Hardening MyBB security and protecting it from hackers.
Change the default address of Admin CP (control panel)
The default address of the MyBB Admin CP is http://example.com/admin.
Log in to your file manager via your hosting panel or with an FTP client such as FileZilla.
Once logged in, open the directory named inc, which is in the root directory (or wherever you have installed MyBB).
On a fresh MyBB installation the file inside inc may still be named config.default.php; in that case rename it to config.php.
Edit the file named config.php
Inside config.php, find the line $config['admin_dir'] = 'admin'; Here admin is the name of the default admin directory, which determines the link to the admin control panel (http://example.com/admin by default). Change the value from admin to something less obvious.
For example, I change it to $config['admin_dir'] = 'nature125';
After this go into the root directory or the directory where you have installed mybb.
Rename the admin directory to exactly the name you specified in $config['admin_dir'] = 'nature125'; that is, instead of admin, in my case it becomes nature125.
My new admin login link is now http://example.com/nature125
Hide Admin control panel Links
When you log in to your forum with your admin account from the front end, you may see a link to the Admin Control Panel; it should be hidden from the front end.
Go into the directory named inc, which is in the root directory (or wherever you have installed MyBB).
Edit the file named config.php
If the file contains $config['hide_admin_links'] = 0; change it to $config['hide_admin_links'] = 1;
Deny access to directories
/inc
/admin/inc
/admin/modules
If you have renamed the admin directory, use your custom name in place of admin.
Create a .htaccess file containing the single line Deny from all and upload it into each of the three directories listed above (on Apache 2.4 and later, the equivalent directive is Require all denied, though the old form still works when mod_access_compat is loaded).
Configuring an Admin CP PIN
Go into the inc directory, which is in the root directory (or wherever you have installed MyBB), and edit the file named config.php.
Find $config['secret_pin'] and set it:
$config['secret_pin'] = 'your secret pass or pin';
For example, with $config['secret_pin'] = 'xsecret18'; xsecret18 will be my secret PIN.
Once a secret PIN is set in config.php, a secret PIN field appears when you try to log in as admin, providing additional security. The secret PIN feature was added in MyBB 1.8; older versions do not have it.
Deny access to Global.php
In the main .htaccess file, which is in your root directory (or wherever you have installed MyBB), paste the following block at the end of the file:
<files global.php>
Order deny,allow
Deny from all
</files>
Password protected directories
Password protection via HTTP basic authentication (often called htpasswd protection, after the file that stores the credentials) restricts access to a directory. In the case of MyBB you can protect the admin directory, or whatever you have renamed it to.
If you are able to configure it, it provides an extra layer of security in front of the Admin CP login.
The method to enable it varies across hosts and control panels; ask your hosting provider or check their tutorial or manual on how to enable it.
For Siteground http://www.siteground.co.uk/tutorials/cpanel/pass_protected_directories.htm
For Dreamhost http://wiki.dreamhost.com/Password-protecting_directories
Delete the install directory
After you have successfully installed MyBB, delete the install directory.
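The steps above (renamed admin directory, hidden admin links, secret PIN, .htaccess in the three denied directories, the global.php block, and the removed install directory) can be checked in one pass with a small audit script. This is an added example, not MyBB's own code; it assumes a config.php with one scalar $config[...] setting per line, and builds a constructed sample tree to run against.

```python
import os
import re
import tempfile

# Matches top-level settings such as $config['admin_dir'] = 'nature125'; or ... = 1;
CONFIG_RE = re.compile(r"\$config\['(\w+)'\]\s*=\s*(?:'([^']*)'|(\d+))\s*;")

def parse_config(text):
    """Return the scalar $config[...] settings in an inc/config.php as a dict."""
    return {k: int(n) if n else s for k, s, n in CONFIG_RE.findall(text)}

def audit(root):
    """Check a MyBB root against the checklist above; returns the failed items."""
    cfg_path = os.path.join(root, "inc", "config.php")
    if not os.path.isfile(cfg_path):
        return ["inc/config.php is missing (still named config.default.php?)"]
    cfg = parse_config(open(cfg_path).read())
    admin = cfg.get("admin_dir", "admin")
    ht = os.path.join(root, ".htaccess")
    denied = ("inc", admin + "/inc", admin + "/modules")  # directories that must be denied
    checks = [
        (admin == "admin", "admin_dir is still the default 'admin'"),
        (not os.path.isdir(os.path.join(root, admin)), f"no '{admin}/' directory; rename admin/ to match"),
        (cfg.get("hide_admin_links") != 1, "hide_admin_links is not 1"),
        (not cfg.get("secret_pin"), "secret_pin is empty"),
        (os.path.isdir(os.path.join(root, "install")), "install/ directory still present"),
        (not (os.path.isfile(ht) and "global.php" in open(ht).read().lower()),
         "root .htaccess has no <files global.php> block"),
    ] + [(not os.path.isfile(os.path.join(root, d, ".htaccess")), f"no .htaccess in {d}/") for d in denied]
    return [msg for failed, msg in checks if failed]

def write(root, rel, text):
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)

def make_sample(hardened):
    """Write a constructed MyBB-like tree (not a real install) to a temp dir."""
    root = tempfile.mkdtemp()
    admin, pin = ("nature125", "xsecret18") if hardened else ("admin", "")
    for d in ["inc", admin + "/inc", admin + "/modules"] + ([] if hardened else ["install"]):
        os.makedirs(os.path.join(root, d))
    write(root, "inc/config.php", f"<?php\n$config['admin_dir'] = '{admin}';\n"
          f"$config['hide_admin_links'] = {int(hardened)};\n$config['secret_pin'] = '{pin}';\n")
    if hardened:  # the hardened tree also carries the .htaccess files the text calls for
        for d in ("inc", admin + "/inc", admin + "/modules"):
            write(root, d + "/.htaccess", "Deny from all\n")
        write(root, ".htaccess", "<files global.php>\nOrder deny,allow\nDeny from all\n</files>\n")
    return root
```

Run audit() against your real forum root (for example audit("/var/www/forum")); an empty list means every item on this checklist passed.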
Keep your forum up to date
Always install updates as soon as they are available, because updates include important security patches.
Disallow HTML in Posts
In the Admin CP, under the Forums & Posts section, there is an option to allow HTML in posts. It is disabled by default; you should not enable it.
Hide the version number
Displaying which MyBB version you’re running is essentially the same as yelling “hey, I’m running this specific version, which contains these specific vulnerabilities”. If you’re running on the latest version, it’s probably nothing to worry about, but there is simply no point in displaying it. To hide it go to Admin Control Panel > Configuration > Settings > Site Details > Show Version Numbers > Off.
Minimize Installed Plugins
Don’t install plugins that are very old, and keep the number of plugins to a minimum. The more plugins you have installed, the more code hackers can exploit. Most plugins are fairly secure, but if one of them has a vulnerability, hackers can take advantage of it to gain access to your forum. For that simple reason it is highly recommended to keep the number of plugins to a minimum and only install those you really need. It’s also worth considering the popularity and the author of the plugin.
Backup Regularly
Back up your forum regularly. If something goes wrong, or a hacker gains unauthorized access to your forum and deletes everything, a local copy of the backup lets you restore the forum.