MyBB Security Guide


amazinghorse

Security Guide

 

NOTICE BEFORE READING:
This is not a guide to making your forum completely secure and untouchable, but a guide to the many different things one can do to tighten up security. I would also like to note that the latest version of MyBB is very secure even out of the box. Also note that I'm no expert on this; I've never even had a public MyBB forum, but I'm hoping to start one soon. This is mostly about securing MyBB itself; look elsewhere for information on securing any other web applications that you are hosting.

The key points

#1 Keep your forum as up to date as possible
It is very important that you keep everything up to date, and this includes plugins.
Make sure to manually check for updates in the Admin CP often and/or frequent the downloads section of mybb.com.


#2 Check before installing plugins
Plugins have the potential to bring down your whole forum if they are insecure or intentionally backdoored. Google is your friend here: read any posts and advisories about the plugin and prefer download sources that are more likely to be trustworthy. Don't use cracked/nulled plugins. If you can read PHP, look through the code. If the code is encrypted or obfuscated and the plugin is not commercial, be very careful. Look into the plugin author and their credibility as well. Using a plugin that is used on HF and made by labrocca, for example, is a much better idea than some random thing you found dumped on the net.


#3 Use secure and unique passwords
Ensure the passwords to all powerful accounts are different, unique, long and drawn from a wide range of characters.

*ndEyd7_-38Dne3dhy3(8ednYe}&yDp2@04(jNPKNBGgdue

^ This is the type of thing you want as the password for any account with powers that could damage the forum. Don't reuse passwords from other forums: if one of those sites is breached, the same password will be tried against yours. If you can't remember the password, store it in an encrypted vault such as a KeePass database.

#4 Deny access to directories
There are a number of directories in MyBB that contain files that never need to be requested from a browser. It's a good idea to deny access to these.

Directories to protect

{root}/inc

{root}/install (whenever not needed)

{root}/{admincpdir}/inc

{root}/{admincpdir}/modules

As there is no legitimate reason to request this content, create a .htaccess file in the root of each of these directories containing the following (this is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent line is Require all denied):

deny from all

Another way to add security is to add to, or create, a .htaccess file in the forum root containing

Options -Indexes

to stop anyone listing the contents of folders that have no index file.

Another thing you can do is rename the admin directory. To do this open

{root}/inc/config.php

and edit

$config['admin_dir']

to whatever you want your new directory to be, then rename the actual directory from 'admin' to the name you specified in config.php. This does not add much security on its own, because the forum still links to the new name, unless you also set

$config['hide_admin_links']

to 1 (note that you will then need to reach the AdminCP from a bookmark rather than from a link on the front end).
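The directory protections and config checks described above, as an added example that is not part of the original guide. It assumes Apache with .htaccess processing enabled (AllowOverride) and a stock inc/config.php containing the $config['admin_dir'] and $config['hide_admin_links'] lines; the forum path in the usage comment is made up. The deny rules are written in both the Apache 2.4 (mod_authz_core) and the 2.2 form so the same file works on either version, with IfModule guards so the two syntaxes are never mixed in one scope.

```shell
#!/bin/sh
# Added example (not from the MyBB guide): apply the "Deny access to
# directories" hardening to a MyBB tree and verify it afterwards.
# Assumes Apache with .htaccess enabled and a stock inc/config.php.
set -u

DENY_ALL='<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>'

# Print the value of $config['KEY'] from ROOT/inc/config.php, or DEFAULT.
# Handles both quoted strings ('admin') and bare numbers (1).
mybb_config_value() {   # ROOT KEY [DEFAULT]
    v=$(grep "config\['$2'\]" "$1/inc/config.php" 2>/dev/null \
        | sed -n "s/.*=[[:space:]]*['\"]\{0,1\}\([^'\";]*\)['\"]\{0,1\}[[:space:]]*;.*/\1/p" \
        | head -n 1)
    printf '%s\n' "${v:-${3:-}}"
}

# Append the deny-all block to each sensitive directory's .htaccess (created
# if missing) and make sure the forum root has Options -Indexes. Idempotent:
# existing rules are kept and nothing is added twice.
mybb_protect_dirs() {   # ROOT
    root="$1"
    admin=$(mybb_config_value "$root" admin_dir admin)
    for d in inc install "$admin/inc" "$admin/modules"; do
        [ -d "$root/$d" ] || continue        # install/ is usually already deleted
        f="$root/$d/.htaccess"
        grep -qs 'Require all denied' "$f" || printf '%s\n' "$DENY_ALL" >> "$f"
    done
    grep -qs -e '-Indexes' "$root/.htaccess" \
        || printf 'Options -Indexes\n' >> "$root/.htaccess"
}

# Report anything still open. Returns 0 only when every check passes.
mybb_check_dirs() {     # ROOT
    root="$1"
    admin=$(mybb_config_value "$root" admin_dir admin)
    rc=0
    for d in inc "$admin/inc" "$admin/modules" install; do
        [ -d "$root/$d" ] || continue        # a deleted install/ is fine
        if ! grep -qs -e 'Require all denied' -e 'Deny from all' "$root/$d/.htaccess"; then
            echo "UNPROTECTED: $d/"; rc=1
        fi
    done
    if [ "$(mybb_config_value "$root" hide_admin_links 0)" != 1 ]; then
        echo "WARN: hide_admin_links is not 1 (a renamed admin dir is still linked)"; rc=1
    fi
    if ! grep -qs -e '-Indexes' "$root/.htaccess"; then
        echo "WARN: directory listing not disabled in root .htaccess"; rc=1
    fi
    return $rc
}

# Usage (hypothetical path): sh harden_dirs.sh /var/www/forum
if [ $# -ge 1 ]; then
    mybb_protect_dirs "$1"
    mybb_check_dirs "$1" && echo "OK: $1"
fi
```

Run it once after installing, and again after every upgrade, since an upgrade package may recreate install/ or overwrite a .htaccess it ships with.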


#5 Obscure, obscure, obscure
Make it as hard as possible for a potential attacker to learn accurate details about your forum.

Change the default table prefix (mybb_). This is easily done in the installation wizard on a fresh install of MyBB. It can also be changed afterwards in

config.php

but only people who know what they are doing should attempt that once MyBB has been installed, and note that a few plugins break with a non-default table prefix. A non-default prefix makes SQL injection attempts that assume the standard table names fail; it is obscurity on top of, not a substitute for, fixing the injection itself.

Other things you can do include giving your main account (the one you post with) super moderator permissions only, and giving super admin to a separate, extremely well-secured account whose primary usergroup is a normal one, so it does not stand out.


#6 Lock down the AdminCP
It's very important to implement extra security on the AdminCP to prevent unwanted access.
Here are a few things you can do.

 

Add extra auth with .htpasswd
http://www.htaccesstools.com/htpasswd-generator/
http://www.htaccesstools.com/htaccess-authentication/
^ The above links can be used to generate the files needed to do this (or generate the .htpasswd entry locally with the htpasswd tool that ships with Apache, so the password never leaves your machine). Once done, simply place the .htpasswd and .htaccess files in the AdminCP directory for some extra security; if you can, keep the .htpasswd outside the web root and point AuthUserFile at it. Make sure the username and password are different from the admin account's.


Add an IP whitelist to the AdminCP
You can use .htaccess to permit only certain IPs to access the AdminCP, which is very effective. (It's not a good idea if you have a dynamic IP, though, because you may find yourself locked out one day.) Put, or add to, a .htaccess file in the AdminCP root containing the following (Apache 2.2 syntax; on Apache 2.4 the equivalent is a single line, Require ip Your.static.ip.address):

Order Allow,Deny

Allow from Your.static.ip.address

Add a PIN to the AdminCP
This does pretty much the same thing as .htpasswd but can look a little nicer. There are plenty of tutorials on this, so just search for one.

Remove the backup system from the AdminCP
If someone gained unauthorized access to the AdminCP they could easily dump the whole database using the built-in backup feature. It's a good idea to disable this if you are not going to use it.

Simply go to

{root}/{admincpdir}/modules/tools/backupdb.php

and add the following line directly after the opening

<?php
die('Backups Disabled');

When you do want to take a backup, comment out the added line, and uncomment it again when you are done.
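The AdminCP lock-down steps above (IP whitelist plus .htpasswd, and the backup module switch), as an added example script that is not part of the original guide. It writes one .htaccess for the admin directory that requires both a whitelisted source IP and a valid HTTP Basic login, in the Apache 2.4 and 2.2 forms, and toggles the backup module by inserting die() right after the opening <?php of backupdb.php. The forum path, the admin directory name "panel" and the IPs are assumptions; the .htpasswd itself is created separately, for example with htpasswd -B -c /etc/mybb/.htpasswd adminuser.

```shell
#!/bin/sh
# Added example (not from the MyBB guide): lock down the AdminCP directory
# with an IP whitelist AND Basic auth, and toggle the backup module.
set -u

# Dotted-quad sanity check so a typo in the whitelist cannot lock everyone
# out or, through a malformed rule, let everyone in.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# ROOT ADMIN_DIR HTPASSWD_ABS_PATH IP [IP...]  -> writes ROOT/ADMIN_DIR/.htaccess
# AuthUserFile must be an absolute path, ideally outside the web root.
mybb_admin_htaccess() {
    root="$1"; admin="$2"; htpasswd="$3"; shift 3
    [ $# -ge 1 ] || { echo "refusing: no allowed IPs given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "refusing: bad IP '$ip'" >&2; return 1; }
    done
    {
        echo 'AuthType Basic'
        echo 'AuthName "MyBB AdminCP"'
        echo "AuthUserFile $htpasswd"
        echo '<IfModule mod_authz_core.c>'       # Apache 2.4: every Require must hold
        echo '    <RequireAll>'
        echo '        Require valid-user'
        echo "        Require ip $*"
        echo '    </RequireAll>'
        echo '</IfModule>'
        echo '<IfModule !mod_authz_core.c>'      # Apache 2.2: Satisfy All = IP and login
        echo '    Order Deny,Allow'
        echo '    Deny from all'
        for ip in "$@"; do echo "    Allow from $ip"; done
        echo '    Require valid-user'
        echo '    Satisfy All'
        echo '</IfModule>'
    } > "$root/$admin/.htaccess"
}

# Insert die() as the first statement of backupdb.php (idempotent).
mybb_disable_backup() {   # ROOT ADMIN_DIR
    f="$1/$2/modules/tools/backupdb.php"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    grep -q "^die('Backups Disabled');\$" "$f" && return 0
    [ "$(head -n 1 "$f")" = '<?php' ] || { echo "unexpected first line in $f" >&2; return 1; }
    { head -n 1 "$f"; echo "die('Backups Disabled');"; tail -n +2 "$f"; } > "$f.tmp" \
        && cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # cat keeps owner and mode
}

# Remove that line again when a backup is actually needed.
mybb_enable_backup() {    # ROOT ADMIN_DIR
    f="$1/$2/modules/tools/backupdb.php"
    grep -q "^die('Backups Disabled');\$" "$f" || return 0
    grep -v "^die('Backups Disabled');\$" "$f" > "$f.tmp" \
        && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Usage (hypothetical paths):
#   sh lock_admincp.sh /var/www/forum panel /etc/mybb/.htpasswd 203.0.113.7
if [ $# -ge 4 ]; then
    mybb_admin_htaccess "$@" && mybb_disable_backup "$1" "$2" && echo "AdminCP locked down"
fi
```

The script refuses to write anything if the IP list is empty or malformed, because a half-written rule is the one failure mode worse than no rule: with Basic auth in place but no valid Allow/Require ip line, either everyone with a password gets in or nobody does, depending on the Apache version.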

These are the key points. After this I will just add a few extra tips and some links for more info.

  • Run MyBB with a database user that is not used by anything else on your website, so that one compromise does not lead to another
  • Restrict the database user that MyBB uses to the privileges it actually needs and nothing more
  • Restrict PHP to the functions that are needed and nothing more (disable_functions in php.ini)
  • Remove any features you don't need (don't use the portal? then remove it; don't use the calendar? then disable it, etc.)
  • Make sure you don't have scrutinize IP enabled unless you really, really, really know what you are doing
  • Search forums and exploit databases for new exploits often
  • If you are starting a forum from scratch, change how passwords are salted and hashed for some extra obscurity in the event your DB is leaked
  • If you've left anything in areas the public can access, such as a plugin zip file or a phpinfo.php, be sure to remove it
  • If something is suspicious... CHECK IT OUT!


Credits for this material: http://community.mybb.com/thread-131553.html
