How to secure your XenForo forum

AwesomeForo

XenForo is becoming popular for building a community, so it is no surprise that a lot of hackers keep an eye on it. To keep your site out of the danger zone, today we introduce certain effective tips against hidden dangers.
1. Update your XenForo site instantly
Subscribe to XenForo security updates via email or RSS feed. Update your site whenever a new release comes out; this should be done as soon as possible. A new release of XenForo also comes with an explanation of all the security holes that were fixed, thus giving hackers a roadmap for getting in. If you do nothing else, update your XenForo site as soon as possible.

2. Change your Admin user
The default ID for the admin user in XenForo is usually “admin”, “administrator” or “root”, and a hacker may use this to attack your site. To avoid this, do the following steps:

  • Log in to the AdminCP
  • Switch to the tab Users > User Admin > click on “Admin” and change the name in the username field.
Note: You must enter the current password.

3. Use a strong password and change it regularly
Change your XenForo administrative password as well as your panel and FTP passwords. This is particularly important if you log in from different computers that other people have access to. Create unique passwords from a combination of upper- and lowercase letters, numbers and symbols. Besides that, change your username and password at least every 2 months.

4. Don’t use the root user in MySQL as the user of your database
You should always create a new database user when installing a new site, and give it rights to the new database only. This way, the user will only have access to that specific site. If not, one site can be hacked and the rest are wide open as well.

5. Protect the admin.php file with .htpasswd
Below we guide you through creating the .htpasswd file on two common hosting control panels (cPanel and DirectAdmin).
A. With cPanel:

  • Log in to cPanel
  • Choose "Password Protect Directories" >> "Web Root" >> choose the root folder of your site.
  • Tick "Password protect this directory"
  • In the section "Name the protected directory", fill in: Admin Control Panel Protected
  • Click Save.
  • In the "Create User" part, fill in your username & password.
  • Click "Add/modify authorised user"
  • Okay, so now you have a passwd file at: /.htpasswds/public_html/name_folder_forum
B. With DirectAdmin:

  • Log in to DirectAdmin
  • Choose "Password Protected Directories" >> "Find a Directory to Password Protect" >> choose the root folder of your site.
  • Tick "Protection Enabled".
  • Fill in the parameters: "Protected Directory Prompt" - "Set/Update User" - "Password" - "Re-Enter Password"
  • Click Save.
  • Okay, now you have a passwd file at: .htpasswd/public_html/name_folder_forum
After you have created the htpasswd file above, open the .htaccess file (in the root folder of your forum) and find this code:
Code:
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile path/to/passwd/file
AuthName "ACP Protected"
Require valid-user
Replace it with this code:
Code:
<Files admin.php>
AuthType Basic
AuthName "ACP Protected"
AuthUserFile "path/to/passwd/file"
Require valid-user
</Files>
Note: path/to/passwd/file will be of the form:
- /home/demosite.org/domains/demosite.org/.htpasswd/public_html/.htpasswd (with DirectAdmin)
- /home/demosite.org/.htpasswds/public_html/passwd (with cPanel)

6. Protect the /install folder with .htpasswd
Create a .htaccess file inside the /install folder with this code:
Code:
AuthType Basic
AuthName "Install Protected"
AuthUserFile "path/to/passwd/file"
Require valid-user
For path/to/passwd/file you could use the htpasswd file used to protect admin.php above, or create a new account.

7. Using an IP address to protect the admin.php file and the /install folder
You could use an IP address to protect admin.php and the /install folder instead of using a passwd file. In this case, you need to change the .htaccess file (in the root folder of your site) to protect admin.php like this:
Code:
<Files admin.php>
# Apache 2.2 access-control directives (Apache 2.4 needs mod_access_compat for these)
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
And create a .htaccess file in the /install folder like below:
Code:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Replace 127.0.0.1 with your current IP address. You could visit http://whoer.net to check your IP address.
You could add more IP addresses by adding this line:
Code:
Allow from 127.0.0.1
There is a rising problem here: the code above only works if your IP address is a static IP address. If you use a dynamic IP, instead of updating the IP address in the .htaccess file every time it changes, you could add a line like the one below to the .htaccess file:
Code:
# a partial address matches every IP that starts with these octets (here 127.0.0.0/16)
Allow from 127.0
8. Create a Backup Plan for your site
This is crucial. You never expect to be hacked, but when you are, a backup of your site could get you up and running within an hour. Check to see if your hosting company does daily or weekly backups. Even if they do, it's better insurance to take your own backup of the site. You can do this manually by copying down the files and exporting a copy of the MySQL database. It's easier to use a 3rd-party backup extension like CodeGuard.

These are 8 tips for protecting your XenForo forum. If you have any useful tips, do not hesitate to share them with us through the comment box below.
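As an added example (not from the original post), the following Python helpers model Apache's `Allow from` matching rules with the standard library, so you can see exactly how many addresses an entry such as `Allow from 127.0` admits before putting it in front of admin.php or /install; the sample addresses are constructed (203.0.113.x is a documentation range), and the `Require ip` renderer is the Apache 2.4 form of the post's `<Files>` block.

```python
import ipaddress


def parse_allow_spec(spec: str) -> ipaddress.IPv4Network:
    """Turn one `Allow from` argument into the network it admits.

    Apache accepts a full address (203.0.113.7), a CIDR (203.0.113.0/24),
    an address with netmask (203.0.113.0/255.255.255.0), or a partial
    address of 1-3 octets (127.0) matching every IP starting with them.
    """
    spec = spec.strip()
    if "/" in spec:                              # CIDR or address/netmask
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported Allow from argument: {spec!r}")
    if len(octets) == 4:                          # a single host
        return ipaddress.IPv4Network(f"{spec}/32")
    prefix_len = 8 * len(octets)                  # each given octet fixes 8 bits
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{prefix_len}")


def is_allowed(client_ip: str, specs: list[str]) -> bool:
    """Result of `Order Deny,Allow` + `Deny from all` + the given Allow lines."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in parse_allow_spec(s) for s in specs)


def allowed_address_count(specs: list[str]) -> int:
    """Number of distinct addresses the allow-list lets through to admin.php."""
    nets = ipaddress.collapse_addresses(parse_allow_spec(s) for s in specs)
    return sum(n.num_addresses for n in nets)


def render_require_ip(specs: list[str], filename: str = "admin.php") -> str:
    """Apache 2.4 `Require ip` form of the post's <Files> block, with every
    entry expanded to CIDR so its real scope is visible in the config."""
    nets = " ".join(str(parse_allow_spec(s)) for s in specs)
    return f"<Files {filename}>\n    Require ip {nets}\n</Files>\n"


if __name__ == "__main__":
    # Constructed sample: one static home address plus the dynamic-IP shortcut.
    for spec in ["203.0.113.7", "127.0"]:
        print(f"Allow from {spec:<12} -> {parse_allow_spec(spec)} "
              f"({allowed_address_count([spec])} addresses)")
    print(render_require_ip(["203.0.113.7", "127.0"]))
```

Run it before editing .htaccess: a two-octet entry opens the admin panel to 65536 addresses, so a CIDR that matches only your provider's actual range is the tighter choice.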

AwesomeForo

Don't get left behind; have us upgrade your XenForo installation to the latest & greatest.
We strongly recommend that you keep your XenForo installation up-to-date at all times to ensure you get the best possible experience with all the latest features and bug fixes, as well as any security related updates.

Our team can upgrade your XenForo installation and help ensure things go smoothly:
- Take a full system backup.
- Keep downtime to a minimum.
- Preserve template customisations whenever possible.
- Includes 12 months of free support with this service as well, to make sure that our team is here to help you if you need assistance.

Our upgrade service is available 24/7 and has a 12-48 hour turnaround time.