This is Part 2 of the "vBulletin Security Tips" article. If you haven't read the first part of this article, read it here: vBulletin Security Tips - Part I
Securing your AdminCP
11. If you are using the Apache webserver, create a .htaccess file in your AdminCP directory, with the following content in it:
order deny,allow deny from all allow from xxx.xxx.xxx.xxx
Replace xxx.xxx.xxx.xxx in the above code with your actual IP address, like 122.168.8.149 If you are on a dynamic IP, put only the first two octets of your IP address, like: 122.168. (notice the dot at the end). To find out your IP address or range, go to WhatIsMyIP.com
If you have multiple administrators on your website, put an 'allow' entry in your .htaccess for each of the administrator; like this :
order deny,allow deny from all allow from 122.168.8.149 allow from 123.175.249.49 allow from 123.176.245.45
NOTE: When you ever need to give out your AdminCP login credentials in a support ticket, for example at vbulletin.com or vbseo.com; comment out all the lines in your .htaccess file in your AdminCP as shown below, by adding a hash (#) to the start of each line. (So the support staff can access and login to your AdminCP)
# order deny,allow # deny from all # allow from 122.168.8.149
After you're done with the ticket, uncomment the lines to enable the IP restriction again.
12. Having a secure password for your Forum's admin account and IP protecting the AdminCP directory is sufficient. But still, if you (are paranoid and) want an added layer of security, consider password protecting your AdminCP and ModCP directories additionally via .htpasswd/.htaccess
Guide on how to do it can be found at JavaScriptKit.com
HTML in Posts
13. Never ever allow users to post raw HTML anywhere on your Forum. Since vBulletin lacks the functionality to enable or disable raw HTML input on a per-usergroup basis, it's better to keep this feature disabled.
- While adding or editing forums and sub-forums via the "Forum Manager", just make sure that the Allow HTML setting under the Enable / Disable Features section is set to No.
- Similarly, while adding or editing usergroups via the "Usergroup manager", make sure that the Allow HTML setting under the Signature Permissions section is set to No, too.
(Not to be confused with the 'Allow HTML BB Code' setting; which can be safely enabled.)
Hard-Delete Posts
14. There are two types of deletions in vBulletin: Soft-delete and hard-delete. Soft-delete effectively 'hides' the post from the users. Administrators and Moderators can still access and view that post, and can un-delete / restore the post if needed.
Whereas Hard-delete removes the post from the database, with almost no chance of recovery. To check and revoke the permission to hard-delete posts from a Moderator, go to:
AdminCP » Forums & Moderators » Show All Moderators
Click on the [Edit Permissions] link beside each Moderator or Super Moderator's name and check the Can Physically Delete Posts setting. (Make sure the 'No' option is selected)
Secure your PC
15. Keep your PC clean and free from any malware (Virus, Trojans, Spyware, Rootkits, etc.). Some are notorious for stealing important and sensitive information from your computer like account passwords (including your websites' FTP details); and infecting HTML & PHP files on your machine.
An example of such a malware is Gumblar, which had spread like wildfire of-late. More information can be found at:
- Information on the Gumblar Virus - vBulletin Community Forum
- Gumblar .cn Exploit - 12 Facts About This Injected Script
You are only as secure as the passwords you use and the web server your Forum is on. If the server has been compromised/hacked, then there's nothing vBulletin can do to prevent potential security violations. (Related thread on vBulletin.com)
If you are not at ease with making the above mentioned changes, or fear that you’ll end up messing your vBulletin Forum; feel free to open a thread in our Forum Management section or simply add a comment here; asking for assistance.
I’m running VBulletin 3.7 and would like to make a sub forum with only one post to embed a live streaming video. If I enabled html in this sub forum only, embed this one link, lock the forum, and edit ALL user groups permissions for this forum to only be able to view this post. Would this cause a security issue?
Another great set of tips
- CHMOD all folders to 755 and files to 644 of your forum.
- Do not use 777 for any folder, i am sure some hacker will upload shell in that.
- If you and your staff are using dynamic IP, at least Password protect your admin panel and mod panel.
- Use VB Firewall to be save from XSS attacks. If anybody will try to do XSS attack, he will get the message “You are logged” and could not go further more. There are many secret/hidden exploits for vBulletin, about which even may be vBulletin designers don’t know.
- Turn off Visitors messages, Faq.php and calender.php.
- Make sure to backup your database time to time.
- There isn’t any way to avoid DDOS attacks, so don’t waste your time and efforts for DDOS firewalls etc. I know there are some servers which assure the protection from DDOS but they are very expensive.
- Do not install any old or unknown products.
- Don’t give permission to other Admins of your site to upload style or languages or other XML files.
- Apply Human Verification (Captcha) to searches. As there are some exploits out there which can be run using search.
- Above all, Secure your PC first then you can secure your website as already said above.
I am still learning and the tips i gave you are presented here with my own experience.
@JohnC,
Well, may be this could lead into some security issue. But you should scan your site with “Acunetix Web Vulnerability Scanner”.