I like Sucuri. It's far easier to configure than server-level security pattern matching. If you can set that up yourself, then that's probably a better choice. But if you can't or don't want to take the time, I like using something like Sucuri.
What if the need to restore master data arises? They'll have to re-upload.
Personally, I either 404 the /install directory via htaccess, or 0000 the permissions. I never use it anyway (I always use the CLI upgrader).
However, @Chassey Group I can't look at that service, because Three thinks it's an adult site and has blocked it. However, I do believe that basic security measures such as using SSL where available and htaccess (digest) protecting the admin.php file (IP protection if you have a static IP) are the best way to go.
Here's a partial list of things I did to improve my security after we were hacked last year. This was written with vBulletin in mind, but should mostly carry over to Xenforo.
- Only give absolutely needed permissions to your mods and admins
- Create a separate admin account that is the "super admin" (in config) with plugin and theme permissions. Your day to day admin user should not have any of these permissions.
- Require password changes to your Mods and Admins every XX days
- I'm paying for password manager software for my mods/admins
- htaccess password protect both AdminCP and ModCP. Don't give out the password via the forums or through pm.
- Use a Web Application Firewall. SAAS versions include https://www.cloudflare.com , http://cloudproxy.sucuri.net , http://www.incapsula.com
- Two factor authentication for moderators and admins.
- Consider globally disabling more dangerous PHP functions
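An added example (not from any poster above) showing how the htaccess-style steps in this thread look in Apache 2.4 configuration: returning 404 for the installer directory, digest-protecting admin.php with an optional static-IP bypass, and disabling a handful of dangerous PHP functions. It assumes Apache 2.4 with mod_auth_digest and mod_php; the hostname, paths, IP address and function list are placeholders to adapt.

```apache
# Placeholder vhost; TLS directives (SSLEngine, certificates) are assumed to be set
# elsewhere. Digest auth should only be exposed over HTTPS.
<VirtualHost *:443>
    ServerName forum.example.com
    DocumentRoot "/var/www/forum"

    <Directory "/var/www/forum">
        # Make the installer look like it does not exist once setup is done.
        RedirectMatch 404 ^/install(/.*)?$

        # Digest-protect the admin entry point. The realm in AuthName must match
        # the realm used when creating entries with htdigest(1).
        <Files "admin.php">
            AuthType Digest
            AuthName "forum-admin"
            AuthDigestProvider file
            AuthUserFile "/var/www/private/.htdigest"
            <RequireAny>
                # Placeholder static admin IP: skips the password prompt from here.
                Require ip 203.0.113.10
                # Everyone else must present a valid digest credential.
                Require valid-user
            </RequireAny>
        </Files>
    </Directory>

    # disable_functions is PHP_INI_SYSTEM, so it belongs in the server or vhost
    # config (not .htaccess). show_source is an alias of highlight_file, so both
    # are listed. Check your forum's requirements before disabling others.
    php_admin_value disable_functions "show_source,highlight_file,exec,shell_exec,system,passthru,proc_open,popen"
</VirtualHost>
```

Create the credential file with `htdigest -c /var/www/private/.htdigest forum-admin <user>` and keep that file outside the document root, as shown.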
I've used Sucuri on vBulletin. It's not perfect and probably won't stop a targeted attack. Also there are false positives you have to monitor for. The main reason I like it (or other services like it) is that they will virtually patch (block) new exploits -- which helps block automated scans of new vulnerabilities, giving you a little extra time to patch yourself.
I think a proper server-side WAF will do the same with regularly updated definitions.
Certainly low yield and a bit whack-a-mole to provide you with much comfort, but there are some really insecure PHP functions out there, including show_source(), which will output the source of a local php file.