phpBB3 Security Tutorial

How to improve the security of your phpBB3 board

In this tutorial we'll make some suggestions on how to harden phpBB3 and make your board less vulnerable.

Update

Update your board when there's a new phpBB3 version. Upgrades make different improvements, including in terms of security. You can check for new updates from the administration control panel of your board. The process is automatic and if there's a new version you should be informed with a text on a red background at the top of the page.

However, if you want to, you can re-check just in case. To do this, click on the System tab and then on the Check for updates link on the left. In case you need help to update your phpBB3 board, check out the tutorial on updating phpBB3 using the automatic updater, or the tutorial on updating phpBB3 via SSH, if you want to do it through SSH.

Backup

This is something general that's always worth reminding: make regular backups of your phpBB3 files and of the database used by the application. In case something happens to your board and you lose some valuable content, you'll be able to restore it using the most recent, undamaged backup. It's also a good idea to keep several backups from different dates. If you need more information on how to make a backup, read the tutorial on backing up your site.

Administrator Password

As an administrator make sure your password is long and complex enough. Preferably, it should be over 8 characters long and should consist of upper and lower case letters, numbers, and symbols (e.g. H5f&p:7D<q). Don't use dictionary words but a random string of characters. This will ensure that the password is more difficult to crack with brute force (guessing). Don't use the same password for different things (e.g. FTP accounts, database passwords).

You can change your password (and that of any user) from the administration control panel. On the General page click on the Manage users link, type your admin name in the field for Find a member and click on Submit. On the page with the settings that opens just type your new password in the fields for New password and Confirm password, and click on Submit. It's not a bad idea to change your password periodically.

User Password and Registration

There are also some settings that you can configure from the administration control panel to make sure that the accounts of your users are better protected and more difficult to hack. From the User registration settings (General tab>User registration settings) you can change the password length and its complexity.

By default, the minimum password characters are set to six, and there are no requirements in terms of complexity. You can increase the minimum password characters to eight or ten, for example, and increase the password complexity by requiring those who register to include numbers, symbols, and mixed case letters in their passwords. This will make the passwords of your users more difficult to guess. Note that if you select Must contain symbols from the Password complexity drop-down menu, the password will have the highest level of complexity, meaning that it also must contain letters in mixed case and numbers.

From the same page of the administration panel you can also change the account activation settings. By default, no activation is required, meaning that after users register they can access their accounts immediately. It's a good idea to set the account activation to be performed by the user. This will ensure that the user has a valid email address. This is more of an anti-spam measure, which will help prevent bots from registering on your board. There are also other anti-spam measures that you can take; for some more information read the tutorial on stopping spam in phpBB3.

User Registration Settings

If you change the required password length and complexity, these requirements won't affect registered users who are already members of your board.

From the user registration settings you can also force password changes, so that after a certain period of time registered users have to change their passwords.

Other Security Settings

There are some other security settings that you can change from the administration control panel (General tab>Security settings):

Security Settings

For example, you can set the session to be validated using the whole IP address of the user. The default is to use the first three blocks of the IP address. You can also enable the checking of the IP address against a DNS Blackhole List (it's disabled by default). You can also change the maximum number of login attempts per username and per IP address before CAPTCHA (visual confirmation) is triggered. The default attempts per username are three, and per IP address they are fifty. In this way you can make it more difficult for people and computers trying to guess the passwords of registered users, or of bots attempting to register.

Block Access to Admin Directory

You can add an additional layer of defense to the admin directory, and respectively to the administration control panel, by blocking the access to it for all IP addresses except yours. The administrator directory is called adm and it's located in the root phpBB3 folder on your hosting account.

For example, if your board is installed in a folder called phpbb3 in the root public_html directory on your account, the path to the admin directory would be public_html/phpbb3/adm. You can block the access to this directory by putting some rules in an .htaccess, which itself should located in the directory you want to protect.

By default, there's no .htaccess file in the adm directory, so you'll have to create it first. To learn how to do it and what rules you have to put in the file, read the article on protecting directories by blocking IP addresses.

Rename Admin Directory

Another thing you can do with the admin directory is to rename it from the default adm to something else. Needless to say, everyone who has used phpBB3 knows that the admin directory is named adm by default. You can rename it to something more obscure that's difficult for other people to guess. In this way you can change the path, and the URL address respectively, to the administration control panel.

To rename the adm directory, you just have to change its name and to change the link to it in the functions.php file. For some more details on how to do it read the article on renaming the phpBB3 admin directory.

If you install MODs with AutoMOD and files in the admin directory have to be modified, AutoMOD won't succeed in modifying these files because the adm directory has another name. In this case you can either modify the files in the admin directory manually, or you can rename the directory back to adm before the installation, and after that you can rename it again. Of course, this concerns only MODs that require modifications to be made to the files in the admin directory.

Disable Dangerous PHP Functions

There are PHP functions that you don't need for your board and that people can use to do damage to it. Such functions can be disabled by putting some rules in the php.ini file for your account. The rule that can be inserted in php.ini with some example functions to be disabled looks like this:

disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen

If you are a HostKnox client, you can ask our support team to perform this for you by submitting a ticket through the Support Portal.

Database

There are some things worth mentioning when it comes to the MySQL database used by your phpBB3 application. It's advisable to keep each application in a separate database. Each application, including phpBB3, should be in its own database. In this way if something happens to one of your databases, only one application will be damaged.

Also for security reasons it's recommended to create a different user with a different password for each database. Don't use the same password for all your databases.

When you make a new phpBB3 installation, change the default phpbb_ database prefix. By default, the database prefix is phpbb_, and if you don't change it, that's what the database prefix for your phpBB3 board will be. You can change the prefix during the installation process, at the step where you have to configure the database settings.

File Permissions

Check the file and folder permissions of your phpBB3. Usually, files should have permissions of 644 (rw-r--r--) and folders of 755 (rwxr-xr-x). Make sure there are no world-writable permissions (e.g. 777, 666). HostKnox clients can use the Fix Incorrect Permissions feature of the Files section of the Pixie control panel. Just click on the Fix Incorrect Permissions link on the right and it will check the files. If there are any world-writable permissions it will fix the world-writable bit.

A possible exception is the folder where users can upload their avatars (e.g. public_html/phpbb3/images/avatars/upload). It's permissions by default are 777. If it's not world-writable, users may not be able to upload their avatars.

You can also fix permissions yourself with an FTP client, for example. To learn how to do it and to learn more about file permissions, read the tutorial on file permissions and how to change them.