vBulletin Security Tips – Part II

by Shadab

This is Part 2 of the "vBulletin Security Tips" article. If you haven't read the first part of this article, read it here: vBulletin Security Tips - Part I

Securing your AdminCP

11. If you are using the Apache webserver, create a .htaccess file in your AdminCP directory, with the following content in it:

order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx in the above code with your actual IP address, like If you are on a dynamic IP, put only the first two octets of your IP address, like: 122.168. (notice the dot at the end). To find out your IP address or range, go to WhatIsMyIP.com

If you have multiple administrators on your website, put an 'allow' entry in your .htaccess for each of the administrator; like this :

order deny,allow
deny from all
allow from
allow from
allow from

NOTE: When you ever need to give out your AdminCP login credentials in a support ticket, for example at vbulletin.com or vbseo.com; comment out all the lines in your .htaccess file in your AdminCP as shown below, by adding a hash (#) to the start of each line. (So the support staff can access and login to your AdminCP)

# order deny,allow
# deny from all
# allow from

After you're done with the ticket, uncomment the lines to enable the IP restriction again.

12. Having a secure password for your Forum's admin account and IP protecting the AdminCP directory is sufficient. But still, if you (are paranoid and) want an added layer of security, consider password protecting your AdminCP and ModCP directories additionally via .htpasswd/.htaccess

Guide on how to do it can be found at JavaScriptKit.com

HTML in Posts

13. Never ever allow users to post raw HTML anywhere on your Forum. Since vBulletin lacks the functionality to enable or disable raw HTML input on a per-usergroup basis, it's better to keep this feature disabled.

  • While adding or editing forums and sub-forums via the "Forum Manager", just make sure that the Allow HTML setting under the Enable / Disable Features section is set to No.
  • Similarly, while adding or editing usergroups via the "Usergroup manager", make sure that the Allow HTML setting under the Signature Permissions section is set to No, too.

(Not to be confused with the 'Allow HTML BB Code' setting; which can be safely enabled.)

Hard-Delete Posts

14. There are two types of deletions in vBulletin: Soft-delete and hard-delete. Soft-delete effectively 'hides' the post from the users. Administrators and Moderators can still access and view that post, and can un-delete / restore the post if needed.

Whereas Hard-delete removes the post from the database, with almost no chance of recovery. To check and revoke the permission to hard-delete posts from a Moderator, go to:

AdminCP » Forums & Moderators » Show All Moderators

Click on the [Edit Permissions] link beside each Moderator or Super Moderator's name and check the Can Physically Delete Posts setting. (Make sure the 'No' option is selected)

Secure your PC

15. Keep your PC clean and free from any malware (Virus, Trojans, Spyware, Rootkits, etc.). Some are notorious for stealing important and sensitive information from your computer like account passwords (including your websites' FTP details); and infecting HTML & PHP files on your machine.

An example of such a malware is Gumblar, which had spread like wildfire of-late. More information can be found at:

You are only as secure as the passwords you use and the web server your Forum is on. If the server has been compromised/hacked, then there's nothing vBulletin can do to prevent potential security violations. (Related thread on vBulletin.com)

If you are not at ease with making the above mentioned changes, or fear that you’ll end up messing your vBulletin Forum; feel free to open a thread in our Forum Management section or simply add a comment here; asking for assistance.