
Protecting your XenForo site?

sophie1204

Active member
#1
I have a WordPress site that was just hacked, so I'm taking steps to improve security. So I was wondering -- does anyone have any tips for protecting XenForo sites, too?
 

Slavik

XenForo moderator
Staff member
#2
Make sure your admin password is strong.

.htaccess password-protect the Admin CP with a separate password.

XenForo itself has no known exploits (as far as I'm aware). If a breach were to happen, it would be due to having it connected to a vulnerable system or a vulnerable add-on.
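One way to do the second step above, as an added example that is not part of the thread or of XenForo's own files: a POSIX shell script that generates the .htaccess stanza guarding admin.php with HTTP basic auth, creates the password file with bcrypt, and refuses to put that file under the web root. Assumed (hypothetical): Apache 2.4 with AllowOverride AuthConfig on the forum directory, the htpasswd tool from apache2-utils/httpd-tools, the forum installed at XF_ROOT and the password file at AUTH_FILE.

```shell
#!/bin/sh
# Added example, not from the thread. Put HTTP basic auth in front of XenForo's
# admin.php via .htaccess, leaving the public forum open.
# Assumptions (hypothetical): Apache 2.4, AllowOverride AuthConfig enabled for
# $XF_ROOT, htpasswd installed, and AUTH_FILE kept outside the web root.
set -eu

XF_ROOT="${XF_ROOT:-/var/www/xenforo}"
AUTH_FILE="${AUTH_FILE:-/etc/xenforo/admin.htpasswd}"   # deliberately outside the web root

# Print the .htaccess stanza that guards admin.php only.
# $1 = absolute path of the htpasswd file
htaccess_stanza() {
    cat <<EOF
# --- XenForo Admin CP protection ---
<Files "admin.php">
    AuthType Basic
    AuthName "XenForo Admin CP"
    AuthUserFile "$1"
    Require valid-user
</Files>
# Never serve a password file, even if one ends up under the web root
<Files "*.htpasswd">
    Require all denied
</Files>
EOF
}

# Return 0 if the htpasswd file ($1) is outside the web root ($2), 1 otherwise.
# A password file inside the web root becomes downloadable the moment .htaccess
# processing is disabled or misconfigured.
auth_file_outside_docroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Create (-c) the htpasswd file for user $1 at path $2 with a bcrypt (-B) hash;
# htpasswd prompts for the password so it never lands in shell history.
create_admin_user() {
    command -v htpasswd >/dev/null 2>&1 || { echo "htpasswd not installed" >&2; return 1; }
    install -d -m 750 "$(dirname "$2")"
    htpasswd -cB "$2" "$1"
    chmod 640 "$2"
}

# Wire it together: check the file location, create the user, append the stanza
# once (keeping any rewrite rules already in .htaccess).
install_protection() {
    auth_file_outside_docroot "$AUTH_FILE" "$XF_ROOT" ||
        { echo "refusing: $AUTH_FILE is inside $XF_ROOT" >&2; return 1; }
    create_admin_user "$1" "$AUTH_FILE"
    grep -q 'XenForo Admin CP protection' "$XF_ROOT/.htaccess" 2>/dev/null ||
        htaccess_stanza "$AUTH_FILE" >> "$XF_ROOT/.htaccess"
}

# Usage: XF_ROOT=/path/to/forum sh protect_admin.sh --apply [username]
if [ "${1:-}" = "--apply" ]; then
    install_protection "${2:-xfadmin}"
fi
```

The basic-auth password should differ from the XenForo admin password, so that a credential leak from one layer does not open the other; and the `Require all denied` stanza is a belt-and-braces guard in case someone later drops the htpasswd file into the forum directory.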
 

Chris D

XenForo developer
Staff member
#4
I have a WordPress site that was just hacked, so I'm taking steps to improve security. So I was wondering -- does anyone have any tips for protecting XenForo sites, too?
What was the nature of the hack? Was it a known software exploit, or a weakness in security?
 
#5
Currently I am using naxsi with nginx + php-fpm; it's the 'mod_security' for nginx. The idea is that it acts as a protection front end before the request is passed to your backend, so in theory, even if your web app is vulnerable, in most cases naxsi will block the attempt.
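The setup described above, as an added example that is not part of the thread or of the naxsi project: a POSIX shell script that writes an nginx server block with naxsi enabled in front of php-fpm and validates it. Assumed (hypothetical): nginx built with the naxsi module, the core rule set at NAXSI_RULES and already included at http level in nginx.conf, php-fpm listening on 127.0.0.1:9000, and the app's front-controller rewrite (`try_files ... /index.php`) matching your forum's own nginx instructions.

```shell
#!/bin/sh
# Added example, not from the thread. Generate an nginx vhost that runs naxsi
# as a front-end filter before php-fpm sees the request.
# Assumptions (hypothetical): nginx compiled with naxsi, naxsi_core.rules at
# $NAXSI_RULES and included inside the http {} block of nginx.conf, php-fpm on
# 127.0.0.1:9000, config written to $CONF.
set -eu

NAXSI_RULES="${NAXSI_RULES:-/etc/nginx/naxsi_core.rules}"
CONF="${CONF:-/etc/nginx/conf.d/forum.conf}"

# Return 0 if the core rule file exists; without it SecRulesEnabled has
# nothing to score requests against and nginx refuses to start.
core_rules_present() {
    [ -r "$1" ]
}

# Print the server block. $1 = document root; $2 = 1 for LearningMode (score
# and log but never block, used while building whitelists), 0 to enforce.
# Each request is scored per category; when a score reaches its CheckRule
# threshold, naxsi internally redirects the request to DeniedUrl.
naxsi_server_block() {
    learning=""
    [ "$2" = "1" ] && learning="        LearningMode;"
    cat <<EOF
server {
    listen 80;
    root $1;
    index index.php;

    location / {
        SecRulesEnabled;
$learning
        DeniedUrl "/RequestDenied";
        CheckRule "\$SQL >= 8" BLOCK;
        CheckRule "\$RFI >= 8" BLOCK;
        CheckRule "\$TRAVERSAL >= 4" BLOCK;
        CheckRule "\$EVADE >= 4" BLOCK;
        CheckRule "\$XSS >= 8" BLOCK;
        try_files \$uri \$uri/ /index.php?\$uri&\$args;
    }

    # Blocked requests land here; the matched rule ids go to the error log.
    location /RequestDenied {
        internal;
        return 418;
    }

    location ~ \.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
EOF
}

# Write the vhost and let nginx parse it before anything is reloaded.
write_vhost() {
    core_rules_present "$NAXSI_RULES" ||
        { echo "missing $NAXSI_RULES; include it in nginx.conf http {} first" >&2; return 1; }
    naxsi_server_block "$1" "$2" > "$CONF"
    nginx -t
}

# Usage: sh naxsi_vhost.sh --apply /var/www/xenforo [1 for learning mode]
if [ "${1:-}" = "--apply" ]; then
    write_vhost "${2:-/var/www/xenforo}" "${3:-1}"
fi
```

Start with learning mode on, watch the error log for false positives on legitimate forum posts (BBCode and quoted SQL in support threads are common triggers), add whitelist rules for those, and only then switch to blocking; a WAF that blocks first and is tuned later usually gets switched off by the first annoyed moderator.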
 

Floren

Well-known member
#7
Currently I am using naxsi with nginx + php-fpm; it's the 'mod_security' for nginx. The idea is that it acts as a protection front end before the request is passed to your backend, so in theory, even if your web app is vulnerable, in most cases naxsi will block the attempt.
Glad to see you use that; so far only Axivo has naxsi packages for CentOS/RedHat. :)
# yum --enablerepo=axivodev list nginx*
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.ubiquityservers.com
* extras: mirror.science.uottawa.ca
* updates: yum.singlehop.com
Installed Packages
nginx-common.x86_64 1.2.0-1.el5 installed
nginx-naxsi.x86_64 1.2.0-1.el5 installed
Available Packages
nginx.x86_64 1.2.0-1.el5 axivodev
nginx-debug.x86_64 1.2.0-1.el5 axivodev
I have not released them to the public yet, as I'm still testing everything internally. If you want, I would appreciate it if you could contact me to discuss the naxsi rules further. So far, I'm using the basic stuff. I'm in the process of writing the missing CentOS 5 packages needed for the sweet naxsi UI. :)

If it is easier for you, please start a thread in the Server-related forum and we can continue this discussion there.
Reply to this conversation with the thread link, thank you.