This is my post on securing your phpBB2 forums. I have had several clients who have had their forums spammed. Looking at each case, the spam got in because of one or more of the following:
- They allowed everyone to join without any form of account activation (either by the user clicking a confirmation link sent to their e-mail or by my client manually approving the account).
- They left their forums open so that anyone, including guests who never log in, can post. This is the default behavior of phpBB. Posting permissions are set per forum in the admin area under Forum Admin -> Permissions; setting each forum to at least Registered stops guests from posting.
- They showed their memberlist to everyone, which makes the site attractive to shady SEO spammers because the memberlist links to each member's homepage, so every spam account is a free outbound link.
- Not keeping phpBB up to date with the latest release. You can't just install it and forget it.
The first two items are handled through the admin area of phpBB. The third is taken care of by editing a couple of phpBB files, and the fourth by updating the site's phpBB code and running the upgrade scripts.
Step 1: hardening the joining process
To make it so that the user has to click a link in their e-mail, or so that the site administrator has to approve the user, go to the admin area and click on Configuration under General Admin on the left. Find the "Enable account activation" setting and set it to either User or Admin. The second step is to turn on the randomly generated image that users must read back during signup: set "Enable Visual Confirmation" to Yes.
After doing the two steps above, new users will have to type the code shown in a randomly generated image PLUS they will have to either confirm by a link in their e-mail (User) or be approved by a board admin (Admin).
Step 2: hiding the memberlist from users who are not logged in
Open /phpBB2/templates/YOURTEMPLATE/overall_header.tpl and find the memberlist link. In the fisubsilversh template it looks like this. Code:
<img src="templates/fisubsilversh/images/arrow.gif" alt="{L_MEMBERLIST}" width="14" height="9" /> <a href="{U_MEMBERLIST}">{L_MEMBERLIST}</a><br />
Before it, add this. Code:
<!-- BEGIN switch_user_logged_in -->
After it, add this. Code:
<!-- END switch_user_logged_in -->
phpBB2 only renders what sits between a BEGIN/END pair when the page code assigns that block, and page_header.php assigns switch_user_logged_in only for logged-in sessions, so guests no longer see the link.
Next, in your phpBB2/memberlist.php file find these lines:
//
// End session management
//
After them add this code:
// Added guard: send anyone who is not logged in to the login page,
// and bring them back to the memberlist after they log in.
if ( !$userdata['session_logged_in'] )
{
    redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
}
The above code makes it so that if someone types the memberlist URL by hand and is not logged in, they are redirected to the login page (and sent back to the memberlist after logging in). Hiding the link in the header alone is not enough, since the page is still one URL away.
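Once both edits are in place, check them the way a spam bot would see the board: as a guest with no cookies. The script below is an added example and is not part of the original post. BASE is a hypothetical forum URL; the header and HTML checks are written as functions that read from stdin so they can be exercised on captured responses without a live board.

```shell
#!/bin/sh
# Added example (not from the original post): verify, as an anonymous visitor,
# that memberlist.php now redirects to login.php and that the header no longer
# links to it. BASE is a hypothetical forum URL; set it to your own board.
set -e

BASE="${BASE:-http://forum.example.com/phpBB2}"

# Reads HTTP response headers on stdin. Succeeds (exit 0) only if the status
# line is a 3xx redirect and a Location header points at login.php with the
# redirect=memberlist.php parameter that the memberlist.php guard produces.
# phpBB2's redirect() sends an absolute URL and append_sid() may tack on
# "&sid=...", so only the tail of the URL is matched.
headers_redirect_to_login() {
    headers=$(cat)
    printf '%s\n' "$headers" | head -n 1 | grep -q ' 30[1-7] ' || return 1
    printf '%s\n' "$headers" | grep -i '^Location:' \
        | grep -q 'login\.php?redirect=memberlist\.php' || return 1
    return 0
}

# Reads an HTML page on stdin. Succeeds if it still contains a link to
# memberlist.php, which a guest should no longer see after the template edit.
body_links_to_memberlist() {
    grep -q 'memberlist\.php'
}

# Runs both checks against a live board (needs curl and network access).
# curl sends no cookies, so the board treats the request as a guest session.
check_board() {
    if curl -s -o /dev/null -D - "$BASE/memberlist.php" | headers_redirect_to_login; then
        echo "OK: memberlist.php redirects guests to login.php"
    else
        echo "FAIL: memberlist.php is still served to guests"
        return 1
    fi
    if curl -s "$BASE/index.php" | body_links_to_memberlist; then
        echo "WARN: index.php still links to memberlist.php for guests"
        echo "      (header not edited for this template, or another template/mod links it)"
    else
        echo "OK: no memberlist link on index.php for guests"
    fi
}

# Uncomment to run against your board:
# check_board
```

The header check deliberately requires both the 3xx status and the login.php Location, so a board that serves a 200 page containing the word "login" does not pass by accident. The second check is only a warning, because the page may legitimately link to memberlist.php from somewhere other than the header you edited.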
Well that’s it for now. I hope you enjoy the tips. Feel free to post comments with your security tips and tricks.
Need help with your phpBB forums? Contact Justin Rains at Portal Planet.
1 comment
Also, go into the admin area and do this:
Under general admin -> configuration
“Enable account activation” set that to admin.
Unfortunately the spammers have too much time on their hands and can figure out how to activate themselves. Now each new signup must be approved by the administrator.