How to protect your XenForo forum

  1. Brivium

    Brivium - Nov 5, 2014 XenForo Services Staff Member

    xenforo_security

    XenForo is becoming popular for building a community, so it is no surprise that a lot of hackers keep an eye on it. To keep your site out of the danger zone, today we introduce certain effective tips against hidden dangers.

    1. Update your XenForo site instantly
    Subscribe to XenForo Security updates via email or RSS feed. Update your site whenever a new release comes out. This should be done as soon as possible. A new release for XenForo also comes with an explanation of all the security holes that were fixed, thus giving hackers a roadmap for getting in. If you do nothing else, update your XenForo site as soon as possible.

    2. Change your Admin user
    The default ID for the admin user in XenForo is usually “admin”, “administrator” or “root”, and a hacker may use this to attack your site. To avoid this, do the following steps:
    • Log into the AdminCP
    • Switch to the tab Users > User Admin > Click on “Admin” and change the name in the username field.
    Note: You must enter the current password.

    3. Use a strong password and change it regularly
    Change your XenForo administrative passwords as well as your panel and FTP passwords. This is particularly important if you log in from different computers that other people have access to. Create unique passwords from a combination of upper- and lowercase letters, numbers and symbols. Besides that, change your username and password at least every 2 months.

    4. Don’t use the root user in MySQL as the user of your database
    You should always create a new database user when installing a new site, and give it rights to the new database only. This way, the user will only have access to the specific site. If not, one site can be hacked and the rest are wide open as well.

    5. Protect the admin.php file with .htpasswd
    Below we guide you through creating the .htpasswd file on two common hosting control panels (cPanel and DirectAdmin).
    A. With cPanel:
    • Log into cPanel
    • Choose "Password Protect Directories" >> "Web Root" >> Choose the parent folder of your site.
    • Tick "Password protect this directory"
    • In the section "Name the protected directory", fill in: Admin Control Panel Protected
    • Click Save.
    • In the "Create User" section, fill in your Username & Password.
    • Click "Add/modify authorised user"
    • Okay, so now you have a passwd file at: /.htpasswds/public_html/name_folder_forum
    B. With DirectAdmin:
    • Log into DirectAdmin
    • Choose "Password Protected Directories" >> "Find a Directory to Password Protect" >> Choose the parent folder of your site.
    • Tick "Protection Enabled".
    • Fill in the parameters: "Protected Directory Prompt" - "Set/Update User" - "Password" - "Re-Enter Password"
    • Click Save.
    • Okay, now you have a passwd file at: .htpasswd/public_html/name_folder_forum
    After you have created the htpasswd file above, open the .htaccess file (in the root folder of your forum) and find this code:
    Code:
    AuthGroupFile /dev/null
    AuthType Basic
    AuthUserFile path/to/passwd/file
    AuthName "ACP Protected"
    Require valid-user
    Replace with this code:
    Code:
    <Files admin.php>
    AuthType Basic
    AuthName "ACP Protected"
    AuthUserFile "path/to/passwd/file"
    Require valid-user
    </Files>
    Note: path/to/passwd/file will be of the form:
    - /home/demosite.org/domains/demosite.org/.htpasswd/public_html/.htpasswd (With Directadmin)
    - /home/demosite.org/.htpasswds/public_html/passwd (With cPanel)

    6. Protect the /install folder with .htpasswd
    Create a .htaccess file inside the /install folder with this code:
    Code:
    AuthType Basic
    AuthName "Install Protected"
    AuthUserFile "path/to/passwd/file"
    Require valid-user
    For path/to/passwd/file you could use the same htpasswd file used to protect admin.php above, or create a new account.

    7. Using an IP address to protect the admin.php file and the /install folder
    You could use your IP address to protect admin.php and the /install folder instead of using a passwd file. In this case, you need to change the .htaccess file (in the root folder of your site) to protect admin.php like this:
    Code:
    <Files admin.php>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    </Files>
    And create a .htaccess file in the /install folder like below:
    Code:
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Replace 127.0.0.1 with your current IP address. You could go to http://whoer.net to check your IP address.
    You could add more IP addresses by adding this line:
    Code:
    Allow from 127.0.0.1
    There is a problem here: the code above only works if your IP address is a static IP address. If you use a dynamic IP, instead of updating the IP address in the .htaccess file on every IP address change, you could add a line to the .htaccess file like:
    Code:
    Allow from 127.0
    where 127.0 is the first two octets of your IP address.

    8. Using the Account Security Essential add-on for your safety
    If you are afraid of any hazards affecting your admin account as well as your member accounts, we suggest you use the “Account Security Essential” add-on (you could get it here: https://brivium.com/resources/account-security-essential.118/).
    Account Security Essential is a tool providing you methods to keep your accounts and your members' accounts safe by adding many extra layers of protection to prevent unauthorized visitors from accessing forum accounts.
    You could prevent or delay access because of an unidentified IP address or whenever a customer tries to change any security information. Brivium provides you 4 methods to keep safe: Google Authenticator, IP Address, Secret Question and Email Sending Code.
    - Google Authenticator restricts your account so it can only be logged into by entering exactly your username, password and the code generated within the previous 30 seconds on your phone.
    - IP Address is a protection method which uses the recognition system to identify your IP address and check whether it is trusted.
    - Secret Question is a protective system. Following that, we offer you a list of secret questions and you can choose to set up protection based on your answers to each question.
    - Email OTP is the newest account recognition system for security. Through your registered email, we send you a code which is generated by an automatic system as soon as you log into your account.

    9. Create a Back-up Plan for your site
    This is so crucial. You never expect to be hacked, but when you are, a backup of your site could get you up and running within an hour. Check to see if your hosting company does daily or weekly backups. Even if they do, it's better insurance to take your own backup of the site. You can do this manually by copying down the files and exporting a copy of the MySQL database. It's easier to use a 3rd party backup extension like CodeGuard.

    These are 9 tips for protecting your XenForo. If you have any useful tips, do not hesitate to share them with us through the comment box below.
     
    Last edited: Nov 5, 2014
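    The IP rules in step 7 use Apache's `Order Deny,Allow` form, where a partial address such as `127.0` matches every address that shares those leading octets. The following added Python evaluator (not part of the original post; the rules and client addresses are constructed, IPv4 only) applies those semantics so you can check how much a partial-octet Allow really opens up and what happens when `Deny from all` is left out.

```python
import ipaddress

# Constructed rules in the shape of step 7's <Files admin.php> block.
# Apache's partial-address form ("Allow from 127.0") matches every address
# whose leading octets agree, i.e. "127.0" is the whole of 127.0.0.0/16.
ADMIN_RULES = [
    ("Deny", "all"),
    ("Allow", "203.0.113.7"),   # one static admin address (constructed)
    ("Allow", "198.51.100"),    # partial address: all of 198.51.100.0/24
    ("Allow", "10.8.0.0/24"),   # CIDR form, which Allow/Deny also accept
]

def _matches(pattern, ip):
    """True if an Allow/Deny pattern (all, full IP, partial IP, CIDR) covers ip."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) == 4:
        return ip == ipaddress.ip_address(pattern)
    # Partial address: zero-pad to four octets and treat it as a /8, /16 or /24.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ip in ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def allowed(client_ip, rules):
    """Apply 'Order Deny,Allow': Deny lines are evaluated first, any matching
    Allow line overrides them, and a client matched by neither is permitted."""
    ip = ipaddress.ip_address(client_ip)
    denied = any(_matches(p, ip) for d, p in rules if d == "Deny")
    permitted = any(_matches(p, ip) for d, p in rules if d == "Allow")
    return permitted or not denied

def prefix_size(pattern):
    """How many addresses a partial 'Allow from' pattern lets through."""
    return 2 ** (8 * (4 - len(pattern.split("."))))

if __name__ == "__main__":
    for client in ("203.0.113.7", "203.0.113.8", "198.51.100.250", "10.8.1.1"):
        print(client, "allowed" if allowed(client, ADMIN_RULES) else "denied")
    # Without "Deny from all" the default of Order Deny,Allow lets everyone in.
    print("no Deny line:", allowed("192.0.2.1", [("Allow", "127.0.0.1")]))
    print("'Allow from 127.0' admits", prefix_size("127.0"), "addresses")
```

    On Apache 2.4 (the version Ubuntu 14.04 ships) the Order/Deny/Allow directives only work when mod_access_compat is loaded; the native 2.4 equivalent is `Require ip 203.0.113.7 198.51.100`, which accepts the same full, partial and CIDR address forms.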
  2. Brillias

    Brillias - Apr 5, 2015 New Member VIP Member

    Very useful information! Thank you.
     
    #2
  3. oO5 Dynasty

    oO5 Dynasty - Nov 27, 2015 New Member

    That's a ton of steps, I would need somebody to take care of this for me.
     
    #3
  4. Adzkii

    Adzkii - Dec 15, 2015 New Member

    The IP deny doesn't work for me :( Any help?
     
    #4
  5. Brivium

    Brivium - Dec 15, 2015 XenForo Services Staff Member

    What webserver are you using?
     
    Adzkii likes this.
    #5
  6. Adzkii

    Adzkii - Dec 16, 2015 New Member

    Apache2 latest version, Ubuntu 14x
     
    #6
  7. moby2006

    moby2006 - Dec 16, 2015 New Member VIP Member

    Hello, very informative, I have implemented it and it works just fine,
    except without adapting the IP, only .htaccess and .htpasswd.
    Thank you
     
    Adzkii likes this.
    #7