WoodiE55
09-15-2006, 06:59 AM
Making your forum a little more secure
First, there is no one be-all and end-all when it comes to security, and there is no server out there that can’t be hacked; however, the more LAYERS of security you have on your site, the lower your odds are of being hacked. With that, I’d like to share one or two of the many layers I use to protect not just my forum but also many other areas of my site.
Layer one:
One of my favorite features, but probably the most under-used feature of vBulletin, is the ability to change your admin and mod control panel directory. How is this a security feature, you may ask? Go to any vBulletin forum you know of and type in www.example.com/forum/admincp and 9 times out of 10 you’ll be taken to the admin control panel login page. Point is, everyone that’s familiar with vBulletin knows how to get to your admin control panel, and with the use of a Brute Force attack there is that chance of getting access to your admin panel. Going back to my favorite feature of vBulletin, I like to change that directory to say /image or maybe /blue_flying_ponies; it doesn’t matter, it can be whatever floats your boat. So now when a hacker goes to www.example.com/forum/admincp he gets a 401-error page, and now in order for him to Brute Force attack your admin panel he must figure out what you’ve named your control panel. Make sense? Good, now that’s layer one!
Layer two:
For those of you that have access to a control panel such as cPanel you can very easily password protect any folder on your website.
To enable password protection, simply follow these steps:
1. Log in to your cPanel and click on the Password Protected Directories icon.
2. On the next screen, you’ll be presented with a listing of your website’s main folders or any files placed directly under the public_html folder. If you wish to secure one of these, simply click on its name. If you aim to drill deeper, then click on the icon beside the folder’s name and you’ll be taken another level deeper. Continue drilling down till you hit the file or folder you wish to protect. Click on its name.
3. Mark the checkbox that says ‘Directory/File requires a password’.
4. Give the protected resource a name like ‘Members Area’ etc. and click Save.
5. Enter a username and password for the directory, then press “Add/Modify User”.
6. Now when a website visitor tries to access this protected folder, he will be prompted for a password.
For those of you that do not have a control panel like cPanel but have access to .htaccess file then you can follow this tutorial: http://www.javascriptkit.com/howto/htaccess3.shtml
The benefit of doing this is that it adds a second username and password, which can be and should be totally different from your forum username and password. This means the possible hacker has two sets of usernames and passwords that he must figure out and then hack, thus creating a second, secure layer of security.
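As an added example (not from the original post or the linked tutorial), here is a Python script that produces the two files the .htaccess approach relies on: the `.htaccess` stanza that switches on HTTP Basic authentication for a directory, and an `.htpasswd` line in the APR1 MD5 format that Apache’s `htpasswd -m` writes. The realm name, user name, file paths and salts are constructed placeholders. It assumes the server is Apache with `AllowOverride AuthConfig` enabled for that directory, and that the `.htpasswd` file is kept outside the web root.

```python
import hashlib
import secrets

# Alphabet used by crypt-style hashes for both the salt and the encoded digest.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: str, salt: str) -> str:
    """Return an Apache APR1 ("$apr1$") hash, the scheme `htpasswd -m` uses.

    This is the FreeBSD md5crypt construction with a different magic prefix:
    an initial MD5 over password/magic/salt, 1000 stretching rounds, and a
    crypt-style encoding of the final 16-byte digest.
    """
    pw = password.encode()
    sl = salt[:8].encode()
    if not sl or any(c not in ITOA64 for c in sl):
        raise ValueError("salt must be 1-8 characters from ./0-9A-Za-z")

    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in as many bytes of alt as the password is long
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                 # one byte per bit of the password length
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                      # key-stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (MAGIC + sl + b"$" + encoded).decode()


def new_salt() -> str:
    """Eight random characters from the crypt alphabet."""
    return "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))


def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """One `.htpasswd` line of the form `user:$apr1$salt$hash`."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    return f"{user}:{apr1_md5(password, salt or new_salt())}"


def htaccess_text(realm: str, passwd_path: str) -> str:
    """The `.htaccess` stanza that requires a valid `.htpasswd` user for the directory."""
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {passwd_path}\n"
        "Require valid-user\n"
    )


def verify(line: str, password: str) -> bool:
    """Check a candidate password against a stored `user:$apr1$salt$hash` line."""
    _, stored = line.split(":", 1)
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_md5(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample values: a placeholder realm, user and path.
    print(htaccess_text("Staff area", "/home/example/.htpasswd"), end="")
    print(htpasswd_line("cpadmin", "correct horse battery staple"))
```

Write the first output into the `.htaccess` file of the protected folder and append the second line to the `.htpasswd` file named in `AuthUserFile`; the `verify` function shows how the server-side check works and why a new random salt per user matters (two users with the same password still get different hashes).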
Putting it all together:
Now for a third layer that’s sure to mess with any hacker: putting the above two steps together and adding a third element. First I’ll change the admin AND staff control panel folders to something that no one would even think of a control panel being in; second I’ll go to cPanel and password protect both new folders with a different username and password for each control panel. The third element I like to throw in there is to then go back and re-create an admincp and modcp folder in my forums, upload a blank index.html file, then password protect those two folders as well using some crazy long username and even longer password.
What does this do? Well, going back to my first statement, EVERYONE that’s familiar with vBulletin knows where the mod and admin control panels are located, so I play off that effect. A hacker will go to my forums at www.example.com/forum/admincp and notice it’s password protected; this alone might be enough to run them off to try and find a weaker site. In the case of it not being enough to scare them off, they now have to hack that username and password before they realize the username and password they spent all that time trying to hack only protects a blank index.html page, which then leads them back to square one – where the heck is my admin panel?
Pretty cool huh? Again no site is un-hackable, however the harder it is for a hacker to get into your site the more likely they will move on to another site, one that’s not so secure. Going back to layer two, password protecting folders: this method can be used on any folder on your site, and I do password protect other folders. For one, I also run WordPress on my site; those familiar with WordPress also know how to access the WordPress admin panel, so I password protect that folder as well, again making it a dual login that needs to be hacked instead of just one, and this goes for any other script where the admin panel is in its own folder!
Finally, all the above security layers are something you can do yourself, regardless of what your web host already does to make your server secure – however, doing all the above is pointless if you’re using passwords like “password” or “abc123”; you MUST use strong passwords. Use lowercase, uppercase, special characters and so on. Microsoft has a nice online utility ( http://www.microsoft.com/athome/security/privacy/password_checker.mspx ) into which you type possible passwords and it gives you a bar graph of how weak or strong your password is; if it comes back as weak or medium then I’d strongly suggest changing your password(s).
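As an added example (my own code, not the post’s and not Microsoft’s checker), here is a small Python strength rater of the kind the paragraph describes. It grades a password weak, medium or strong from three signals: whether it is a common password with the usual tweaks stripped off (case, trailing digits and symbols), how many character classes it mixes, and a length-times-alphabet guess-entropy estimate. The blocklist is a constructed sample and the 36/60-bit thresholds are my own assumption; a real deployment would load a large breach-derived list.

```python
import math
import string

# Constructed sample blocklist; a real one would come from a breach-derived list.
COMMON_PASSWORDS = {
    "password", "abc123", "123456", "12345678", "qwerty",
    "letmein", "admin", "welcome", "iloveyou", "monkey",
}

# Character classes and the size of the pool each one adds to the search space.
CLASSES = (
    ("lowercase", set(string.ascii_lowercase), 26),
    ("uppercase", set(string.ascii_uppercase), 26),
    ("digits", set(string.digits), 10),
    ("symbols", set(string.punctuation + " "), 33),
)


def classes_used(password: str) -> list:
    """Names of the character classes that appear in the password, in CLASSES order."""
    chars = set(password)
    return [name for name, members, _ in CLASSES if chars & members]


def entropy_bits(password: str) -> float:
    """Upper-bound guess entropy: length * log2(size of the pools actually used)."""
    used = classes_used(password)
    pool = sum(size for name, _, size in CLASSES if name in used)
    return len(password) * math.log2(pool) if pool else 0.0


def normalise(password: str) -> str:
    """Strip the tweaks people bolt onto a dictionary word: case and trailing digits/symbols."""
    return password.lower().rstrip(string.digits + string.punctuation)


def rate(password: str) -> tuple:
    """Return ('weak' | 'medium' | 'strong', reasons), in the spirit of the online checkers."""
    reasons = []
    if normalise(password) in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        reasons.append("based on a very common password")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(classes_used(password)) < 2:
        reasons.append("uses only one character class")
    if len(set(password)) <= max(1, len(password) // 3):
        reasons.append("too many repeated characters")
    bits = entropy_bits(password)
    # Any structural failure is weak regardless of the raw entropy figure.
    if reasons or bits < 36:
        return "weak", reasons or [f"only about {bits:.0f} bits of guess entropy"]
    if bits < 60:
        return "medium", [f"about {bits:.0f} bits of guess entropy; add length"]
    return "strong", [f"about {bits:.0f} bits of guess entropy"]


if __name__ == "__main__":
    # Constructed sample inputs, including the two the post names as bad.
    for candidate in ("password", "abc123", "Password1!", "Summer2006",
                      "correct horse battery staple"):
        grade, why = rate(candidate)
        print(f"{candidate!r}: {grade} ({'; '.join(why)})")
```

Note that `Password1!` is still rated weak: mixing classes does not help when the stem is a blocklisted word, which is exactly the case a pure character-class rule misses.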
In closing, use strong passwords and create security layers. The harder you make it for a hacker the more likely they are to just pass you up. Enjoy and I hope this helps some of you.