vBulletin is well known for staying on top of updating their forum software to fix security flaws and miscellaneous bugs. Sometimes I personally wish the releases wouldn’t come as fast (from the standpoint of template changes!). In addition to keeping your vBulletin version up to date, there are other things that you can do to make your vBulletin forum more secure.
1. As mentioned above, keep your forum up to date with the latest release of vBulletin.
2. Rename your Admincp and Modcp directories. Be sure to change their names in the config.php file.
// ****** PATH TO ADMIN & MODERATOR CONTROL PANELS ******
// This setting allows you to change the name of the folders that the admin and
// moderator control panels reside in. You may wish to do this for security purposes.
// Please note that if you change the name of the directory here, you will still need
// to manually change the name of the directory on the server.
$config['Misc']['admincpdir'] = 'admincp';
$config['Misc']['modcpdir'] = 'modcp';
3. Password protect your Administrator and Moderator Control Panels directories as well as the install and includes directories using .htaccess/.htpassword http://www.javascriptkit.com/howto/htaccess3.shtml. You can also do this in cPanel if you are on a hosts using cPanel.
4. If you are upgrading or have upgraded from previous versions of vBulletin, make sure the tools.php (vB3) file is NOWHERE on your server.
5. Edit your config.php and make yourself a undeleteable user.
// ****** UNDELETABLE / UNALTERABLE USERS ******
// The users specified here will not be deletable or alterable from the control panel by any users.
// To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = 'YOUR USER ID HERE';
Tip: If you are upgrading your forums make sure you don’t forget to rename the directories again!
6. Remove the ImpEx files if you had used this import system.
7. If you have phpMyAdmin make sure it’s password protected.
8. DO NOT store backups in the publicly accessible area of your server. Too many times I work on clients forums to find they have been saving their backups to public_html/backups directory or something similar. No password protection, nothing. All their forums files and database there for the internet users to see!
9. Use unique and different passwords for your forum account, and those forums and websites you frequent. You can use sites like http://www.goodpassword.com/ to generate them for you or search Google for a password strength tester to determine how secure your password is. If you use the same username on multiple forums, and your single use password is compromised, you have now given access to all those forums and sites to the person who has your password.
10. Make sure your vBulletin file permissions are set to chmod 644 (Read Access), and that none are chmod 777 (Read/Write Access).
cd /path/to/your/vBulletin
chmod -R 644 *.php
11. When installing or upgrading, do NOT upload the directory called “do_not_upload”. Seems simple enough yet some do.
12. Never allow HTML in posts, PM’s and sigs.
13. Less is more. As much as you may be tempted to use every vBulletn mod that gets published on vBulletin.org, don’t. Use modifications sparingly. The more mods you have, the less secure your vBulletin becomes. “Coders” do not always code with security in mind.
14. Make absolutely sure there are no viruses, trojans or keylogger spyware on your PC. Any of these could steal your password and other personal info.
15. Last but not least, since there is always room to become more secure, I’ll end with this: “Think twice before giving members a staff position”. Pick your staff members wisely. You give them access to more commands which allows them to harm your site. Once they are a moderator they can ruin the mood on your site, they can mass delete posts if they have the permission and they can edit the posts of existing members. Super moderators can do this in every forum. Super Moderators and Moderators have access to the modcp/ directory, but not the admincp/ directory. If you give someone Administrator access on your forum you basically give them full access to your site (except for FTP). They can download your database or delete forums and usergroups, delete threads and posts or change settings, etc. So check your admin permissions on a per admin user. And think twice before you give someone admin access to your forum.
Tip: I don’t recommend to give other admins access to the phpmyadmin or ftp or control panel of your site, and especially not to the members area on vBulletin.com (Because giving someone else access to your members area means they can take over your vBulletin account; Also note that the vBulletin staff will never ask you for your customer password in full)
Tip: For added security check the control panel log history and set up password history so important usergroups are more secure by having to change their password once in a while. And request them to use a hard to guess password.
Tip: Do not give anyone plugin / product management access. Giving people access to code plugins on your live production system is like asking to be hacked because they can interupt any standard vBulletin process.
