
vBulletin Security Tips – I & II


sQuo


vBulletin Security Tips – I

 

 

vBulletin Version

 

1. First and foremost, upgrade to the latest stable vBulletin release. Don't run beta releases on a live production site; they are beta for a reason (still under testing, and likely to contain unfixed bugs and security holes).

Secure Passwords

 

2. This is a more general tip: use a long, secure password for your administrator accounts. Mix upper-case and lower-case letters with numbers, and make sure the password contains no word that can be related to you in any way. Use truly random alphanumeric strings as passwords.

 

To generate such strings, you can utilize this online tool : GRC | Ultra High Security.

 

3. In addition, use a different password for each of your admin-level accounts: forum account, AdminCP password, hosting control panel (e.g. cPanel), database user, and so on. Then, if one password leaks, your other accounts remain safe.

 

/includes/config.php Tips

 

4. Set yourself as an undeletable/unalterable user in vBulletin's config.php (found in the /includes/ directory under the forum root). Find the line shown below in your config file and replace 1 with your actual user ID. An administrator listed here cannot be deleted or edited by the other administrators from the AdminCP.

 

[hidden content]

 

5. Make sure nobody has the ability to run database queries directly from the AdminCP (not even yourself). You will rarely ever need to run SQL from there, and anyone who gets into the AdminCP with an account on this list can run arbitrary queries against the forum database. So blank out everything between the two quotes ('), as shown below:

 

[hidden content]

 

6. If your forum has multiple administrators, set yourself as the Super Administrator; you can then control what the other administrators can and cannot do. Here too, replace 1 with your own user ID.

 

[hidden content]

 

7. Every action an administrator performs in the forum is logged to the database, which lets you keep track of the changes your other administrators and co-admins make. So at most one person (you) should have permission to prune the admin log; otherwise an administrator can erase the record of their own changes.

 

[hidden content]

Rename Control Panels

 

8. By default, the Administrator and Moderator control panels are located at /admincp/ and /modcp/ respectively. Everybody knows these are the default CP locations in vBulletin, so it's best to change the paths. Rename /admincp/ to something like /my-area51/ and rename the /modcp/ directory similarly, via FTP. This hides the panels from scans that look for the default paths; it is not a substitute for the IP restriction and passwords in the tips below.

 

And whatever changes you make to your CP directories, make sure you set them in the config.php file too. For example :

 

[hidden content]

 

[hidden content]
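A small audit script for the config.php settings in tips 4 to 8, added here as an example; it is not from the original post or from vBulletin. It assumes the stock vBulletin 3.x/4.x key names from config.php.new ($config['SpecialUsers']['undeletableusers'], ['canrunqueries'], ['superadministrators'], ['canpruneadminlog'] and $config['Misc']['admincpdir'] / ['modcpdir']), that each setting sits on one line as key = 'value';, and that your user ID is 1. The weak and hardened sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from vBulletin): audit
# includes/config.php for the SpecialUsers and control-panel settings in tips 4-8.
# Assumed key names come from the stock config.php.new; each setting is expected
# on one line as  $config['Section']['key'] = 'value';

# Print the quoted value of one entry. $1 = config.php, $2 = section, $3 = key.
# Prints nothing if the key is absent (vBulletin treats that like ''). Spaces are
# stripped so '1, 2' and '1,2' compare equal.
vb_config_get() {
    grep -F "\$config['$2']['$3']" "$1" | grep -v '^[[:space:]]*//' | tail -n 1 \
        | sed "s/.*=[[:space:]]*'\([^']*\)'.*/\1/" | tr -d ' '
}

# True if the comma-separated list $1 contains user ID $2.
vb_list_has() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Audit one config.php against tips 4-8. $1 = config.php, $2 = your user ID.
# Prints one FAIL line per problem; returns 0 only if everything passes.
vb_audit_config() {
    vac_cfg=$1; vac_me=$2; vac_rc=0
    v=$(vb_config_get "$vac_cfg" SpecialUsers undeletableusers)
    vb_list_has "$v" "$vac_me" || { echo "FAIL tip 4: user $vac_me is not in undeletableusers ('$v')"; vac_rc=1; }
    v=$(vb_config_get "$vac_cfg" SpecialUsers canrunqueries)
    [ -z "$v" ] || { echo "FAIL tip 5: canrunqueries should be empty, found '$v'"; vac_rc=1; }
    v=$(vb_config_get "$vac_cfg" SpecialUsers superadministrators)
    vb_list_has "$v" "$vac_me" || { echo "FAIL tip 6: user $vac_me is not in superadministrators ('$v')"; vac_rc=1; }
    v=$(vb_config_get "$vac_cfg" SpecialUsers canpruneadminlog)
    [ "$v" = "$vac_me" ] || { echo "FAIL tip 7: canpruneadminlog should be exactly '$vac_me', found '$v'"; vac_rc=1; }
    for d in admincpdir:admincp modcpdir:modcp; do
        key=${d%%:*}; dflt=${d#*:}
        v=$(vb_config_get "$vac_cfg" Misc "$key")
        if [ -z "$v" ] || [ "$v" = "$dflt" ]; then
            echo "FAIL tip 8: $key is still the default '$dflt'"; vac_rc=1
        fi
    done
    return $vac_rc
}

# Write a constructed config.php fragment for the demo ($1 = weak|hardened, $2 = path).
vb_sample_config() {
    if [ "$1" = hardened ]; then
        cat > "$2" <<'EOF'
<?php
$config['SpecialUsers']['undeletableusers'] = '1';
$config['SpecialUsers']['canrunqueries'] = '';
$config['SpecialUsers']['superadministrators'] = '1';
$config['SpecialUsers']['canpruneadminlog'] = '1';
$config['Misc']['admincpdir'] = 'my-area51';
$config['Misc']['modcpdir'] = 'mod-area51';
EOF
    else
        cat > "$2" <<'EOF'
<?php
$config['SpecialUsers']['undeletableusers'] = '';
$config['SpecialUsers']['canrunqueries'] = '1';
$config['SpecialUsers']['superadministrators'] = '';
$config['SpecialUsers']['canpruneadminlog'] = '1,2';
$config['Misc']['admincpdir'] = 'admincp';
$config['Misc']['modcpdir'] = 'modcp';
EOF
    fi
}

# Demo: audit a weak and a hardened sample (user ID 1 assumed).
demo=$(mktemp -d)
vb_sample_config weak "$demo/weak.php"
vb_sample_config hardened "$demo/hardened.php"
echo "== weak =="; vb_audit_config "$demo/weak.php" 1 || echo "(fails, as expected)"
echo "== hardened =="; vb_audit_config "$demo/hardened.php" 1 && echo "(passes)"
rm -rf "$demo"
```

Point vb_audit_config at your live includes/config.php with your own user ID; each FAIL line names the tip to re-read. vb_config_get only understands the plain key = 'value'; layout of the stock file, so a value built from a PHP expression will not be parsed.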

 

Critical Files

 

9. If you have ever used the tools.php file to fix a broken vBulletin installation, or ImpEx to import threads, posts and users, double-check that they are no longer on your server. Both exist to work around the normal controls during a repair or import, which is exactly why they must not stay on a live forum.

 

CHMOD 644

10. For those on a shared hosting environment, CHMOD all your PHP files to 644. You can do this easily from any FTP client. 644 means the owner can read and write while group and everyone else can only read, so your files are writable only from your own hosting account and not from any other account on the same shared server. They do remain readable by other accounts unless the host isolates users, so keep that in mind for includes/config.php, which holds your database password.
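For tips 9 and 10, an added example (not from the post or from vBulletin) that lists leftover maintenance files and reports or fixes loose permissions under the forum root. It assumes the stock layout, where tools.php is uploaded into the AdminCP directory, ImpEx lives in impex/ and the installer in install/ at the forum root; the AdminCP directory name is passed in because tip 8 renames it. The paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from vBulletin): leftover-file
# and permission checks for a vBulletin forum root (tips 9-10). Locations are
# assumed from the stock layout: <admincp>/tools.php, impex/, install/.

# List files/directories that should not exist on a live forum.
# $1 = forum root, $2 = AdminCP directory name (renamed per tip 8).
# Prints one "remove:" line per hit; returns 1 if anything was found.
vb_find_leftovers() {
    vfl_root=$1; vfl_acp=$2; vfl_rc=0
    for p in "$vfl_acp/tools.php" tools.php impex install; do
        if [ -e "$vfl_root/$p" ]; then echo "remove: $vfl_root/$p"; vfl_rc=1; fi
    done
    return $vfl_rc
}

# Report .php files that group or world can write to (what 644 is meant to
# prevent). Returns 1 if any are found.
vb_check_perms() {
    vcp_bad=$(find "$1" -type f -name '*.php' \( -perm -020 -o -perm -002 \))
    if [ -n "$vcp_bad" ]; then
        echo "$vcp_bad" | sed 's/^/writable by others: /'
        return 1
    fi
}

# Make every .php file 644 (owner rw, everyone else read-only) and every
# directory 755, touching only entries that are not already correct.
vb_fix_perms() {
    find "$1" -type f -name '*.php' ! -perm 644 -exec chmod 644 {} +
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
}

# Usage (paths are placeholders): sh vb-files.sh /home/user/public_html/forum my-area51
if [ $# -eq 2 ]; then
    vb_find_leftovers "$1" "$2" || echo "remove the files above before going live"
    vb_check_perms "$1" || { vb_fix_perms "$1"; echo "permissions corrected"; }
fi
```

Run it with the forum root and your renamed AdminCP directory; the leftover list is printed but never deleted for you, since tools.php in the wrong place may be the only copy of a fix you still need.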

 


 

vBulletin Security Tips – II

Securing your AdminCP

 

11. If you are using the Apache webserver, create a .htaccess file in your AdminCP directory, with the following content in it:

[hidden content]

 

Replace xxx.xxx.xxx.xxx in the above code with your actual IP address, such as 122.168.8.149. If you are on a dynamic IP, put only the first two octets of your address, like 122.168. (note the dot at the end). Bear in mind that a two-octet prefix admits every address in that /16 (65,536 addresses, including your ISP's other customers), so it is a much weaker restriction than a single address; combine it with tip 12 below. To find your IP address or range, go to WhatIsMyIP.com.

 

If you have multiple administrators on your website, put an 'allow' entry in your .htaccess for each of the administrator; like this :

 

[hidden content]

 

NOTE: If you ever need to hand out your AdminCP login in a support ticket, for example at vbulletin.com or vbseo.com, comment out all the lines in the AdminCP's .htaccess by adding a hash (#) to the start of each line, as shown below, so the support staff can reach and log in to your AdminCP:

 

[hidden content]

 

After you're done with the ticket, uncomment the lines to enable the IP restriction again.
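The .htaccess from tip 11, generated and toggled by a script added here as an example (not from the original post). It assumes Apache with either mod_authz_host (2.2 Order/Deny/Allow syntax) or mod_authz_core (2.4 Require ip syntax) and writes both forms inside <IfModule> blocks so the same file works on either version; the addresses in the demo are constructed examples, and the "#vb " marker used for commenting out is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): build and toggle the IP
# allow-list .htaccess for a vBulletin AdminCP directory (tip 11).
# Assumes Apache 2.2 (mod_authz_host) or 2.4 (mod_authz_core); both directive
# forms are emitted inside <IfModule> so the file is valid on either.

# Accept a full IPv4 address (122.168.8.149) or a 1-3 octet prefix, with or
# without the trailing dot (122.168. or 122.168), which Apache treats as a
# network prefix. Each octet must be 0-255.
vb_valid_ip_spec() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){1,3}[0-9]{0,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Print a .htaccess that denies everyone except the given addresses/prefixes.
# Returns 1 and prints nothing on stdout if an argument is malformed or the
# list is empty, so a typo cannot produce a file that locks you out or, on
# Apache 2.4 with no Require line, lets everyone in.
vb_htaccess_allowlist() {
    [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    for spec in "$@"; do
        vb_valid_ip_spec "$spec" || { echo "bad IP spec: $spec" >&2; return 1; }
    done
    echo "# AdminCP IP restriction (generated)"
    echo "<IfModule mod_authz_core.c>"
    for spec in "$@"; do echo "    Require ip $spec"; done
    echo "</IfModule>"
    echo "<IfModule !mod_authz_core.c>"
    echo "    Order Deny,Allow"
    echo "    Deny from all"
    for spec in "$@"; do echo "    Allow from $spec"; done
    echo "</IfModule>"
}

# Comment out every directive ("off", e.g. for a support ticket) or restore
# them ("on"). Lines are prefixed with "#vb " so existing comments are left
# alone and the operation is reversible. $1 = on|off, $2 = path to .htaccess.
vb_htaccess_toggle() {
    case $1 in on|off) ;; *) echo "usage: vb_htaccess_toggle on|off FILE" >&2; return 1 ;; esac
    if [ "$1" = off ]; then expr='s/^\([^#]\)/#vb \1/'; else expr='s/^#vb //'; fi
    sed "$expr" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Demo with constructed addresses: one admin on a fixed IP, one on a dynamic /16.
out=$(mktemp -d)
vb_htaccess_allowlist 122.168.8.149 10.20. > "$out/.htaccess"
cat "$out/.htaccess"
vb_htaccess_toggle off "$out/.htaccess"   # hand the AdminCP to support
vb_htaccess_toggle on "$out/.htaccess"    # restore after the ticket
rm -rf "$out"
```

The directory must permit these overrides: AllowOverride needs Limit for Order/Deny/Allow and AuthConfig for Require. Before relying on the file, load the AdminCP from an address that is not listed and confirm you get a 403.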

 

12. A strong password on the forum admin account plus IP protection on the AdminCP directory is normally sufficient. If you want an added layer anyway, password-protect the AdminCP and ModCP directories with .htpasswd/.htaccess as well: it is a second, independent password that an attacker must also obtain, and it is handled by the web server before vBulletin's own login page is ever served.

 

Guide on how to do it can be found at JavaScriptKit.com

HTML in Posts

 

13. Never allow users to post raw HTML anywhere on your forum. A user who can post raw HTML can post script that runs in the browser of everyone who views the page, including yours while you are logged in as an administrator. Since vBulletin lacks a per-usergroup switch for raw HTML input, it's better to keep the feature disabled altogether.

 

While adding or editing forums and sub-forums via the "Forum Manager", just make sure that the Allow HTML setting under the Enable / Disable Features section is set to No.

Similarly, while adding or editing usergroups via the "Usergroup manager", make sure that the Allow HTML setting under the Signature Permissions section is set to No, too.

 

(Not to be confused with the 'Allow HTML BB Code' setting; which can be safely enabled.)

 

Hard-Delete Posts

14. There are two types of deletions in vBulletin: Soft-delete and hard-delete. Soft-delete effectively 'hides' the post from the users. Administrators and Moderators can still access and view that post, and can un-delete / restore the post if needed.

 

Whereas Hard-delete removes the post from the database, with almost no chance of recovery. To check and revoke the permission to hard-delete posts from a Moderator, go to:

AdminCP » Forums & Moderators » Show All Moderators

 

Click on the [Edit Permissions] link beside each Moderator or Super Moderator's name and check the Can Physically Delete Posts setting. (Make sure the 'No' option is selected)

 

[hidden content]
