
phpBB Security Guide


amazinghorse


Security Guide
The new branch of phpBB, phpBB 3, is quite secure. After some major security flaws in phpBB 2, the phpBB developers paid great attention to the security of the new branch. According to the script's changelog and users' reports, there have been just several minor security issues, and they were resolved quite fast.
Still, this article lists useful practices that will further improve the security of your phpBB 3 forum.

TIPS



Keep your software up-to-date
This rule applies to all the applications that you use. Keep your local computer software (OS, anti-virus program, firewall, web browsers, etc.) and web applications (scripts, extensions, components, modules, plugins) upgraded to their latest stable versions.

Custom Database tables prefix
A wise solution is to set a custom database table prefix during the phpBB 3 installation. If your hosting provider supports an auto-installer like Softaculous, just enter the new value in the "Table Prefix" field. The manual phpBB 3 installation also lets you enter the chosen table prefix in the "Prefix for tables in database:" field.
Changing the table prefix in an existing phpBB 3 installation is more difficult. First, edit the config.php file and set the new prefix in the following field:
$table_prefix = 'phpbb_';

 
If you have custom modules integrated in your forum, check whether they have additional configuration files. You might need to make the same change in them.
Next, you should rename all the tables in the database. You can run the queries through a tool like phpMyAdmin.
The query for each table should be:

RENAME TABLE phpbb_table_name TO newprefix_table_name;
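
Writing one query per table by hand is easy to get wrong on a forum with dozens of tables. The following added example (not part of the original guide) builds a single RENAME TABLE statement for every table that carries the old prefix; the table list and the new prefix `f7k2_` are constructed sample values.

```python
import re

# Only letters, digits and underscore are accepted, so nothing can break out
# of the backtick-quoted identifiers in the generated SQL.
_SAFE_IDENT = re.compile(r"^[A-Za-z0-9_]+$")

def build_prefix_rename(tables, old_prefix, new_prefix):
    """Return one RENAME TABLE statement moving old_prefix tables to new_prefix.

    tables: table names as listed by SHOW TABLES. Tables without old_prefix
    (other applications sharing the database) are left alone.
    """
    for ident in (old_prefix, new_prefix):
        if not _SAFE_IDENT.match(ident):
            raise ValueError(f"unsafe prefix: {ident!r}")
    if new_prefix == old_prefix:
        raise ValueError("new prefix equals old prefix")

    existing = set(tables)
    pairs = []
    for name in sorted(existing):
        if not name.startswith(old_prefix):
            continue
        if not _SAFE_IDENT.match(name):
            raise ValueError(f"unsafe table name: {name!r}")
        # Swap only the leading prefix; a plain str.replace would also
        # rewrite a later occurrence inside the table name.
        target = new_prefix + name[len(old_prefix):]
        if target in existing:
            raise ValueError(f"target already exists: {target}")
        pairs.append(f"`{name}` TO `{target}`")
    if not pairs:
        raise ValueError(f"no tables start with {old_prefix!r}")
    # A multi-table RENAME TABLE is atomic in MySQL: either every table is
    # renamed or none is, so the forum is never left half-migrated.
    return "RENAME TABLE\n  " + ",\n  ".join(pairs) + ";"

# Constructed sample: a phpBB database shared with another application.
SAMPLE_TABLES = ["phpbb_users", "phpbb_posts", "phpbb_mod_phpbb_stats", "wp_options"]

if __name__ == "__main__":
    print(build_prefix_rename(SAMPLE_TABLES, "phpbb_", "f7k2_"))
```

Take a database backup before running the generated statement, and update `$table_prefix` in config.php in the same maintenance window so the forum does not run against the old names.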

 
Additional admin login page
To add a new layer of security to your admin login, you should password protect the admin folder. In phpBB 3 the default admin folder is called "adm". Hosting providers usually have a password protection tool embedded in their control panels. If your hosting provider uses cPanel, you can password protect the folder through the Password Protect Directories tool. The tool will create a .htaccess file under the "adm" folder. Make sure that the password you use is different from the one set during the initial phpBB 3 installation.
Always use strong passwords that contain a random sequence of letters, numbers and special characters.

Restrict the admin folder access
If you access your forum from a computer with a static IP, you can restrict access to the admin area. Enter the code listed below in the .htaccess file under the "adm" folder. It will allow access only from your local computer.
 
Order Deny,Allow
Deny from all
Allow from 123.123.123.123

 
Instead of 123.123.123.123 use your IP. It can be checked at: http://whatismyipaddress.com/
The file can be edited either with FTP or with cPanel->File Manager. You can add more IPs to the list, separated by spaces.
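
A typo in this file either locks you out with a server error or silently leaves the folder open. The check below is an added example (not part of the original guide) that audits an "adm" .htaccess before it is uploaded, including the `Order Deny, Allow` spelling with a space after the comma, which Apache rejects. It covers only the Order/Deny/Allow syntax used here (Apache 2.4 handles it through mod_access_compat; its native form is `Require ip`), and the sample file contents are constructed.

```python
import ipaddress

def audit_adm_htaccess(text):
    """Check an Order/Deny/Allow allow-list; return (problems, allowed_networks)."""
    problems, allowed = [], []
    has_order = has_deny_all = False
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        kw = [t.lower() for t in tokens]
        if kw[0] == "order":
            has_order = True
            # Apache accepts only a comma between the keywords, no whitespace.
            if len(kw) != 2:
                problems.append("Order: needs one argument with no whitespace, e.g. Deny,Allow")
            elif kw[1] != "deny,allow":
                problems.append(f"Order: expected Deny,Allow, found {tokens[1]}")
        elif kw == ["deny", "from", "all"]:
            has_deny_all = True
        elif kw[:2] == ["allow", "from"]:
            for host in tokens[2:]:
                if host.lower() == "all":
                    # With Deny,Allow the Allow rules win, so this reopens the folder.
                    problems.append("Allow from all cancels the restriction")
                    continue
                try:
                    allowed.append(ipaddress.ip_network(host, strict=False))
                except ValueError:
                    # Policy of this check: only literal addresses or CIDR ranges.
                    problems.append(f"Allow from: {host} is not an IP address or CIDR range")
    if not has_order:
        problems.append("missing Order directive")
    if not has_deny_all:
        problems.append("missing Deny from all")
    if not allowed:
        problems.append("no Allow from address")
    return problems, allowed

# Constructed samples: the same rule with and without a space after the comma.
SPACED = "Order Deny, Allow\nDeny from all\nAllow from 123.123.123.123\n"
CLEAN = "Order Deny,Allow\nDeny from all\nAllow from 123.123.123.123 203.0.113.7\n"

if __name__ == "__main__":
    for name, sample in (("SPACED", SPACED), ("CLEAN", CLEAN)):
        print(name, audit_adm_htaccess(sample))
```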

Backup your forum
Keeping backups of your script often lets you quickly and easily restore the stable functionality of your web site. It does not matter whether the script has been compromised by hackers or broken by a custom code modification made on your end. Restoring the backup will bring the web site back to its normal state. Hosting providers usually create daily or weekly backups of your account. Still, you can additionally take care of this task yourself. Detailed instructions can be found in this knowledge base article.

Enhance the users registration
phpBB 3 has some useful options which will stop most malicious user registration attempts. Open your forum's admin area and load the "User registration settings" section.
For the "Account activation" option, pick "By user (email verification)". During registration the user will have to provide a valid e-mail account and approve the registration through a confirmation link delivered to it.
For "Password complexity", select "Must contain symbols". This way the user will have to enter letters, numbers and symbols in the chosen password.
Leave the default values of the other options.

Forums that follow the above-mentioned tips experience 80% fewer security problems. If your forum gets hacked despite the measures taken, you should contact your host for assistance and try to get more specific security tips from the community via the discussion boards.

Credits for this material: http://www.siteground.com/phpbb-security.htm


Top 5 Security Mods for phpBB



No forum software is fully secure from the onslaught of hackers and spammers, and needs to keep being updated by new modifications and plugins to safeguard against such attacks. The open source nature of phpBB makes it more vulnerable to attacks. phpBB developers are constantly working towards identifying security gaps and trying to fix them.
Some of the main features added to provide protection to your forum from being attacked by hackers are:
  • Providing a sophisticated authorization system;
  • Effective encryption, which helps ensure the safety of the passwords in the database;
  • Proper running of the URL and cookie sessions.

5 Security Mods for phpBB
Some helpful security mods for phpBB are:

RAC Mod: In this Mod, the administrator defines an auth code which you need to enter while registering. After this, the administrator may ask you a question, the answer to which is the code. The advancements made to this mod are:

  • Language variable being used properly;
  • phpBB templates being used properly;
  • Unnecessary steps have been removed;
  • Instructions are made more detailed.

Peoplesign CAPTCHA Plugin: This is a unique and new picture based CAPTCHA which gives its owners millions of different ways to customize and use it as per their liking. It is easy to install. People visiting the forum are given a picture-based text to enter the forum and by this means automated bots can be kept away.

Show Password Strength: This mod shows users the strength of their password. It displays a color code for the password strength, green for strong and red for weak. Along with this, there is a text indicator such as ‘Very Strong’, ‘Strong’, ‘Good’, ‘Weak’ and ‘Very Weak’. The password strength is graded on:

  • Mixed case alphabets;
  • Numbers;
  • Special characters;
  • More than 12 characters in the password.

Breizh Ajax Checks: This mod is fast, and the language used by the Ajax checks on the registration page can be changed. With this mod, the email address, password and username are checked in real time on the registration page as well as on the edit account settings page.

Key CAPTCHA: An innovative anti-spam service which is provided free. It protects your website from spam and also works as an instrument for income acquisition. Unlike other CAPTCHAs, it does not require typing any text.

phpBB is not fully protected from all attacks by hackers and spammers present on the net. While there are people working on mods to improve the situation, one should take precautions and be vigilant to ensure that the forum is not attacked. phpBB security does not merely involve protecting your forum from being hacked; it also involves the security of visitors' personal information and data and the integrity of the member list as well as the community. Issues that may take up a lot of admin and moderator time include automated signups, member list abuses, email address harvesting and dropping links.

Credits for this material: http://www.webmasterscafe.com/top-5-security-mods-for-phpbb/
