
What security do you use? Hacker protection...

RoldanLT

Well-known member
#4
Basic steps:
  • Password protect /admin.php and /install/ via .htaccess.
Server Level:
  • Using CSF or any Software Firewall

By the way, XenForo is already 99% secure compared to other forum software.

arn

Active member
#6
I like Sucuri. It's far easier to configure than server-level security pattern matching. If you can set that up yourself, then that's probably a better choice. But if you can't or don't want to take the time, I like using something like Sucuri.

arn

Liam W

Well-known member
#10
You should fully delete /install. Once your install is completed, it is not required to use until an upgrade, which comes with an install folder.
What if the need to restore master data arises? They'll have to re-upload.

Personally, I either 404 the /install directory via htaccess, or 0000 the permissions. I never use it anyway (I always use the CLI upgrader).

However, @Chassey Group, I can't look at that service, because Three thinks it's an adult site and has blocked it :rolleyes:. I do believe that basic security measures such as using SSL where available and htaccess (digest) protecting the admin.php file (IP protection if you have a static IP) are the best way to go.

Liam
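The admin.php and /install protections discussed above, as an added example that is not from any post in this thread. It assumes Apache 2.4 with mod_auth_digest, mod_authz_core and mod_rewrite (XenForo's root .htaccess already turns the rewrite engine on); the digest file path and the office IP are placeholders.

```apache
# Root .htaccess fragment (added example; paths and IP are placeholders).

# 1. Digest-protect admin.php. Create the credential file OUTSIDE the web
#    root with:  htdigest -c /etc/apache2/xf.htdigest "XenForo admin" alice
#    The realm given to htdigest must match AuthName exactly.
<Files "admin.php">
    AuthType Digest
    AuthName "XenForo admin"
    AuthUserFile "/etc/apache2/xf.htdigest"
    <RequireAll>
        Require valid-user
        # Optional second factor for a static office address: both the login
        # AND the source IP must match. Drop this line if your IP changes.
        Require ip 203.0.113.10
    </RequireAll>
</Files>

# 2. Make /install/ answer 404 instead of 403, so scanners cannot tell the
#    directory exists. Comment this out only while running an upgrade, and
#    re-enable it afterwards (the upgrade package ships its own install dir).
RewriteEngine On
RewriteRule ^install(/|$) - [R=404,L]
```

Test with `curl -I https://example.invalid/install/` (expect 404) and `curl -I https://example.invalid/admin.php` (expect 401 from an address other than the allowed IP).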

arn

Active member
#11
Here's a partial list of things I did to improve my security after we were hacked last year. This was written with vBulletin in mind, but should mostly carry over to XenForo.

- Only give absolutely needed permissions to your mods and admins
- Create a separate admin account that is the "super admin" (in config) with plugin and theme permissions. Your day to day admin user should not have any of these permissions.
- Require password changes to your Mods and Admins every XX days
- I'm paying for password manager software for my mods/admins
- htaccess password protect both AdminCP and ModCP. Don't give out the password via the forums or through pm.
- Use a Web Application Firewall. SAAS versions include https://www.cloudflare.com , http://cloudproxy.sucuri.net , http://www.incapsula.com
- Two factor authentication for moderators and admins.
- Consider globally disabling more dangerous PHP functions

RoldanLT

Well-known member
#12
Cloudflare doesn't help much as a website firewall.
Maybe Sucuri and Incapsula work great.
Two factor authentication for moderators and admins.
I hope there is a stable plugin available.
Consider globally disabling more dangerous PHP functions
I think this is not needed with XenForo.
I recall @Mike stated that most of those functions are used and it's not advisable to disable them.

arn

Active member
#13
Cloudflare doesn't help much as a website firewall.
Maybe Sucuri and Incapsula work great.
I've used Sucuri on vBulletin. It's not perfect and probably won't stop a targeted attack. Also there are false positives you have to monitor for. The main reason I like it (or other services like it) is that they will virtually patch (block) new exploits -- which helps block automated scans of new vulnerabilities, giving you a little extra time to patch yourself.

I think a proper server-side WAF will do the same with regularly updated definitions.

I hope there is a stable plugin available.
Yeah, I was looking around for one.

I think this is not needed with XenForo.
I recall @Mike stated that most of those functions are used and it's not advisable to disable them.
Certainly low yield and a bit whack-a-mole to provide you with much comfort, but there are some really insecure PHP functions out there, including show_source(), which will output the source of a local PHP file.

arn

Fred.

Well-known member
#14
Cloudflare doesn't help much as a website firewall.
Maybe Sucuri and Incapsula work great.

I hope there is a stable plugin available.

I think this is not needed with XenForo.
I recall @Mike stated that most of those functions are used and it's not advisable to disable them.
There is a stable two-factor authentication add-on available:
https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/

Works like a charm. I've been using it for a year now.

They don't recommend disabling PHP functions. But I also have the dangerous functions disabled.