XenForo is becoming popular for building a community, so it is no surprise that a lot of hackers keep an eye on it. To keep your site out of the danger zone, today we introduce some effective tips against hidden dangers.

1. Update your XenForo site instantly

Subscribe to XenForo security updates via email or RSS feed. Update your site whenever a new release comes out, as soon as possible. A new XenForo release also comes with an explanation of all the security holes that were fixed, giving hackers a roadmap for getting in. If you do nothing else, update your XenForo site as soon as possible.

2. Change your Admin user

The default username for the admin user in XenForo is usually "admin", "administrator" or "root", and a hacker may use this to attack your site. To avoid this, do the following:
- Log into the AdminCP.
- Switch to the tab User > User Admin, click on "Admin" and change the username.
Note: you must enter the current password.

3. Use a strong password and change it regularly

Change your XenForo administrative password as well as your hosting panel and FTP passwords. This is particularly important if you log in from computers that other people have access to. Create a unique password from a combination of upper- and lowercase letters, numbers and symbols. Besides that, change your username and password at least every 2 months.

4. Don't use the MySQL root user as the user of your database

Always create a new database user when installing a new site, and grant it rights to the new database only. This way, the user only has access to that specific site. Otherwise, if one site is hacked, the rest are wide open as well.

5. Protect admin.php with .htpasswd

Below we guide you through creating the .htpasswd file on the two most common hosting control panels (cPanel and DirectAdmin).

A. With cPanel:
- Log into cPanel.
- Choose "Password Protect Directories" >> "Web Root" >> choose the parent folder of your site.
- Tick "Password protect this directory".
- In the section "Name the protected directory", fill in: Admin Control Panel Protected
- Click Save.
- In the "Create User" part, fill in your username and password.
- Click "Add/modify authorised user".
Okay, so now you have a passwd file at: /.htpasswds/public_html/name_folder_forum

B. With DirectAdmin:
- Log into DirectAdmin.
- Choose "Password Protected Directories" >> "Find a Directory to Password Protect" >> choose the parent folder of your site.
- Tick "Protection Enabled".
- Fill in the parameters: "Protected Directory Prompt" - "Set/Update User" - "Password" - "Re-Enter Password"
- Click Save.
Okay, now you have a passwd file at: .htpasswd/public_html/name_folder_forum

After you have created the htpasswd file above, open the .htaccess file (in the root folder of your forum) and find this code:
Code:
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile path/to/passwd/file
AuthName "ACP Protected"
Require valid-user

Replace it with this code:
Code:
<Files admin.php>
AuthType Basic
AuthName "ACP Protected"
AuthUserFile "path/to/passwd/file"
Require valid-user
</Files>

Note: path/to/passwd/file will be of the form
- /home/demosite.org/domains/demosite.org/.htpasswd/public_html/.htpasswd (with DirectAdmin)
- /home/demosite.org/.htpasswds/public_html/passwd (with cPanel)

6. Protect the /install folder with .htpasswd

Create a .htaccess file inside the /install folder with this code:
Code:
AuthType Basic
AuthName "Install Protected"
AuthUserFile "path/to/passwd/file"
Require valid-user

For path/to/passwd/file you can use the same htpasswd file used to protect admin.php above, or create a new account.

7. Using IP addresses to protect admin.php and the /install folder

You can use an IP address to protect admin.php and the /install folder instead of a passwd file.
In this case, you need to change the .htaccess file (in the root folder of your site) to protect admin.php like this:
Code:
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>

And create a .htaccess file in the /install folder like this:
Code:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Replace 127.0.0.1 with your current IP address. You can visit http://whoer.net to check your IP address. You can add more IP addresses by adding another line like this:
Code:
Allow from 127.0.0.1

There is one problem here: the code above only works if your IP address is a static IP. If you use a dynamic IP, instead of updating the IP address in the .htaccess file every time it changes, you can add a line like this to the .htaccess file:
Code:
Allow from 127.0

where 127.0 is the first two octets of your IP address.

8. Using the Account Security Essential add-on for your safety

If you are afraid of any hazards affecting your admin account as well as your member accounts, we suggest you use the "Account Security Essential" add-on (you can get it here: https://brivium.com/resources/account-security-essential.118/). Account Security Essential is a tool providing methods to keep your accounts and your members' accounts safe by adding many extra layers of protection to prevent unauthorized visitors from accessing forum accounts. You can block or delay a login from an unidentified IP address, or whenever a user tries to change any security information. Brivium provides 4 methods to keep you safe: Google Authenticator, IP Address, Secret Question and Email Sending Code.
- Google Authenticator restricts your account so it can only be logged into by entering your exact username, password and the code shown on your phone, which changes every 30 seconds.
- The IP Address method uses the recognition system to identify your IP address and check how trusted it is.
- Secret Question is a protective system.
Following that, we offer you a list of secret questions and you can choose a privacy system based on your answers to each question.
- Email OTP is the newest account recognition system for security. Through your registered email, we send you a code generated by an automatic system as soon as you log into your account.

9. Create a backup plan for your site

This is crucial. You never expect to be hacked, but when you are, a backup of your site could get you up and running within an hour. Check whether your hosting company does daily or weekly backups. Even if they do, it is better insurance to take your own backup of the site. You can do this manually by copying down the files and exporting a copy of the MySQL database. It is easier to use a third-party backup extension like CodeGuard.

These are 9 tips for protecting your XenForo site. If you have any useful tips, do not hesitate to share them with us through the comment box below.
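To check what the IP rules from tip 7 actually admit, here is an added example (not from the original post or from any Brivium code) that parses the <Files admin.php> stanza and evaluates client addresses with the Apache 2.2 Order/Deny/Allow semantics the post relies on; the .htaccess text and the IP addresses in it are constructed samples. It also counts how many addresses a partial prefix such as "Allow from 127.0" admits, since that one line opens a whole /16 to the admin panel, and it assumes Apache 2.2 syntax (Apache 2.4 expresses the same rules with "Require ip" unless mod_access_compat is loaded).

```python
import ipaddress
import re

# Constructed sample: the admin.php stanza from tip 7 with one full address and a two-octet prefix.
SAMPLE_HTACCESS = """\
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from 203.0.113.7
Allow from 198.51
</Files>
"""
def parse_files_rules(htaccess, filename="admin.php"):
    """Return (order, deny_patterns, allow_patterns) from the <Files filename> block, or None."""
    block = re.search(r"<Files\s+%s>(.*?)</Files>" % re.escape(filename), htaccess, re.S | re.I)
    if not block:
        return None
    order, deny, allow = "deny,allow", [], []  # Apache's default Order is Deny,Allow
    for line in block.group(1).splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1].lower()
        elif directive == "deny" and parts[1].lower() == "from":
            deny += parts[2:]
        elif directive == "allow" and parts[1].lower() == "from":
            allow += parts[2:]
    return order, deny, allow
def host_matches(pattern, client_ip):
    """Apache 2.2 host pattern: 'all', a CIDR block, or a dotted IP; a partial IP matches whole octets."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    return client_ip.split(".")[:len(octets)] == octets
def is_allowed(rules, client_ip):
    """Deny,Allow: an Allow overrides a Deny and unmatched clients pass; Allow,Deny: Deny wins, unmatched fail."""
    order, deny, allow = rules
    denied = any(host_matches(p, client_ip) for p in deny)
    allowed = any(host_matches(p, client_ip) for p in allow)
    return (allowed and not denied) if order == "allow,deny" else (allowed or not denied)
def addresses_admitted(pattern):
    """Number of IPv4 addresses one Allow pattern admits: '198.51' opens a whole /16 (65536)."""
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=False).num_addresses
    return 256 ** (4 - len(pattern.split(".")))
```

Run is_allowed against the addresses you expect to log in from and a few you do not; the addresses_admitted count makes the trade-off of the dynamic-IP shortcut visible before you commit it to the live .htaccess.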