vBulletin Security Tips – I

by Shadab

vBulletin is pretty secure out of the box. But a little more security for your vBulletin Forum won’t hurt. Right? Also, some of the tips mentioned herein can help prevent mass damage to your Forum, even if your login info gets into the wrong hands. This is part 1 of the "vBulletin Security Tips" article.

vBulletin Version

1. First and foremost, upgrade to the latest stable vBulletin release. Don’t run beta releases on a live production environment. They are beta for a reason (they are still under testing and may contain unconfirmed bugs and loopholes).

Secure Passwords

2. This is more of a generalized tip: use a long, secure password for your administrator accounts. Best is to mix both cases (upper case and lower case letters) as well as numbers. Also make sure your passwords don’t contain any word that can be ‘related’ to you in any way. Use completely random alphanumeric strings as passwords.

To generate such strings, you can use this online tool: GRC | Ultra High Security.

3. In addition, use different passwords for each of your admin access accounts: Forum account, AdminCP password, hosting control panel (e.g. cPanel), database user, etc. So, in case one password is leaked, your other admin accounts remain safe.

/includes/config.php Tips

4. Set yourself as an undeletable/unalterable user in vBulletin’s config.php file (found in the /includes/ directory under the forum root). Find the line shown below in your config file and replace 1 with your actual UserID.

  $config['SpecialUsers']['undeletableusers'] = '1';

5. Make sure that nobody has the ability to run database queries directly from the AdminCP (not even yourself!). You will rarely ever need to run DB queries from there. So you can blank out everything between the two single quotes ('), as shown below:

  $config['SpecialUsers']['canrunqueries'] = '';

6. If you have multiple administrators on your Forum, then you can set yourself as the Super Administrator, and then control the permissions of the other administrators (which actions the other admins can and cannot perform). Here also, replace 1 with your own UserID.

  $config['SpecialUsers']['superadministrators'] = '1';

7. Whatever action an administrator performs in the Forum is logged (written to the database), so the admin log is useful for keeping track of what changes your other administrators and co-admins are making on your forum. Therefore, at most one person (i.e. YOU) should have the permission to prune the admin log.

  $config['SpecialUsers']['canpruneadminlog'] = '1';

Rename Control Panels

8. By default, the Administrator and Moderator control panels are located at /admincp/ and /modcp/ respectively. Everybody knows that these are the default CP locations in vBulletin. So, it’s best to change these paths. You could rename /admincp/ to something like /my-area51/. Similarly, rename the /modcp/ directory too, via FTP.

And whatever changes you make to your CP directories, make sure you set them in the config.php file too. For example:

  $config['Misc']['admincpdir'] = 'my-area51';
  $config['Misc']['modcpdir'] = 'the-mod-room';

Critical Files

9. If you have ever used the tools.php file to fix a broken vBulletin installation, or ImpEx to import threads/posts/users into your Forum, double-check and make sure they aren’t on your server anymore.

CHMOD 644

10. For those who are on a shared hosting environment, CHMOD all your PHP files to 644. You can do this easily via any FTP client. This ensures that your files are writable only by the file owner, i.e. your own hosting account, and not by any other hosting account on the same shared server.
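The config.php, control panel, leftover-file and permission checks from tips 4 to 10 can be verified in one go. The script below is an added example, not part of the original article; it assumes the standard includes/config.php layout with single-quoted values, and the function names vb_config_value and vb_audit are my own.

```shell
#!/bin/sh
# Added audit script for a vBulletin forum root (not from the original article).
# Assumes includes/config.php uses single-quoted values as in the snippets above.

# Print the value of $config['SECTION']['KEY'] from config.php (empty if unset).
vb_config_value() {
    grep -E "^[[:space:]]*\\\$config\['$2'\]\['$3'\]" "$1" 2>/dev/null \
        | sed -E "s/.*=[[:space:]]*'([^']*)'.*/\1/" | head -n 1
}

# Audit the forum root given as $1; warnings go to stderr, the issue count to stdout.
vb_audit() {
    root="$1"; cfg="$1/includes/config.php"; issues=0
    warn() { echo "WARN: $*" >&2; issues=$((issues + 1)); }
    [ -f "$cfg" ] || { warn "no config.php under $root/includes"; echo "$issues"; return 0; }

    # Tip 5: nobody should be able to run raw SQL from the AdminCP.
    [ -z "$(vb_config_value "$cfg" SpecialUsers canrunqueries)" ] || warn "canrunqueries is not empty"

    # Tips 4, 6, 7: the protective user lists should be filled in.
    for k in undeletableusers superadministrators canpruneadminlog; do
        [ -n "$(vb_config_value "$cfg" SpecialUsers "$k")" ] || warn "SpecialUsers.$k is empty"
    done

    # Tip 8: control panel directories should not be the well-known defaults
    # (an unset key means vBulletin falls back to the default name).
    admincp=$(vb_config_value "$cfg" Misc admincpdir); modcp=$(vb_config_value "$cfg" Misc modcpdir)
    case "$admincp" in ''|admincp) warn "admincpdir is still the default 'admincp'" ;; esac
    case "$modcp" in ''|modcp) warn "modcpdir is still the default 'modcp'" ;; esac

    # Tip 9: leftover repair/import tools must be gone.
    for f in tools.php "${admincp:-admincp}/tools.php" impex; do
        [ ! -e "$root/$f" ] || warn "$root/$f still present"
    done

    # Tip 10: PHP files should be 644, i.e. not writable by group or others.
    loose=$(find "$root" -name '*.php' \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' ')
    [ "$loose" -eq 0 ] || warn "$loose PHP file(s) writable by group/others"

    echo "$issues"
}
```

Run it as `vb_audit /path/to/forum`; a count of 0 means all the checks above passed.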

If you are not at ease with making the above mentioned changes, or fear that you’ll end up messing up your vBulletin Forum, feel free to open a thread in our Forum Management section or simply add a comment here asking for assistance.