Since 2001 I’ve run online discussion forums. PhpBB was my first software but they had a major software exploitation back in December 2004 that brought down my forum network. The release of Phpbb 2 and 3 seemed to alleviate a lot of the problems, but in the meantime I switched many forums over to VBulletin.
I haven’t had my phpBB 2.x sites hacked but have had several hacks on VBulletin. They seem to have increased in 2011 with an almost monthly hack on one of my forums. Normally just kids having fun and reading instructions on how to hack using the latest software vulnerability in VBulletin 4.x. But in July 2011, for the first time, I had a hacker use one of my websites as a phishing site.
The phishing hackers exploit a discovered software vulnerability and upload files to your website to replicate other websites. In my case they uploaded folders to replicate the PayPal website. They probably sent out mass emails to innocent random people with links to login to PayPal. The link would take them to my website with a login that looked exactly like PayPal. For someone not internet savvy or a little sleepy – they might input their PayPal login info that the hackers can log.
Fortunately the files were on my server less than two hours before I was notified about it and files removed. Thanks to my host for that. I’m confident that no innocent people were harmed from my website but it was an unsettling event for me. These were not kids having fun. This was malicious and with thought-out bad intentions.
FYI – this did not happen here on my blog website or forum. It was on another unrelated website URL.
I had not taken steps in the past to secure my forums because I didn’t think it was needed. Here is a list of steps you can take to secure your VBulletin 3.x or 4.x forums. Any website can get hacked and this won’t make it into Fort Knox, but I’m told it can help keep the vanilla kid hackers out.
1. Always upgrade to the latest stable version.
2. Do not install any unofficial hacks or plugins as they are not written or reviewed by VBulletin developers.
4. Make sure the tools.php file is NOWHERE on your website.
5. Although this is only a potential problem if someone gets a hold of your customer number, you should remove the upgrade.php file in your located in the install directory.
6. Remove the ImpEx files if you had used this import system.
7. If you have phpMyAdmin make sure it’s password protected.
8. If you suspect a hacking attempt, ask your host to change the login password for your web account.
9. Make sure all the Admin and Mod passwords are secure. Change them if you have any doubts. And use hard to guess passwords.
10. Enable the ‘strikes’ system which will help thwart brute force password attempts:
Admin CP -> Settings -> Options -> General Settings -> Use Login “Strikes” System -> Yes
11. NEVER allow HTML in posts, PMs or in sigs.
12. Make absolutely sure there are no viruses, trojans or keylogger spyware on your PC. Any of these could steal your password and other personal info.
13. Do NOT upload the directory called do_not_upload/
14. Use a different password for each forum you sign up with. Use a different password for your forum as you do for the .htaccess directory password.
15. Update the config.php file and set yourself as undeletable user so they can’t touch your admin account.
16. If you are on a shared hosting server, make sure all your vBulletin PHP files are chmod 644
17. Every hacker knows the default paths to the vbulletin admincp and modcp control panels. www.yoursite.com/forum/admincp or www.yoursite.com/forum/modcp By knowing these paths, hackers by pass going through the forums first before attempting to hack into your admincp or modcp.
If you rename the admincp and modcp folders, they will have to hack your log in for the forums first before they are able to find these folders. You can rename these folders anything you like. Here are a couple of examples: www.yoursite.com/forum/firstcp and www.yoursite.com/forum/secondcp
Rename these two folders on your ftp site and change your config.php file to match the names of the new folders.
If you rename your admincp and modcp folders, you MUST change the names of the these in the config.php file to match what you renamed them.
18. If you have and the other admins have a unique IP address you can edit the .htaccess file in your admincp directory with:
order allow,deny allow from <your IP>
allow from <admin2’s IP>
deny from all
This way the directory should not load for anyone whose IP doesnt match this list.
19. Pick your staff members wisely. You give them access to more commands which allows them to harm your site. Super Moderators and Moderators have access to the modcp/ directory, but not the admincp/ directory.
Note your forums are only as secure as the passwords you use and the server it is on. If the server is accessed then there’s nothing vB can do to prevent potential security violations.