BobbyDouglas
Posts: 5470 Joined: 5/15/2003 From: Arizona Status: offline
Steps to ensure forum security! - 10/21/2005 13:55:28
Note: If you cannot follow every part below, make sure that you do follow part 3. Part 3 will stop most exploits.

By following these simple steps, you will be able to better secure your forum against hacker attacks and help protect your users:

1. All admins must change their password monthly; mods must change theirs on a regular basis as well.
2. Admins/mods must have passwords that are hard to guess, and do not use common words. Example of a bad password: hello2you. Example of a good password: ro0jUjun39jFdu.
3. Require a user/pass to access the admin folders, as well as an IP restriction on the folders/pages. Meaning, if your IP is not on the allow list, you cannot access the page.
4. Use complex database passwords such as: ro0jUjun39jFdu.
5. NEVER use default prefixes for table names and DB names. (You will be able to set the DB and table names when you are installing the software.)
6. NEVER leave files on the server that will show what version of the forum software is being used. (Find out what files they are by contacting your forum's support.)
7. Require users to sign up using a valid e-mail.
8. Tell your users to never use the same password for the forum as the password used for the e-mail registered on the forum. If your e-mail is hello@example.com with password hello1, do not use hello1 as your password on the forum.
9. If you ever become a victim of a hacker, contact your host and request that all logs are saved during the period of the attack.
10. Keep an eye on security fixes. Some people have made modifications to their forum, so they no longer can do an easy upgrade. This doesn't mean you should ignore updates; some updates might be required, and others might not be. Review the change log of your forum software to find out if you need to implement a security fix.

By following the above points, you will make sure that your forum is as secure as it can be.
Back in the day, I ran across a few of these "Win a free PS2" deals, where you entered your e-mail address and created a password so you could check the status on your trial. Well, did you know that most of these forms (that weren't from large websites) just had a simple form that e-mailed the e-mail address and password to another account? Did you know that 80% of the time that password was the same password used for the e-mail address? Another thing. Once someone hacks into a forum and downloads the database, they will have the e-mail address you signed up with on the forum, and the password you use to log in. But wait! "I thought my password was stored encrypted?" Most of the time, it is stored in MD5 encryption, which is easily decrypted, so it is rather useless. What does that mean to you? Well, if you used the same password you do on the forum as the password for your e-mail address, then the hacker can log into your e-mail account. From there, they can look at your e-mails and go to websites that they see have sent you e-mails, and try the exact same password. If that password does not work, they can submit a "request for password via e-mail" form, and find out your password that way. Basically, if you use the same password as you do on the forums, be prepared to be in trouble if the database is ever hacked. Now what are the actual chances that your website will be hacked? Well, they are very limited, but that doesn't mean it doesn't happen. Did you know that the latest version of VB (paid software) still contains an exploit that allows the database to be downloaded? Most likely not; not even the developers have issued a fix for it.
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
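One way to implement step 3 (login plus IP allow list on the admin folder) on an Apache 2.4 host. This is an added example, not part of the original post; the admin directory, the htpasswd file path and the IP addresses are assumed placeholders (the addresses are from the RFC 5737 documentation ranges).

```apacheconf
# .htaccess placed in the forum's admin directory (assumed path: /admin/).
# Assumes Apache 2.4 with mod_authn_file, mod_authz_core and mod_authz_host
# loaded, and AllowOverride AuthConfig Limit permitted for this directory.

# Credentials live outside the web root so they can never be downloaded.
# Create the file with: htpasswd -c -B /etc/apache2/forum-admin.htpasswd adminname
AuthType Basic
AuthName "Forum administration"
AuthUserFile /etc/apache2/forum-admin.htpasswd

# RequireAll means BOTH conditions must hold for every request in this folder:
# a valid admin login AND a client address on the allow list.
# A stolen admin password alone is therefore not enough to reach these pages.
<RequireAll>
    Require valid-user
    # Placeholder addresses: one single host and one /24 network.
    Require ip 203.0.113.10 198.51.100.0/24
</RequireAll>
```

If the forum's admin pages also exist outside this folder, wrap them in a `<Files>` or `<FilesMatch>` block with the same `<RequireAll>` so the restriction is not bypassed by requesting them directly.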