08-15-2012, 06:37 PM
HowTo :: secure your vBulletin Forum
--------------------------------------------------------------------------------
To secure your vBulletin from being hacked, do the following:
This article is adapted from:
[To see links please register here]
Always upgrade to the latest Stable version.
Do not install any unofficial hacks or plugins as they are not written or reviewed by vBulletin developers.
Make sure the file: tools.php (vBulletin v3.x or higher) is not on your website.
Remove all upgrade files from the install/ directory (or you can remove the whole install/ directory).
Remove the ImpEx files, if you used this import system.
If you imported data from another software/system using ImpEx, make sure to remove the impex/ directory when you're done.
Do NOT upload the directory called do_not_upload/
Update the config.php file and set yourself as "undeletable user" so hackers won't be able to alter and/or access your admin account.
If you have phpMyAdmin, make sure it's password protected. This doesn't apply to the cPanel control panel.
Passwords and vBulletin
Password protect your Administrator and Moderator Control Panel directories using .htaccess/.htpasswd.
(cPanel users can log in to cPanel and use the Password Protect Directories feature instead.)
If you suspect a hacking attempt, change the login passwords for your hosted account.
Make sure Admin and Mod passwords are secure, and use hard to guess passwords.
Use a different password for each forum you sign up with. Use a different password for your forum and for the .htaccess directory, respectively.
HTML code, Plugin/Product Management and vBulletin
NEVER use and/or allow HTML codes in posts, PMs, and sigs.
Do not allow anyone to access the plugin / product management area. Giving people access to code plugins on your live production system is like asking to be hacked because they can interrupt any standard vBulletin process.
Your PC and vBulletin
Make absolutely sure there are no viruses, trojans or keylogger spyware on your own laptop and/or desktop PC. If your PC is infected, your password and other personal information can be stolen by a hacker.
Shared Hosting and vBulletin
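If you are on a shared hosting server, make sure the permission on all your vBulletin PHP files is set to 644. If you have SSH access to your virtual server, run the following commands:
    cd /path/to/your/vbulletin
    # "chmod -R 644 *.php" only matches names in the current directory, so PHP files in subdirectories are missed; find covers them all.
    find . -type f -name '*.php' -exec chmod 644 {} +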
If you do not have SSH access, you can use your FTP software application instead.
The 'chmod 644' command sets the file(s) to be "readable and writable" by the owner of the account (typically: you), and readable by everybody else (this is so that the webserver can read the file to present it to the viewers of your page).
If the index.php page gets hacked frequently, set the permission on that page to 444.
Security through obscurity
Renaming Admincp and Modcp directories
Every hacker knows the default paths to the vBulletin admincp and modcp control panels: [To see links please register here] or [To see links please register here]
Since these paths are known, hackers bypass the forums and then attempt to hack into your admincp or modcp. Give the admincp and modcp directories new names. You can name them anything you like. Giving new names to admincp and modcp will make it difficult for amateur hackers to penetrate your forum.
If you rename your admincp and modcp directories, you MUST update the directives in the config.php file with the new names.
Upgrading vBulletin to the latest Stable release
We highly recommend making a backup copy of your MySQL database. Do NOT save or store the backup copy of MySQL in the public_html directory. Save the backup copy of MySQL in either the root directory of your virtual server, or download it on your own PC.
When you upgrade your forum to the latest Stable release, make sure to rename the admincp and modcp directories again!
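Using the following directives, add the IP address(es) of your admin(s) and your own Cable Modem/DSL into a .htaccess. This .htaccess file should be saved in your admincp directory:
    # Apache 2.2 syntax (Apache 2.4 uses "Require ip" instead).
    # With "order allow,deny" a trailing "deny from all" overrides the allow lines and locks everyone out.
    order deny,allow
    deny from all
    allow from YOUR_IP_ADDRESS
    allow from ADMIN_IP_ADDRESS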
This way the directory will be accessible only from the IP addresses listed in the .htaccess file.
Even if your owned license has expired, you can still download the security patches for FREE from vBulletin's security center at:
[To see links please register here]
Make sure your VPS or dedicated server is hardened and secured. If not, or not sure, sign up for the ServerTune Plan. This server management plan includes all features you need to secure, harden, and keep your server in perfect running condition.
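The checklist in this post can be verified with a script. The following is an added example, not part of the original post or of vBulletin: a shell function that flags leftover tools.php, installer scripts, impex/ and do_not_upload/, unrenamed admincp/modcp directories, PHP files that are not 644 (444 is accepted), and SQL dumps inside the web root. The function name, the output labels, and the file patterns used for installer scripts and database dumps are assumptions.

```shell
#!/bin/sh
# Added example: audit a vBulletin web root against the checklist above.
# Prints one line per finding; returns 1 if anything was found, 0 if the
# tree is clean, 2 if the path is not a directory.
# Usage: audit_vbulletin /path/to/your/vbulletin
audit_vbulletin() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    findings=$(
        cd "$root" || exit 2
        # tools.php must not be reachable anywhere on the site.
        find . -type f -name tools.php | sed 's|^|LEFTOVER tools.php: |'
        # install/ may stay only if it no longer holds scripts
        # (assumption: any .php file there counts as an upgrade file).
        if [ -d install ]; then
            find install -type f -name '*.php' | sed 's|^|LEFTOVER installer: |'
        fi
        # ImpEx and do_not_upload/ must not be on the server.
        for d in impex do_not_upload; do
            if [ -d "$d" ]; then echo "LEFTOVER directory: $d/"; fi
        done
        # Control panel directories should not keep their default names.
        for d in admincp modcp; do
            if [ -d "$d" ]; then echo "DEFAULT path not renamed: $d/"; fi
        done
        # PHP files should be 644 (444 is accepted for a locked index.php).
        find . -type f -name '*.php' ! -perm 644 ! -perm 444 |
            sed 's|^|PERMS not 644: |'
        # Database backups must not sit inside the web root
        # (assumption: dumps are named *.sql or *.sql.gz).
        find . -type f \( -name '*.sql' -o -name '*.sql.gz' \) |
            sed 's|^|BACKUP in web root: |'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run it after every upgrade as well, since an upgrade restores the default directory names and may re-upload installer files.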