forum could read it through the RSS feed. The flaw was found and patched in about 24 hours.
You would have to apply changes to the custom theme. The easiest way I have found to manage this is using WinMerge to compare and merge files. If you comment changes it's even easier.

2. If phpBB has updates which require changes to themes, how hard is it to patch existing themes? Because it would suck to modify the default theme and have to start from scratch each update. Does it have a system in place like MyBB where you can check the templates for any needed changes with a click of a button?
As already mentioned, phpBB itself has a really good track record. There isn't a whole lot you can do to secure phpBB itself that hasn't already been done. Security of any site/server needs to be layered. For example, you could add a .htaccess password to the adm folder. Not only are you adding another layer of authentication, but since that is separate from phpBB it could also prevent any vulnerabilities that may crop up in the future with phpBB's authentication for the admin panel. The same thing can be done with any web application. A .htaccess password itself is no guarantee because it can be brute forced; however, there are server applications that can monitor that activity and firewall an IP after X amount of failed logins.... layers.

3. Overall how secure is phpBB out of the box and is there a list of optional things that can be done to secure phpBB even more?
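The kind of monitoring mentioned in the post above, counting failed .htaccess logins per IP, can be sketched as follows. This is an added example, not code from the thread or from phpBB; it assumes Apache's common/combined access log format and an `/adm/` path, the threshold of 5 failures in 10 minutes is a hypothetical setting, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: client IP, auth user, time, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_offenders(lines, prefix="/adm/", max_failures=5,
                   window=timedelta(minutes=10)):
    """Map each IP to the time it reached max_failures rejected logins
    under `prefix` within one sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        # Assumption: a 401 with user "-" is only the initial password prompt;
        # a 401 that names a user is a rejected attempt.
        if m["status"] != "401" or m["user"] == "-":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(m["ip"], ts)
    return offenders

def sample_line(ip, user, hms, status, path="/adm/index.php"):
    """Build one constructed log line (not real traffic)."""
    return (f'{ip} - {user} [09/Mar/2021:{hms} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512')

# Constructed sample: slow failures, a normal admin login, a fast burst.
SAMPLE_LOG = (
    [sample_line("192.0.2.9", "admin", f"{h}:30:00", 401) for h in range(10, 15)]
    + [sample_line("198.51.100.7", "-", "20:00:01", 401),
       sample_line("198.51.100.7", "admin", "20:00:09", 200)]
    + [sample_line("203.0.113.50", "admin", f"20:0{i}:00", 401) for i in range(1, 6)]
)

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: threshold reached at {when.isoformat()}")
```

Only the burst from one address crosses the threshold; the normal admin login and the failures spread an hour apart do not. The returned IPs are what would then be handed to the firewall.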
In regards to the .htaccess password, that is something I do with MyBB as well, but I also change the admin directory. Is this possible on phpBB to change the admin directory?

thecoalman wrote: ↑Mon Mar 08, 2021 2:21 pm
As already mentioned, phpBB itself has a really good track record. There isn't a whole lot you can do to secure phpBB itself that hasn't already been done. Security of any site/server needs to be layered. For example, you could add a .htaccess password to the adm folder. Not only are you adding another layer of authentication, but since that is separate from phpBB it could also prevent any vulnerabilities that may crop up in the future with phpBB's authentication for the admin panel. The same thing can be done with any web application. A .htaccess password itself is no guarantee because it can be brute forced; however, there are server applications that can monitor that activity and firewall an IP after X amount of failed logins.... layers.
I don't know what you mean by that exactly, but I'll try it. You can protect the ACP with htpasswd / htaccess, but you cannot change the path of the link.
What is an "admincp pin"?
Yes, with some exceptions.
I suspect that he is asking whether the Admin Control Panel can be passworded.
Crizzo wrote: ↑Tue Mar 09, 2021 8:28 pm
I don't know what you mean by that exactly, but I'll try it. You can protect the ACP with htpasswd / htaccess, but you cannot change the path of the link.
What is an "admincp pin"?
Yes, with some exceptions.
But it is open for downloads. So just pick your webspace/server/xampp etc. and install it and try it out.
No, this is not possible. But just surfing to "example.org/admin/index.php" won't work either. So imho no need for that, and you can access the ACP via many different ways, so the link will easily be discovered. Security through obscurity is not the way.
No, you will get asked for your Admin-account password again when you want to go to the ACP.

BlasterX wrote: ↑Tue Mar 09, 2021 8:39 pm
And the admincp pin is when you go to the admin panel to log in: on top of your username and password you also have to give a security pin which you set up during installation. It can be anything like a birthday, year, etc. That way, if for some reason the admin main account gets breached, whoever did it still has to get that pin to access the admin panel.
Nope, and it isn't necessary as you'd need host permissions (or FTP) to access that directory.
To enter the ACP the admin has to log in a second time (using the same credentials). This actually prevents someone from using that account to access the ACP if the true admin leaves the PC unattended, because the rogue person doesn't know the admin password.

BlasterX wrote: ↑Tue Mar 09, 2021 8:39 pm
And the admincp pin is when you go to the admin panel to log in: on top of your username and password you also have to give a security pin which you set up during installation. It can be anything like a birthday, year, etc. That way, if for some reason the admin main account gets breached, whoever did it still has to get that pin to access the admin panel.