How to secure your forum from Hackers


    • How to secure your forum from Hackers




      Running a forum is not technically difficult these days. But keeping it up and running without hassles is. Apart from the hosting woes, you need to deal with spammers, hackers and what not.


      Secure your hosting

      Let us hope your host is smart enough to handle DDoS attacks using CloudFlare or similar technologies. And make sure that your directories and files have proper permissions that meet industry standards. Avoid anything that gives 777 permissions on your hosting. That would be an open invitation to someone who wishes to do harm to your website. For those who do not know, 777 will allow anyone (i.e. user, group and world) read, write and execute permissions on your hosting.

      Make sure you change your cPanel (or other control panel, if you use something different) login password if you had to share it with someone else (avoid this if possible). The same applies to your FTP password.

      Make sure you verify the security of whatever you install on your hosting. Some billing or control panel scripts might give you security issues you never thought of.


      Stop access to the Admin Control Panel (ACP)

      The next security vulnerability is through your script. Normally, admins are given a lot of privileges that can be misused by hackers. The most basic of precautions is to limit access to the Admin Control Panel to an IP range in which you operate.

      Some scripts give a Two Factor Authentication (2FA) feature as well. Make use of it and use your phone or email to add another layer of security to your admin control panel.

      Another chance of getting ACP access compromised is when you start distributing admin accounts. This can be operations based, in which you add more admins to your forum, or giving someone an admin account in order to get some troubleshooting done. Both are however highly discouraged if you do not want your forum's safety compromised. It would be better to give an admin account with restricted access (i.e. no access to templates and similar) if you cannot avoid giving access to the admin control panel.

      Also revoke the admin account once you finish the troubleshooting activity. It will be prudent not to hand over admin control panel access to some untrustworthy or unknown person. Also, acquire some basic coding skills to go through your core templates and make sure no malicious code has been added to them while you shared the admin control panel access.


      Make sure you are up to date

      Always use scripts which get regular updates that fix potential vulnerabilities. The same applies to your themes and plugins. Build a tech team that will monitor information about the release of new updates and keep your forum script and addons updated. It would be a bad lookout if you update just the core and leave addons or themes vulnerable to attack from hackers.


      Scan and check if your forum is already compromised

      Use some website scanning tool like Sucuri (sitecheck.sucuri.net/) to make sure that you are not already victimized. This gives you an option to correct your previous errors and fix them.

      I have checked admin-hub and it came clean.



      Good luck and happy foruming.

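      A small audit script for the permissions point above (an added example, not code from the original post or from any forum software): it lists every file or directory under a web root that "others" can write to, and resets the tree to the usual 755/644 baseline. The demo tree it builds under mktemp is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: find and fix world-writable
# (777 / 666) entries under a forum's web root, which the post warns against.
# Assumes POSIX sh with find, chmod and mktemp.

# List every file or directory under $1 that "others" may write to (o+w bit,
# octal 002). Returns 1 if anything was found, 0 if the tree is clean.
find_world_writable() {
    hits=$(find "$1" -perm -002 -print 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Baseline used by most PHP forum scripts: directories 755, files 644.
# Directories that must accept uploads can be opened selectively afterwards.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree (not a real install): a 777 upload dir and a 666 config.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads" "$d/includes"
    : > "$d/includes/config.php"; : > "$d/index.php"
    chmod 777 "$d/uploads"; chmod 666 "$d/includes/config.php"; chmod 644 "$d/index.php"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(make_demo_tree)
    echo "world-writable before:"; find_world_writable "$t" || true
    harden_tree "$t"
    echo "world-writable after:"; find_world_writable "$t" && echo "(none)"
    rm -rf "$t"
fi
```

      Run it with `--demo` to see the two offending entries before hardening and none after; point `find_world_writable` at your real document root to audit it.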

    • I would also suggest...
      1) Changing your SSH port from the default 22. Some admins say this is a waste of time, but changing the port may cause a script kiddie to not even attempt to get into your site if he can't get in from port 22.

      2) Lock down SSH logins. Turn off password authentication and use keys, and/or change your sshd_config file so that it only allows connections from your known IPs, with a limited number of user IDs, none of them being "root".

      Most hacking attempts will be based on vulnerabilities in the existing software codebase, so the OP's point of "make sure you're up to date" is the most important.
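      A check for the sshd_config settings listed above (an added example, not code from the reply's author or from OpenSSH): it reads the first effective value of each directive, as sshd itself does, and warns where the port is still 22, password logins are on, root may log in, or no AllowUsers list exists. The two sample configs it writes are constructed; the user names and the 203.0.113.10 address in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original reply: audit an sshd_config for the
# hardening the reply describes (non-default port, key-only logins, no root,
# allow-list of user IDs). Assumes POSIX sh with awk and mktemp.

# First effective value of directive $1 in file $2. sshd uses the FIRST
# occurrence of a keyword, so a later "PasswordAuthentication no" is ignored.
sshd_get() {
    awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !seen {
            $1 = ""; sub(/^[[:space:]]+/, ""); val = $0; seen = 1 }
        END { print val }' "$2"
}

# Print one OK/WARN line per check; the return value is the number of warnings.
audit_sshd_config() {
    cfg="$1"; warn=0
    port=$(sshd_get Port "$cfg"); pw=$(sshd_get PasswordAuthentication "$cfg")
    root=$(sshd_get PermitRootLogin "$cfg"); users=$(sshd_get AllowUsers "$cfg")
    [ -n "$port" ] && [ "$port" != 22 ] && echo "OK   Port $port" \
        || { echo "WARN Port is the default 22"; warn=$((warn+1)); }
    [ "$pw" = no ] && echo "OK   PasswordAuthentication no" \
        || { echo "WARN password logins still enabled"; warn=$((warn+1)); }
    [ "$root" = no ] && echo "OK   PermitRootLogin no" \
        || { echo "WARN PermitRootLogin is '${root:-default}', not no"; warn=$((warn+1)); }
    case " $users " in
        "  ")       echo "WARN no AllowUsers line: every account may log in"; warn=$((warn+1)) ;;
        *" root "*) echo "WARN AllowUsers includes root"; warn=$((warn+1)) ;;
        *)          echo "OK   AllowUsers $users" ;;
    esac
    return $warn
}

# Constructed sample configs (placeholder users/address): stock-style vs hardened.
write_weak_config() { printf '%s\n' '#Port 22' 'PasswordAuthentication yes' 'PermitRootLogin yes' > "$1"; }
write_hard_config() {
    printf '%s\n' 'Port 2222' 'PasswordAuthentication no' 'PermitRootLogin no' \
        'AllowUsers deploy@203.0.113.10 admin' 'PubkeyAuthentication yes' > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_weak_config "$f"; audit_sshd_config "$f"; echo "warnings: $?"
    write_hard_config "$f"; audit_sshd_config "$f"; echo "warnings: $?"; rm -f "$f"
fi
```

      The `user@host` form in AllowUsers is how sshd itself restricts a user ID to a known source address, which covers the "known IPs" part of point 2 without touching the firewall.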
    • Great article! I always worry about my blogs and forums being hacked. I don't know what it is but I always get the feeling that each time my sites go up in ranking, it is more of a threat they will get hacked. I guess that is why you want to use the best security at all times. I also agree about changing your password often. Better to be safe than sorry!
    • meetdilip wrote:

      Adding SSL is a nice solution. It will be something like standard practice very soon.

      SSL has been here for a long time and it's already standard practice when needed. It will not get any more popular; we're not going to see more websites using it. You can see SSL used in all eCommerce sites.
      You don't see SSL in eCommerce sites if they use third party payments - so the payment is not happening at their server. We could see an increase in this field only if SSL got cheaper and easier to set up. It's not an easy task for a newbie. However, these years will be more Shopify and other third party services years. So we're going to see more eCommerce based on that, and because of this trend there will be more eCom. sites that are not made by people themselves, so I don't expect SSL to rise in popularity or sales.
    • Rinalds wrote:

      You don't see SSL in eCommerce sites if they use third party payments - so the payment is not happening at their server.

      But potential customers don't necessarily know if the payment will take place in the website or a third party platform. I wouldn't buy anything from a website that doesn't encrypt my data.
    • Caribe_Soy wrote:

      Rinalds wrote:

      You don't see SSL in eCommerce sites if they use third party payments - so the payment is not happening at their server.
      But potential customers don't necessarily know if the payment will take place in the website or a third party platform. I wouldn't buy anything from a website that doesn't encrypt my data.

      A big chunk of people don't even know what SSL is and how to see if a website has it. There are way too many people who don't know how to check websites, and they believe all the banners that websites have put up saying "100% satisfaction 100% secure" etc.
      If anyone is using CSF (which several probably are, especially if using CentOS/CentMin), I have a list of over 7800 IPs to use in csfpre.sh (using ipset) to create a few rule sets. Two of the rule sets are from IPs (and CIDRs) that I've had multiple attempts to log into my mail service from, and the others are a list of IPs that have been shown to be used in WP-Pingback DDoS attacks.

      servinglinux.com/articles/entr…block-ip-s-via-csfpre-sh/
      Are you a Brother of the Briar?
      Or is Linux more to your speed?
