Topic: Security Issues, please help!

I have been given the chance to create forums for a commercial website and I cannot mess this chance up!  Since it is so commercial and will be given a lot of attention, I need to know the best way to keep the forums secure to prevent any possible hackers.  Please help me! Thanks guys!

Re: Security Issues, please help!

Keep the forums up to date and you should be fine ;)
Also, more generally, don't use easy-to-guess usernames/passwords.

Moved to PunBB Discussion

Re: Security Issues, please help!

Ok so there is no way someone can type in, for example, mydomain.com/punbb/config.php and hack into anything?  Because I have heard of hackers getting into forums and messing with stuff.

Re: Security Issues, please help!

It's not in the best interest of PunBB to be insecure, now is it :P

Re: Security Issues, please help!

Generally, when I hear of people getting hacked, it's not from the newer and up-to-date scripts they have running. Rather, it's some smaller, generally less frequently updated script that allows the hacker access to the entire site.

And in general, PunBB's pretty secure.

Re: Security Issues, please help!

Burnsy86 wrote:

...I need to know the best way to keep the forums secure to prevent any possible hackers.  Please help me! Thanks guys!

The most fundamental way to run a secure punBB forum is to make sure the server sitting underneath it is secure - ie the server itself (O/S, Apache, MySQL, PHP etc) is appropriately hardened, regularly patched, regularly monitored, and has good defences - eg has a tight firewall running on it, and Apache is running an HTTP request sanitizer like mod_security...

My point is: if you can't be sure your server is secure, including ALL THE OTHER APPS AND SERVICES RUNNING ON IT, forget about trying to secure punBB.

It's that simple. The weakest link in the chain may not be punBB. Focussing just on securing punBB would be a big error.

As for punBB itself, some simple tips:

- choose complex passwords for MySQL and your punBB admin account, natch...
- run some sort of forum spam tool (one of the CAPTCHA mods or the Kismet add-on),
- MINIMISE your usage of punBB's many 3rd party add-ons, mods etc etc. These can introduce vulnerabilities.
- install punBB into a non-standard location (not 'forum.mysite.com' or 'mysite.com/forum').
- try .htaccess password protecting the key punBB admin PHP files
- check, tighten and recheck/retighten the users and permissions set on all your punBB files and folders to ensure
  they are as restrictive as you can practically make them (eg 0644 is nice for your files).
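
An added example (not part of the original post, and not PunBB's own code) for the last tip above: a POSIX shell function that walks an install tree and reports every regular file carrying a permission bit outside 0644. Holding directories to "not group- or world-writable" and flagging set-uid/set-gid/sticky bits on files are assumptions made here, not something the thread specifies.

```shell
#!/bin/sh
# Added example: audit a forum install tree against the 0644 file baseline.
# Assumptions (not from the thread): directories must not be group- or
# world-writable, and set-uid/set-gid/sticky bits on files are findings.

# audit_perms DIR
# Prints one line per finding as "<kind> <path>".
# Returns 0 if the tree is clean, 1 if anything was found, 2 on bad input.
audit_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # Regular files: any execute bit, any group/other write bit,
        # or any special bit means the mode is looser than 0644.
        find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
            -o -perm -0020 -o -perm -0002 \
            -o -perm -4000 -o -perm -2000 -o -perm -1000 \) \
            -exec printf 'file-too-open %s\n' {} \;
        # Directories: writable by group or by everyone.
        find "$root" -type d \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'dir-writable %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /path/to/install
[ "$#" -eq 0 ] || audit_perms "$1"
```

A file stricter than 0644 (for example 0600 on config.php) passes, since the check only looks for bits beyond the baseline.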