Alright, since I am a white hat I decided to make a tutorial on how to secure your forum. Following everything will not make your site impossible to hack, as anything can be hacked, however it will help cut down on script kiddies. This is not a copy and paste; I spent time writing it up, so it might have some grammatical errors. If you catch any, let me know. Any changes, just reply.
Staff - This is one of the biggest reasons why and how sites get hacked (little kids' favorite method). They will tell a staff member to sign up on their forum and phish their password. Tell all your staff members to use a separate password for your forum that is completely different from any other site they visit. Using a random character generator with no words makes a huge difference. Also set or remind your staff to change their password at least once every 60 days.
Admin Folder - Move the default admin folder. This means that if any admin account gets hacked at the forum level, the chance of them gaining admin CP access is greatly reduced, since they won't know where to go to reach the admin CP. Another option, which requires some work but would be helpful, is to keep the default admin login and save records of attempts, so you can see who is trying to access the admin CP. Another tip regarding the admin folder is to add a .htaccess with a username and password. This adds a second level of security. Give a separate one to each user who has admin CP access. You can also allow only certain IPs.
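As an added example (my own code, not from the original post or from vBulletin), here is a bash script that ties the Staff and Admin Folder tips together: it mints a random, word-free password for each admin, writes a .htaccess for a renamed admin CP directory with Basic auth plus an IP allowlist, and pulls the failed attempts on that directory out of the Apache access log. It assumes Apache 2.4 (the Require syntax) with the default combined log format; the directory name cp-x7k2, the .htpasswd path and every IP address are made-up sample values.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: lock a renamed admin CP
# directory behind HTTP Basic auth plus an IP allowlist, mint a random
# password per admin, and summarise failed attempts from the Apache log.
# Assumes Apache 2.4 ("Require" syntax) and its default combined log format.
# The directory name cp-x7k2 and every IP below are constructed sample values.
set -u

# gen_password LEN: random characters from /dev/urandom, no dictionary words.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*_+=' < /dev/urandom | head -c "${1:-20}"
}

# write_admin_htaccess DIR HTPASSWD_FILE [IP ...]
# Writes DIR/.htaccess. Keep HTPASSWD_FILE outside the web root and add one
# entry per admin with:  htpasswd -B -c HTPASSWD_FILE username
# (drop -c after the first user). With no IPs given, only the login applies.
write_admin_htaccess() {
  local dir="$1" passwd_file="$2"
  shift 2
  local ips="$*"
  {
    printf 'AuthType Basic\n'
    printf 'AuthName "Admin CP"\n'
    printf 'AuthUserFile %s\n' "$passwd_file"
    printf '<RequireAll>\n'
    printf '  Require valid-user\n'
    if [ -n "$ips" ]; then
      printf '  Require ip %s\n' "$ips"
    fi
    printf '</RequireAll>\n'
  } > "$dir/.htaccess"
}

# report_admin_attempts LOGFILE ADMIN_PATH
# Prints "<count> <ip>" for each client that got a 401/403 under ADMIN_PATH,
# busiest first. Apache records these by default, so this is the "save
# records of attempts" idea without touching the forum code.
report_admin_attempts() {
  local log="$1" path="$2"
  awk -v p="$path" '
    index($7, p) == 1 && ($9 == 401 || $9 == 403) { hits[$1]++ }
    END { for (ip in hits) print hits[ip], ip }
  ' "$log" | sort -rn
}

# Walkthrough on a throwaway directory and a constructed log.
demo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir -p "$tmp/cp-x7k2"
  write_admin_htaccess "$tmp/cp-x7k2" /etc/forum/.htpasswd 203.0.113.5
  printf 'password for first admin: %s\n' "$(gen_password 20)"
  cat "$tmp/cp-x7k2/.htaccess"
  cat > "$tmp/access.log" <<'EOF'
198.51.100.7 - - [10/Mar/2010:12:00:01 +0000] "GET /cp-x7k2/index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:12:00:02 +0000] "POST /cp-x7k2/index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:03 +0000] "GET /cp-x7k2/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
  report_admin_attempts "$tmp/access.log" /cp-x7k2/
  rm -rf "$tmp"
}

demo
```

The password file itself is created with htpasswd (Apache's own tool) and kept outside the web root; the script only writes the .htaccess that points at it. Point report_admin_attempts at your real access.log and the renamed admin path to see which addresses keep collecting 401s.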
Who Can Access - Based on WJunction and how members look for staff, be careful who can access the admin CP. Don't just give your forum power to anyone, no matter how trustworthy they seem.
Forum Mods/Add-ons - Be careful as to what you install. An example is the Inferno Shoutbox for vBulletin. Although it has great features, it not only uses a lot of your server's CPU, it is also exploitable. How to prevent this? Do some simple searching on whether the mod you're installing is exploitable.
Forum Upgrades - Always make sure you have the latest version of your forum script, as it will help prevent a lot of these exploits.
Remove Unneeded Files - A few examples: remove your install files and folders. A lot of sites don't do this, and it is a major mistake. If you're using vB, the whole install folder should be removed. Another example is the upgrade file on vB. It is only a problem if they get your vB customer number, but remove it just to be safe.
File Permissions - Make sure your chmod is 664 and nothing else. Leaving it at 777, which allows read, write and execute for everyone, is a bad idea.

Mr Happy said:
Along with removing the install folders, if (and I know most here are) using a nulled version of a script, make sure you remove the validate.php or keygen.php or any other files you used to install the site. More info from Litewarez here: http://www.wjunction.com/showthread.php?t=21057
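To put the Remove Unneeded Files and File Permissions tips into one runnable routine, here is an added bash example (my own, not the post's or vBulletin's code). It deletes the install folder and upgrade script, applies the 664 file mode the post recommends, and then audits the tree for anything still world-writable. The file names in the demo are a constructed layout, not vBulletin's real file list, so adjust the removal list to whatever your installer actually left behind.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: remove installer leftovers
# from a live forum tree, apply the 664 file mode the post recommends, and
# audit for anything still world-writable. The file names in the demo are a
# constructed layout, not vBulletin's exact file list.
set -u

# remove_install_files ROOT: delete the install folder and upgrade script.
# Prints what was removed so the run can be checked afterwards.
remove_install_files() {
  local root="$1" p
  for p in install upgrade.php; do
    if [ -e "$root/$p" ]; then
      rm -rf -- "$root/$p"
      printf 'removed %s\n' "$root/$p"
    fi
  done
}

# set_forum_perms ROOT: files become 664 (owner and group rw, others r).
# Directories get 755 rather than 664: a directory needs the execute bit to be
# traversable, so 664 on a directory would make the site unreadable.
set_forum_perms() {
  local root="$1"
  find "$root" -type f -exec chmod 664 {} +
  find "$root" -type d -exec chmod 755 {} +
}

# find_world_writable ROOT: lists every path that "others" can write to
# (777, 666 and friends). Empty output is what you want to see.
find_world_writable() {
  find "$1" ! -type l -perm -002
}

# Walkthrough on a throwaway tree with the classic 777 mistake planted in it.
demo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir -p "$tmp/install" "$tmp/includes"
  printf '<?php\n' > "$tmp/install/install.php"
  printf '<?php\n' > "$tmp/upgrade.php"
  printf '<?php\n' > "$tmp/includes/config.php"
  printf '<?php\n' > "$tmp/index.php"
  chmod 777 "$tmp/includes/config.php"
  echo "world-writable before:"; find_world_writable "$tmp"
  remove_install_files "$tmp"
  set_forum_perms "$tmp"
  echo "world-writable after:"; find_world_writable "$tmp"
  rm -rf "$tmp"
}

demo
```

Run find_world_writable on its own first and read the list before changing anything: an attachments or cache directory that the web server must write to needs group write for the server's group, not write for everyone, and you want to know about it before a blanket chmod.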
General - For posts, PMs and signatures, never allow any code other than BBCode. Allowing HTML can lead to problems. Forum attachments should only be allowed for staff. You should also keep daily backups. You never know when your forum can go down; your host can close at any time, or anything can happen.
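For the daily backups point, here is an added bash example (my own, not from the post or from any forum package) of a backup routine you can drop in cron: a date-stamped archive of the web root, a database dump that reads its credentials from a MySQL options file so the password never shows up on the command line, a listing check of the archive, and pruning of copies older than a retention window. The web root, database name, options file path and retention days are placeholders to replace with your own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: daily forum backup with a
# date-stamped archive of the web root, a database dump and retention pruning.
# Host, database and directory names below are constructed placeholders.
set -u

# backup_files WEBROOT DEST STAMP: gzip tarball of the whole forum tree.
backup_files() {
  local webroot="$1" dest="$2" stamp="$3"
  local out="$dest/files-$stamp.tar.gz"
  tar -czf "$out" -C "$(dirname "$webroot")" "$(basename "$webroot")"
  printf '%s\n' "$out"
}

# backup_db DBNAME CNF DEST STAMP: consistent dump of the forum database.
# CNF is an options file like ~/.my.cnf holding [client] user= / password=
# lines (mode 600), so credentials never appear in the process list.
backup_db() {
  local db="$1" cnf="$2" dest="$3" stamp="$4"
  local out="$dest/db-$stamp.sql.gz"
  mysqldump --defaults-extra-file="$cnf" --single-transaction "$db" | gzip > "$out"
  printf '%s\n' "$out"
}

# verify_backup ARCHIVE: an archive you never listed is one you cannot trust.
verify_backup() {
  tar -tzf "$1" > /dev/null
}

# prune_backups DEST DAYS: delete archives older than DAYS. Keep a copy off the
# host as well; a backup on the same box goes down with the box.
prune_backups() {
  local dest="$1" days="$2"
  find "$dest" -maxdepth 1 -type f \( -name 'files-*.tar.gz' -o -name 'db-*.sql.gz' \) \
       -mtime +"$days" -exec rm -f -- {} +
}

# Walkthrough on a constructed tree. The database step is shown commented out
# because it needs a live MySQL server and a real options file.
demo() {
  local tmp stamp archive
  tmp=$(mktemp -d)
  stamp=$(date +%Y-%m-%d)
  mkdir -p "$tmp/public_html/forum/includes" "$tmp/backups"
  printf '<?php\n' > "$tmp/public_html/forum/index.php"
  printf '<?php\n' > "$tmp/public_html/forum/includes/config.php"
  archive=$(backup_files "$tmp/public_html/forum" "$tmp/backups" "$stamp")
  verify_backup "$archive" && printf 'ok: %s\n' "$archive"
  # backup_db forum_db "$HOME/.my.cnf" "$tmp/backups" "$stamp"
  prune_backups "$tmp/backups" 14
  rm -rf "$tmp"
}

demo
```

Schedule it from cron once a day and copy the backups directory somewhere off the server afterwards; the prune step only keeps the local copies tidy. Try an actual restore onto a spare directory and database at least once, because the first time you discover a broken archive should not be the day the host disappears.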
Any suggestions on what I should add or fix, let me know. This covers all the basics.