Best practices to protect xenforo

rosal

Member
Hi can someone point me in the right direction, what is the best practices to protect xenforo?

Do I really need to install third-party add-ons to be properly protected, or are the core features of XenForo enough?
 

Teapot

Well-known member
While there are third-party add-ons you can use to improve security, I don't really use them so I couldn't comment – XenForo is secure enough out of the box. Some steps you might want to take to protect your board are:
  1. Ensure that all privileged members (administrators, moderators, any other staff) have strong, unique passwords – password reuse and easily-guessable passwords are the easiest way for your forum to be compromised.
  2. Ensure that privileged members only have the permissions they absolutely need – if you have an admin who isn't technical, consider not allowing them to manage add-ons; if you have staff who don't need to manage nodes, don't give them the permission to, and so on. This limits the scope of the damage if their accounts are broken into.
  3. Be careful who you give super administrator status to – super administrators are all-powerful, and thus very dangerous in the wrong hands. Ideally, create a separate user (not user ID 1) with an extremely strong password, and make them the only super administrator.
  4. For extra protection, ensure your staff use two-step verification, or 2FA. If necessary, you can force it on their user group using the permissions system.
  5. An extreme measure would be to use an .htpasswd file to password-protect admin.php, so that an attacker requires two sets of credentials to access the ACP – the user's details (username, password) plus a separate set of details to get through the HTTP authentication dialog.
Really, securing a XenForo forum is mostly just the absolute basics – there's very little that can be exploited in the software itself, so it's mostly a case of protecting your user accounts, server logins, and so on.
 

Martok

Well-known member
Does XenForo have anything in the core to force strong, unique passwords?
No.

I agree with what @Teapot said.

Personally I'd password protect admin.php and also the install directory in addition to 2FA. It gives an extra bit of protection, plus for the latter it prevents nosey people from seeing what version of XenForo you are running. A guide to do this is here:

https://xenforo.com/community/resources/protecting-admin-php-and-the-install-directory-using-htaccess.353/

The devs also put out a guide recently on security:

https://xenforo.com/community/threads/reminder-account-password-security-best-practices.121824/
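As an added illustration of the .htaccess approach Teapot and Martok describe (example configuration written for this thread, not the linked guide's own files), assuming Apache 2.4 with mod_auth_basic loaded, AllowOverride AuthConfig enabled for the web root, and made-up paths:

```apache
# /var/www/example-forum/.htaccess  (XenForo web root; path is an assumption)
# Second set of credentials in front of the ACP, independent of the XenForo login.
<Files "admin.php">
    AuthType Basic
    AuthName "Staff only"
    # Keep the credential file outside the document root so it can never be served.
    AuthUserFile "/etc/apache2/xf-staff.htpasswd"
    Require valid-user
</Files>

# /var/www/example-forum/install/.htaccess
# Covers the installer/upgrader, which also reveals the running XenForo version.
AuthType Basic
AuthName "Staff only"
AuthUserFile "/etc/apache2/xf-staff.htpasswd"
Require valid-user

# Create the credential file once (bcrypt hashes; -c only for the first user):
#   htpasswd -B -c /etc/apache2/xf-staff.htpasswd staffadmin
# Add further staff without -c so the file is not overwritten:
#   htpasswd -B /etc/apache2/xf-staff.htpasswd moderator2
```

If AllowOverride is off, the same directives go inside the site's VirtualHost block instead of .htaccess; either way, each staff member still logs in to XenForo (ideally with 2FA) after passing the HTTP prompt.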