Hacking phpBB - Forums Help - vBulletin, IPB, phpBB, SMF skins and community

Hawkstra · 10-17-2006, 09:07 PM

You may here a lot from people saying that phpBB gets hacked more than any other forums or not.

I thought I should tell you all who dont know or heard that, just like *any* software (Windows, Macs, media players, even Linux, etc.), if you don't keep the software up-to-date, then you could be hacked. Whenever a security hole is found in phpBB an update is quickly released. If you update as soon as they come out, you will be very safe from hackers.

Also there are alot of people hosting themselves who do not know how to configure server software securely which also adds to the risk

Besides not being up to date, phpBB got hacked a lot is because of its success.
A lot of script kiddies can play with this gpl code. But, on the other hand, since fixes are released, we end up with a pretty secure script (more than if no one had tested the security that much Wink

The minimal advice is to be up to date since everytimes a security hole is found, the fix suggest where to look for, so it's even easyer to hack old version after an upgrade, but if you keep on being up to date at least you won't be hacked for know issues.

Then .htpasswd is welcome to be in your admin folder (personnaly I also restrict it to only accept my personal ip since it's static).

Best is to add .htaccess with good old "deny from all" in db/ and includes/ folders.

But this only apply to apache servers.

Playing with more personnal redirections can also help out to disallow remote use of php scripts or to use custom error pages that inform eventual testers that you care about security (mine also hadle banned ip so that to many bad tryes lead to a ban, banned ip connection attemps to a message telling next time it will be reported to the ip provider, guess what none came back twice Wink ).

But there is nothing better than regular backups, so that the worst that can happend is to be offline the time to reinstall everything (15 min with good backups) in case of hack.

Ipb, vBulletin, phpBB, and all the others can get hacked. Anything can get hacked.

Hawkstra · 10-17-2006, 09:15 PM

Adam,

Move this thread into phpBB forum and delete this post.

Thanks,
Hawkstra

Mike · 11-09-2006, 12:28 PM

wow. thanks for that informative post! I used to use phpbb alot but because of the hacking problems, I finally decided that it wasnt worth the risk anymore. Maybe I will give it a shot again and try what youve suggested here.

Troy · 11-12-2006, 11:04 AM

I was thinking of trying out the other forum types they got out, aside from my Vbulletin one soon. Thanks for the heads up, Hawk. I will always keep this one up to speed.

10-17-2006, 09:07 PM	#1 (permalink)
User Profile Hawkstra Member Join Date: Oct 2006 Location: USA - California Age: 16 Posts: 98 Total Points: 912 Donate My Zoints Profile My Photos: (0) My Mood:	Hacking phpBB You may here a lot from people saying that phpBB gets hacked more than any other forums or not. I thought I should tell you all who dont know or heard that, just like any software (Windows, Macs, media players, even Linux, etc.), if you don't keep the software up-to-date, then you could be hacked. Whenever a security hole is found in phpBB an update is quickly released. If you update as soon as they come out, you will be very safe from hackers. Also there are alot of people hosting themselves who do not know how to configure server software securely which also adds to the risk Besides not being up to date, phpBB got hacked a lot is because of its success. A lot of script kiddies can play with this gpl code. But, on the other hand, since fixes are released, we end up with a pretty secure script (more than if no one had tested the security that much Wink The minimal advice is to be up to date since everytimes a security hole is found, the fix suggest where to look for, so it's even easyer to hack old version after an upgrade, but if you keep on being up to date at least you won't be hacked for know issues. Then .htpasswd is welcome to be in your admin folder (personnaly I also restrict it to only accept my personal ip since it's static). Best is to add .htaccess with good old "deny from all" in db/ and includes/ folders. But this only apply to apache servers. Playing with more personnal redirections can also help out to disallow remote use of php scripts or to use custom error pages that inform eventual testers that you care about security (mine also hadle banned ip so that to many bad tryes lead to a ban, banned ip connection attemps to a message telling next time it will be reported to the ip provider, guess what none came back twice Wink ). But there is nothing better than regular backups, so that the worst that can happend is to be offline the time to reinstall everything (15 min with good backups) in case of hack. Ipb, vBulletin, phpBB, and all the others can get hacked. Anything can get hacked. __________________ Hawkstra Last edited by Hawkstra : 10-17-2006 at 09:10 PM.

10-17-2006, 09:15 PM	#2 (permalink)
User Profile Hawkstra Member Join Date: Oct 2006 Location: USA - California Age: 16 Posts: 98 Total Points: 912 Donate My Zoints Profile My Photos: (0) My Mood:	Adam, Move this thread into phpBB forum and delete this post. Thanks, Hawkstra __________________ Hawkstra

11-12-2006, 11:04 AM	#4 (permalink)
User Profile Troy Junior Member Join Date: Sep 2006 Posts: 10 Total Points: 92 Donate My Zoints Profile My Photos: (0)	I was thinking of trying out the other forum types they got out, aside from my Vbulletin one soon. Thanks for the heads up, Hawk. I will always keep this one up to speed. __________________

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

11-09-2006, 12:28 PM	#3 (permalink)
User Profile Mike Junior Member Join Date: Sep 2006 Posts: 11 Total Points: 314 Donate My Zoints Profile My Photos: (0)	wow. thanks for that informative post! I used to use phpbb alot but because of the hacking problems, I finally decided that it wasnt worth the risk anymore. Maybe I will give it a shot again and try what youve suggested here.