What security do you use? Hacker protection...

C

Chassey Group

Member
Licensed customer
Can anyone offer advice on what we should do to protect our forum? We are new to this & want to be safe.

Looking at this: http://sucuri.net/

But, have no idea if it is good or not. What do you do/use?

Thanks for any help!
 
Basic steps:
  • Password protect /admin.php and /install/ via .htaccess.
Server Level:
  • Using CSF or any Software Firewall

By the way XenForo is already 99% secured compare to other forum software.
 
I like Sucuri. It's far easier to configure than a server-level security pattern matching. If you can set that up your self, then that's probably a better choice. But if you can't or don't want to take the time, I like using something like Sucuri.

arn
 
It is not necessary to delete the install directory and we don't advise it.
 
Mike Edge said:
You should fully delete /install. Once your install is completed, it is not required to use until an upgrade, which comes with an install folder.
Click to expand...

What if the need to restore master data arises? They'll have to re-upload.

Personally, I either 404 the /install directory via htaccess, or 0000 the permissions. I never use it anyway (I always use the CLI upgrader).

However, @Chassey Group I can't look at that service, because three thinks it's an adult site and has blocked it :rolleyes:, however I do believe that basic security measures such as using SSL where available and htaccess (digest) protecting the admin.php file (IP protection if you have a static IP), is the best way to go.

Liam
 
Here's a partial list of things I did to improve my security after we were hacked last year. This was written with vBulletin in mind, but should mostly carry over to Xenforo.

- Only give absolutely needed permissions to your mods and admins
- Create a separate admin account that is the "super admin" (in config) with plugin and theme permissions. Your day to day admin user should not have any of these permissions.
- Require password changes to your Mods and Admins every XX days
- I'm paying for password manager software for my mods/admins
- htaccess password protect both AdminCP and ModCP. Don't give out the password via the forums or through pm.
- Use a Web Application Firewall. SAAS versions include https://www.cloudflare.com , http://cloudproxy.sucuri.net , http://www.incapsula.com
- Two factor authentication for moderators and admins.
- Consider globally disabling more dangerous PHP functions
Click to expand...
 
Use a Web Application Firewall. SAAS versions include https://www.cloudflare.com ,http://cloudproxy.sucuri.net , http://www.incapsula.com
Click to expand...
Cloudflare doesn't help much as website Firewall.
Maybe Sucuri and Incpsula works great.
Two factor authentication for moderators and admins.
Click to expand...
I hope there is a stable plugin available.
Consider globally disabling more dangerous PHP functions
Click to expand...
I think this is not needed with XenForo.
I recall @Mike stated that most of the function is used and not advisable to disable.
 
RoldanLT said:
Cloudflare doesn't help much as website Firewall.
Maybe Sucuri and Incpsula works great.
Click to expand...

I've used Sucuri on vBulletin. It's not perfect and probably won't stop a targeted attack. Also there are false positives you have to monitor for. The main reason I like it (or other services like it) is that they will virtually patch (block) new exploits -- which helps block automated scans of new vulnerabilities, giving you a little extra time to patch yourself.

I think a proper server-side WAF will do the same with regularly updated definitions.

I hope there is a stable plugin available.
Click to expand...

Ya, I was looking around for one.

I think this is not needed with XenForo.
I recall @Mike stated that most of the function is used and not advisable to disable.
Click to expand...

Certainly low yield and a bit whack-a-mole to provide you with much comfort, but there are some really insecure PHP functions out there, including show_source(), which will output the source of a local php file.

arn
 
RoldanLT said:
Cloudflare doesn't help much as website Firewall.
Maybe Sucuri and Incpsula works great.

I hope there is a stable plugin available.

I think this is not needed with XenForo.
I recall @Mike stated that most of the function is used and not advisable to disable.
Click to expand...

There is a stable Two factor authentication add-on available
https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/

Works like a charm. I'm using it for a year now.

They don't recommend to disable php functions. But I also have the dangerous functions disabled.
 
You must log in or register to reply here.

Similar threads

MapleOne
Who's addons do you use the most?
Replies
4
Views
190
Opus X
Opus X
Bob de Bouwer
What do you use for VIP members?
Replies
9
Views
220
Paul B
P
Ariel Schnee
  • Locked
What Addons Do You Use On Your XenForo 1 Forum Now?
Replies
6
Views
158
Paul B
P
drastic
What email marketing solutions do you use?
Replies
10
Views
1K
drastic
drastic
arn
Photography Heavy Sites: What settings / addons do you use?
2
Replies
23
Views
2K
Chromaniac
Chromaniac
Back
Top Bottom