phpBB Security Best Practices

Talk about HTML resources, styles etc.
Post Reply
User avatar
grelmar
Human Abacus
Posts: 474
Joined: Fri Dec 26, 2003 3:18 am
Location: Calgary, Alberta, Canada
Contact:

phpBB Security Best Practices

Post by grelmar » Fri Dec 24, 2004 11:28 pm

This article recently made the cover of www.webmasterworld.com - and is being reprinted here by permision of encyclo, of www.encyclo.ca - the author of the article. Thanks to him for giving his permision to re-post the article here.

If you were to follow the guidelines he presents, you would have been immune to the recent Santy worm outbreak, not to mention your board will be much easier to maintain and moderate in the long run.
...Security is not just protecting your forum against specific hacks, but also reducing or eliminating other menaces - not just to the software, but also the personal data and information contained within, as well as the integrity of your community and member list. Problems include email address harvesting, automated signups, dropping links, member list abuses and other such annoyances which take up valuable moderator and admin time.

So, what are the most important steps you should be taking as a forum administrator when securing your installation? Here are a few ideas:

1. Installation Security

1.1 Keeping informed

The first important step to take is to make sure your installation is fully patched and up to date at all times. To do this, you need to subscribe to the appropriate phpBB mailing lists, as well as monitor the phpbb.com site as well as the phpBB Sourceforge page.

Currently, although there is a "phpbb-announce" mailing list at Sourceforge, it is unused by the developers - which is very unfortunate. The current recommended way of getting notifications of new releases is to to use the "Monitoring" feature at Sourceforge. According to the phpbb.com site, the notification process is going to be improved in the near future - which will be a very good thing, as the current method is clearly insufficient.

1.2 Installing the updates

The phpBB documentation is excellent in this regard, so there is very little to add. There are always three different versions available for each update - Full Version, Changed Files Only and a patch file. The names are self-explanatory, but make sure you fully read and understand the documentation before you go ahead. The patch file is the most powerful of the three, especially if you have a heavily-modified board, but you will need command-line access to your server as well as some knowledge of using Unix commands.

The key to a successful update is documentation. When you modify your board, it is vital to document every change you make, however minor. That means, when it comes to update time, if you have to rebuild your board from scratch by reapplying the mods to the basic board, you will be able to do so much more easily.

2. Mods

2.1 Choosing the right mods

Choosing mods from unreliable sources, or using untested or unverified mods can be dangerous: unless you are an expert in PHP you can't be sure of their reliability, security or even whether there are backdoors intentionally inserted by the mod developers. Unless you are sure of the source or you really know what you are doing, you should stick to the mods listed in the phpbb.com mod database - in particular, those mods which have been reviewed and approved by the phpBB Security Team. Bear in mind that even approved mods might still contain security holes, and these are not patched within the main reease - so make sure you regularly check the database for new versions of the mods you use, and if possible, sign up to the mod developer's mailing list if they have one.

2.2 Don't over-modify

Every mod you add to your basic installation, the more complex becomes the update process. So, along with choosing your mods carefully, only use mods that you need rather than adding everything including the kitchen sink.

I should also mention style templates: usually, style templates don't pose a security risk in themselves (although there are a lot of pre-built templates which are of poor quality, with broken markup and incorrect image paths). However, the more templates you have, the longer it takes to do an update - it is a pain to manually alter a dozen template files with every update. Stick to the minimum number you feel is required for your board.

3. Modifications you can make

There are some changes you can make to your phpBB installation to better secure it against attack by spambots, automated signups, etc. This is not a comprehensive list:

3.1 CAPTCHA image verification

phpBB version 2.0.11 onwards uses the CAPTCHA image verification system which requires a new member to enter a set of letters and numbers from a generated image before being able to sign up. Switch it on in the Admin Control Panel under in the Configuration menu (thanks to androidtech for the reminder). If and only if you have a significant membership comprising the visually-disabled, then there are mods available to slightly alter the signup process enough to fool most bots. This will kill automated signups stone dead. You will still have the problem of manual spam signups, but we're getting to that... ;)

3.2 memberlist.php

The standard phpBB installation includes a file called "memberlist.php" which (guess what!) provides a full list of the members of the board. By default, this is readable by all (not just members).

The presence of this page is one of the big motivators for spam signups: the page is a great way for the unscrupulous to get a load of backlinks to their site(s) via the link in the member profile which is displayed on this page. Often, the signups will use names starting with exclamation marks so as to get on the first page of the list.

Rather than modifying or hiding this page, I propose simply to get rid of it altogether. Once you have more than about 50 members, the page is unusable by real visitors - it is just too inefficient for finding information. On a busy board, it is a total waste of bandwidth, and only serves as spam-bait. What's more, your member list is precious information - why give it away to anyone? Your real users can still get at all the information they want for another user by viewing that member's profile via the link next to one of their posts. Of course, if anyone signs up and doesn't post, their profile is unlinked - so even if they have put a link to their site in their profile, it is not visible.

Here's how to get rid of it simply:

1. Install the "User List" mod from the phpBB mod database. This will give the forum administrators a full member list within the admin control panel for easy maintenance.
2. Edit the template file overall_header.tpl and remove the link and image for the member list.
3. Delete memberlist.php from your server, burn all copies, ban it in robots.txt and if you are feeling so inclined, replace it with a spider trap.

If for some unfathomable reason, you are getting referrals directly to your memberlist.php page from the SEs, then redirect it to a more appropriate page, or the forum index.

3.3 Basic settings

The following modifications don't directly affect the real, direct security of the forum, but will help the admins as well as the users.

# Disallow all HTML at all times. No exceptions, ever.

# Disallow remote avatars.

# Require user email address verification before being able to sign in.

# Edit overall_footer.tpl and remove the version number (as suggested by webwit). Make sure, however, that you always fully respect the license requirements for the software by leaving at least the minumum required link to the phpBB site: it's a minuscule price to pay for the forum software and it is respectful to the developers. The version number will still display at the foot of the pages in the admin control panel.

3.4 Editing templates

You should edit the style templates to reduce the information displayed by default when a user is not logged in to the system. You should make the following available only to those who are logged in:

1. Members currently online
2. Newest member
3. Search
4. All member avatars and signatures
5. All member profiles

On my board, the only header links are for the FAQ, Register and Login.

Using some of the SEO mods not only greatly improve usability (as well as spiderability), they can help in other ways too. On new boards (ie. boards which have not been indexed yet), then you should look at using mod_rewrite to change the default file names. Why? Want a good list of phpBB forums on which to try out your 7337 haxor skills? Do a Google search for "viewtopic.php".

4. Conclusion

This list is primarily aimed at phpBB users, but much of it applies to users of other boards too. The basic rules are: keep things updated, keep thigs simple, put barriers to spamming and hacking attempts and reduce the level of interest for your board to anyone other than your intended audience.

mgraves
web counter beginner
Posts: 1
Joined: Sat Mar 20, 2010 9:01 pm

Re: phpBB Security Best Practices

Post by mgraves » Sat Mar 20, 2010 9:06 pm

grelmar wrote:This article recently made the cover of http://www.webmasterworld.com - and is being reprinted here by permision of encyclo, of http://www.encyclo.caBest Free Web Hosting - the author of the article. Thanks to him for giving his permision to re-post the article here.
If you were to follow the guidelines he presents, you would have been immune to the recent Santy worm outbreak, not to mention your board will be much easier to maintain and moderate in the long run.
...Security is not just protecting your forum against specific hacks, but also reducing or eliminating other menaces - not just to the software, but also the personal data and information contained within, as well as the integrity of your community and member list. Problems include email address harvesting, automated signups, dropping links, member list abuses and other such annoyances which take up valuable moderator and admin time.
So, what are the most important steps you should be taking as a forum administrator when securing your installation? Here are a few ideas:
1. Installation Security
1.1 Keeping informed
The first important step to take is to make sure your installation is fully patched and up to date at all times. To do this, you need to subscribe to the appropriate phpBB mailing lists, as well as monitor the phpbb.com site as well as the phpBB Sourceforge page.
Currently, although there is a "phpbb-announce" mailing list at Sourceforge, it is unused by the developers - which is very unfortunate. The current recommended way of getting notifications of new releases is to to use the "Monitoring" feature at Sourceforge. According to the phpbb.com site, the notification process is going to be improved in the near future - which will be a very good thing, as the current method is clearly insufficient.
1.2 Installing the updates
The phpBB documentation is excellent in this regard, so there is very little to add. There are always three different versions available for each update - Full Version, Changed Files Only and a patch file. The names are self-explanatory, but make sure you fully read and understand the documentation before you go ahead. The patch file is the most powerful of the three, especially if you have a heavily-modified board, but you will need command-line access to your server as well as some knowledge of using Unix commands.
The key to a successful update is documentation. When you modify your board, it is vital to document every change you make, however minor. That means, when it comes to update time, if you have to rebuild your board from scratch by reapplying the mods to the basic board, you will be able to do so much more easily.
2. Mods
2.1 Choosing the right mods
Choosing mods from unreliable sources, or using untested or unverified mods can be dangerous: unless you are an expert in PHP you can't be sure of their reliability, security or even whether there are backdoors intentionally inserted by the mod developers. Unless you are sure of the source or you really know what you are doing, you should stick to the mods listed in the phpbb.com mod database - in particular, those mods which have been reviewed and approved by the phpBB Security Team. Bear in mind that even approved mods might still contain security holes, and these are not patched within the main reease - so make sure you regularly check the database for new versions of the mods you use, and if possible, sign up to the mod developer's mailing list if they have one.
2.2 Don't over-modify
Every mod you add to your basic installation, the more complex becomes the update process. So, along with choosing your mods carefully, only use mods that you need rather than adding everything including the kitchen sink.
I should also mention style templates: usually, style templates don't pose a security risk in themselves (although there are a lot of pre-built templates which are of poor quality, with broken markup and incorrect image paths). However, the more templates you have, the longer it takes to do an update - it is a pain to manually alter a dozen template files with every update. Stick to the minimum number you feel is required for your board.
3. Modifications you can make
There are some changes you can make to your phpBB installation to better secure it against attack by spambots, automated signups, etc. This is not a comprehensive list:
3.1 CAPTCHA image verification
phpBB version 2.0.11 onwards uses the CAPTCHA image verification system which requires a new member to enter a set of letters and numbers from a generated image before being able to sign up. Switch it on in the Admin Control Panel under in the Configuration menu (thanks to androidtech for the reminder). If and only if you have a significant membership comprising the visually-disabled, then there are mods available to slightly alter the signup process enough to fool most bots. This will kill automated signups stone dead. You will still have the problem of manual spam signups, but we're getting to that... ;)
3.2 memberlist.php
The standard phpBB installation includes a file called "memberlist.php" which (guess what!) provides a full list of the members of the board. By default, this is readable by all (not just members).
The presence of this page is one of the big motivators for spam signups: the page is a great way for the unscrupulous to get a load of backlinks to their site(s) via the link in the member profile which is displayed on this page. Often, the signups will use names starting with exclamation marks so as to get on the first page of the list.
Rather than modifying or hiding this page, I propose simply to get rid of it altogether. Once you have more than about 50 members, the page is unusable by real visitors - it is just too inefficient for finding information. On a busy board, it is a total waste of bandwidth, and only serves as spam-bait. What's more, your member list is precious information - why give it away to anyone? Your real users can still get at all the information they want for another user by viewing that member's profile via the link next to one of their posts. Of course, if anyone signs up and doesn't post, their profile is unlinked - so even if they have put a link to their site in their profile, it is not visible.
Here's how to get rid of it simply:
1. Install the "User List" mod from the phpBB mod database. This will give the forum administrators a full member list within the admin control panel for easy maintenance.
2. Edit the template file overall_header.tpl and remove the link and image for the member list.
3. Delete memberlist.php from your server, burn all copies, ban it in robots.txt and if you are feeling so inclined, replace it with a spider trap.
If for some unfathomable reason, you are getting referrals directly to your memberlist.php page from the SEs, then redirect it to a more appropriate page, or the forum index.
3.3 Basic settings
The following modifications don't directly affect the real, direct security of the forum, but will help the admins as well as the users.
# Disallow all HTML at all times. No exceptions, ever.
# Disallow remote avatars.
# Require user email address verification before being able to sign in.
# Edit overall_footer.tpl and remove the version number (as suggested by webwit). Make sure, however, that you always fully respect the license requirements for the software by leaving at least the minumum required link to the phpBB site: it's a minuscule price to pay for the forum software and it is respectful to the developers. The version number will still display at the foot of the pages in the admin control panel.
3.4 Editing templates
You should edit the style templates to reduce the information displayed by default when a user is not logged in to the system. You should make the following available only to those who are logged in:
1. Members currently online
2. Newest member
3. Search
4. All member avatars and signatures
5. All member profiles
On my board, the only header links are for the FAQ, Register and Login.
Using some of the SEO mods not only greatly improve usability (as well as spiderability), they can help in other ways too. On new boards (ie. boards which have not been indexed yet), then you should look at using mod_rewrite to change the default file names. Why? Want a good list of phpBB forums on which to try out your 7337 haxor skills? Do a Google search for "viewtopic.php".
4. Conclusion
This list is primarily aimed at phpBB users, but much of it applies to users of other boards too. The basic rules are: keep things updated, keep thigs simple, put barriers to spamming and hacking attempts and reduce the level of interest for your board to anyone other than your intended audience.
[/size]
Excellent article. Hopefully all will take into consideration!
Warm Regards,
M.Graves

Joono
web counter beginner
Posts: 1
Joined: Wed Dec 07, 2011 8:07 am

Re: phpBB Security Best Practices

Post by Joono » Wed Dec 07, 2011 9:16 am

Thank for this will keep it in mind on our new forum.

Gleedaniel13
tabulator
Posts: 22
Joined: Sun Jul 28, 2013 10:05 am
Contact:

Re: phpBB Security Best Practices

Post by Gleedaniel13 » Fri Oct 18, 2013 10:14 am

This article recently made the cover of www.webmasterworld.com - and is being reprinted here by permision of encyclo, of www.encyclo.ca - the author of the article. Thanks to him for giving his permision to re-post the article here.

If you were to follow the guidelines he presents, you would have been immune to the recent Santy worm outbreak, not to mention your board will be much easier to maintain and moderate in the long run.
He is so good for allowing it to re-post here. This is a very informative and would be very useful for us.
Web Design Integration

lindseynicole010
web counter beginner
Posts: 1
Joined: Fri Feb 10, 2017 6:31 am

Re: phpBB Security Best Practices

Post by lindseynicole010 » Fri Feb 10, 2017 6:32 am

thanks

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest