Going Live - Prevent Hacking Tips/Tools

M

mikiliste

Member
Hello Everyone,

I am planning to go live with my site and I was wondering if there are any security tips or addons that I can install to protect/prevent the site being hacked.
Thank you very much!
 
Stop any and all bots from registering:
xenforo.com

[OzzModz] Registration Spaminator Stop Spam Bot Registrations [Paid]

ozzy47 submitted a new resource: [OzzModz] Registration Spaminator - Registration Spam Bot Fighting Tool This addon is another tool in fighting spam bot registrations at your forum. How it works Read more about this resource...
xenforo.com xenforo.com

Stop any and all bot login attempts (great for brute force attacks):
xenforo.com

[OzzModz] Login Spaminator [Paid]

ozzy47 submitted a new resource: [OzzModz] Login Spaminator - This addon is a weapon in fighting spam bot logins at your forum. Do you have lots of spammer accounts existing at your forum? Just little time bombs waiting to go off any time? Stop automated login attempts with the [OzzModz] Login...
xenforo.com xenforo.com

Stop any and all bots from flooding your inbox via the "Contact Us" form:
xenforo.com

[OzzModz] Contact Us Spaminator [Paid]

ozzy47 submitted a new resource: [OzzModz] Contact Us Spaminator - Contact Us Form Spam Bot Fighting Tool Sick and tired of your inbox getting flooded with spam coming from the "Contact Us" system on your xenforo install(s)? You've tried everything and still it persists? You even shut off the...
xenforo.com xenforo.com

Log all legitimate queries via "Contact Us" for viewing without leaving your site:
xenforo.com

[OzzModz] Contact Us Form Log [Paid]

ozzy47 submitted a new resource: [OzzModz] Contact Us Form Log - Log all contact us form submissions Always wanted to check contact emails without leaving your forum? Then the Ozzmodz Contacts Log is for you. This is a relatively simple addon that will log all contact-form submissions to the...
xenforo.com xenforo.com

None of these really fight "hacking" per se, but do stop bot invasion activity. And are really cool.
 
XF is extremely secure. I haven't seen a single case of hacked XF installation in all those years.

Unless you run something else on your server, like Wordpress, which then gets hacked (happens sometimes because of WP Addons), for XF you don't need extra measures.

But what you could do is to enable Two-Factor Authentication (2FA) to have better password protection (I would say 99% of "hacked" stuff on the internet is due to people finding out passwords). You can enable it in ACP in permissions.
Another thing is you could enable password protection with htaccess for ACP.

But mostly, you don't need to do those stuff, unless you are very popular and you are targeted very often.
 
Thank you very much @sbj very much appreciate your input. I have already unable 2FA for Admins. I will see how it goes, if I need to take the other steps.
 
Manster54 said:
Stop any and all bots from registering

Stop any and all bot login attempts (great for brute force attacks)

Stop any and all bots from flooding your inbox via the "Contact Us" form
Click to expand...
No Add-on will ever be able to stop all those bot activities, the max. you can do is to slow down bots and filter the majority.

The only 100% bulletproff solution would be to turn those festures off.
 
sbj said:
XF is extremely secure. I haven't seen a single case of hacked XF installation in all those years.

Unless you run something else on your server, like Wordpress, which then gets hacked (happens sometimes because of WP Addons), for XF you don't need extra measures.

But what you could do is to enable Two-Factor Authentication (2FA) to have better password protection (I would say 99% of "hacked" stuff on the internet is due to people finding out passwords). You can enable it in ACP in permissions.
Another thing is you could enable password protection with htaccess for ACP.

But mostly, you don't need to do those stuff, unless you are very popular and you are targeted very often.
Click to expand...
I get that XF might be secure, but can’t your FTP account/cPanel be hacked regardless?

Sorry if that is a dumb question.
 
sixlxvi said:
I get that XF might be secure, but can’t your FTP account/cPanel be hacked regardless?
Click to expand...
Well the server on which you are hosted can be hacked of course.
But unless you give your passwords away, that is highly unlikely that any 3rd person will have access to your environment. Even if they gained access through you, they can't just have access to everyone, but you could be screwed then.
If you are on a host which has cPanel, it means you are on a managed environment. Those guys have all the standard protections one can have in the business. So, if they get hacked, any of us can get hacked basically, which is of course very unlikely.

Again, most of the time there is no real hacking involved. Everything is standardized and protected on a deep level. Maybe 20 years ago this would have been the case, not today. Today, mostly people gain access because of password guessing or finding it out somehow.
Usually root user and password is "admin" or "root" or something easy like that.
 
If you are hosting XF via a VPS (not managed hosting) IMHO you would be crazy to allow direct root access over ssh + ftp.

At least disable direct logins via the root acoount, and perhaps even bump up security by using encrypted key pairs rather than just passwords and logins. Key pairs will always. Be more secure than passwords.

Add your admin accounts on the VPS to the sudo group. If you need root access you can always get it temporarily via the su - command.

Implement Fail2Ban on your VPS server to prevent against brute force attacks.
 
sbj said:
Well the server on which you are hosted can be hacked of course.
But unless you give your passwords away, that is highly unlikely that any 3rd person will have access to your environment. Even if they gained access through you, they can't just have access to everyone, but you could be screwed then.
If you are on a host which has cPanel, it means you are on a managed environment. Those guys have all the standard protections one can have in the business. So, if they get hacked, any of us can get hacked basically, which is of course very unlikely.

Again, most of the time there is no real hacking involved. Everything is standardized and protected on a deep level. Maybe 20 years ago this would have been the case, not today. Today, mostly people gain access because of password guessing or finding it out somehow.
Usually root user and password is "admin" or "root" or something easy like that.
Click to expand...
I suppose this is reassuring, thanks.
Iggy said:
you can always opt to not use those features ;P
sorry if that is a dumb answer lol, its the path we chose anyway ;)
Click to expand...
If I don't use cPanel/FTP, I wouldn't know how to manage my site. (noob alert)
gerryvz said:
If you are hosting XF via a VPS (not managed hosting) IMHO you would be crazy to allow direct root access over ssh + ftp.

At least disable direct logins via the root acoount, and perhaps even bump up security by using encrypted key pairs rather than just passwords and logins. Key pairs will always. Be more secure than passwords.

Add your admin accounts on the VPS to the sudo group. If you need root access you can always get it temporarily via the su - command.

Implement Fail2Ban on your VPS server to prevent against brute force attacks.
Click to expand...
As I stated above about being a noob, this is above my level of server experience. I suppose I could look into a server admin for this stuff.
 
sixlxvi said:
As I stated above about being a noob, this is above my level of server experience. I suppose I could look into a server admin for this stuff.
Click to expand...
You shouldn't need to. You can find everything you need via Google, and plenty of examples and HOW-TOs.

You don't have to worry much at all about XenForo's security. More important that your server/environment is secure(d).
 
You must log in or register to reply here.

Similar threads

CavySpirit
  • Question Question
XF 2.2 Test site to new test site before going live
Replies
7
Views
761
CavySpirit
CavySpirit
Blue chummer
When to start the Social media before going live.
Replies
5
Views
829
DBA
DBA
msolano
  • Question Question
XF 1.2 Some questions for test site before going live
Replies
5
Views
574
Jeremy
Jeremy
speedway
  • Question Question
Checking before going live
Replies
19
Views
1K
speedway
speedway
Back
Top Bottom