Top 3 Reasons a Forum gets Hacked

Discussion in 'Member Articles & Tutorials' started by Wayne Luke, Jun 6, 2009.

  1. Wayne Luke

    Wayne Luke Regular Member

    The three top reasons forums get hacked:
    1. Lack of Security
    2. Faulty Software
    3. Compromised Server.
    Security
    Security for a site starts in the chair in front of the monitor. If you are not proactive about security then you will have problems. Security should always be handled by first removing all permissions unless absolutely necessary and then only giving permissions as needed.

    This starts with your local computer. If friends use your computer then create a guest account and only allow what they would need to use. Don’t let them use your account. Make sure you have the latest security applications and protocols in place on your computer regardless of the OS. When making a connection to your web server, you need to make sure it is as secure as possible and you use an account with only the permissions required. Logging into SSH via a root account is foolish. You need to use a wheel group to get super user access. Same for email, FTP, or any other protocol.

    Once you are connected to your server, you need to make sure your forum follows the same policies. If your moderators don’t need delete permission then don’t give it to them. The barest minimum of permissions to get the job done.

    Passwords should be unique and gibberish. They should be 14-20 characters long. If you cannot remember your passwords then use a tool like KeePass to store them on a removable flash drive that you can take with you. Here is a suitable password:
    lksad@!rj39#W04uri5

    Make sure that critical areas are secure. Do not rely on the software layer to protect your investment. Make sure permissions are at the barest minimum to work and that people do not have access to folders they don’t need access to. Move your configuration files above the web root so they are not accessible. Turn off directory indexing, error reports and other notices. Don’t display version numbers if at all possible.
    When installing addons or hacks, have them reviewed for potential vulnerabilities. Most hacks are called that because they are copied and pasted bits of information put together by people with no real programming experience. They just want something that works.


    Software Flaws
    Make sure your software is always up to date. This not only includes your forum software but the webserver, PHP, MySQL, your Operating System, any utilities you use, etc… If you’re running Windows then make sure your security software is up to date. Updating daily is a good idea. A flaw in anything can cause issues. The Gumblar virus is an example of what can happen with faulty software. When is the last time you updated Adobe Reader?

    Make sure your software works together. Mismatched versions of software can introduce vulnerabilities.


    Server Compromises
    Least case scenario. If you’re on a shared server you’re at the mercy of every single site owner on that server for maximum security. This means that you should operate as if there is no security whatsoever. Sad but true. I bet in an apartment building with 30 units, 2 people never lock their doors and 6 more use passwords that are 8 digits long and a variant of their name, the word password, their birthday or their dog’s name. You cannot rely on others to be secure. There are 300-400 websites on that server. There are probably 80 exposing you to security risks.

    Ask your hosting provider what their security measures are and how they are implemented. Make sure they follow them.

    To ward off the hackers, you need to be secure and confident in your security measures. You need to learn as much as you can about your systems and how they are protected. Otherwise you will be at risk. This doesn’t mean you’ll be attacked but you’ll be at risk.


    By Wayne Luke of vBCodex.com

    This post has been promoted to an article
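
Added example, not part of Wayne Luke's post: a small checker for the settings the article singles out (direct root SSH login, directory indexing, error display, version banners). It assumes OpenSSH, PHP and Apache httpd; the sample configs are constructed, and only explicitly set directives are reported, not compiled-in defaults.

```python
import re

# Constructed sample configs (not from the post). Directive names are real
# sshd_config / php.ini / Apache httpd settings; Apache is an assumption.
SAMPLE_SSHD = "#PermitRootLogin prohibit-password\nPermitRootLogin yes\n"
SAMPLE_PHP = "display_errors = On\nexpose_php = Off\nlog_errors = On\n"
SAMPLE_HTTPD = ("ServerTokens Full\nServerSignature Off\n"
                '<Directory "/var/www/forum">\n'
                "    Options Indexes FollowSymLinks\n</Directory>\n")

def _on(value):
    return value.lower() in ("on", "1", "true", "yes", "stdout", "stderr")

def _indexes(value):
    # "Indexes", "+Indexes" or "All" enable automatic directory listings.
    return any(t.lower() in ("indexes", "+indexes", "all") for t in value.split())

# kind -> list of (directive regex, "is this value weak?" predicate, advice)
RULES = {
    "sshd_config": [
        (r"PermitRootLogin\s+(\S+)", lambda v: v.lower() != "no",
         "disable direct root login; use a normal account and escalate"),
    ],
    "php.ini": [
        (r"display_errors\s*=\s*([^\s;]+)", _on, "turn off error display"),
        (r"expose_php\s*=\s*([^\s;]+)", _on, "stop advertising the PHP version"),
    ],
    "httpd.conf": [
        (r"Options\s+(.+)", _indexes, "turn off directory indexing"),
        (r"ServerTokens\s+(\S+)", lambda v: v.lower() not in ("prod", "productonly"),
         "hide the server version in response headers"),
        (r"ServerSignature\s+(\S+)", lambda v: v.lower() != "off",
         "hide the server version on generated pages"),
    ],
}

def audit(kind, text):
    """Return (line number, line, advice) for each explicitly set weak directive."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for pattern, is_weak, advice in RULES[kind]:
            match = re.match(r"\s*" + pattern, line, re.IGNORECASE)
            if match and is_weak(match.group(1).strip().strip("\"'")):
                findings.append((number, line.strip(), advice))
    return findings

if __name__ == "__main__":
    for kind, text in (("sshd_config", SAMPLE_SSHD), ("php.ini", SAMPLE_PHP), ("httpd.conf", SAMPLE_HTTPD)):
        for number, line, advice in audit(kind, text):
            print(f"{kind}:{number}: {line} -> {advice}")
```
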
     
  2. Soliloquy

    Soliloquy Regular Member

    This was a classic, informative post. Thanks Wayne Luke!
     
  3. Chris

    Chris Regular Member

    Indeed. Very nice, Wayne. :thumbup:
     
  4. Wayne Luke

    Wayne Luke Regular Member

    Kind of spur of the moment as I was just writing an answer to a post. A few years ago, I wrote documentation for security in the vBulletin Manual. While focused on vBulletin, the concepts and ideas in the documentation can be applied to a large variety of web systems. If you want to look at it see here:
    vBulletin Manual

    Thanks for the compliments. They are appreciated.
     
  5. Nick

    Nick Regular Member

    Wayne, to be honest, a lot of your spur-of-the-moment posts are of article-quality. Not too many people have that talent. ;)
     
  6. GCSkye

    GCSkye Novice

    I'm starting to notice that myself.

    Seems the only thing that was left out was putting a bullseye on your own back. Avoiding negative confrontation when possible with others is a must.
     
  7. Tyler

    Tyler The Badministrator

    It's true, Wayne. :)

    This was no different - great read. Thanks for the submission. ;)
     
  8. Soliloquy

    Soliloquy Regular Member

    This is true; if you act like a jerk online, someone eventually is going to try to return the favor. (Though the couple of times I've had my forum hacked it was from not updating in a timely fashion; they find you through search engines and hack thousands of forums at once)
     
  9. Green Cat

    Green Cat Adept

    Very good article Wayne ;).
    Never got any of my forums or sites hacked though.
     
  10. Bandit

    Bandit Addict

    Very Informative Article. Thanx.
     
  11. MomCafe

    MomCafe Adept

    I agree, the times I have been hacked were when I didn't update when I was supposed to or had a program such as Joomla running where they could access my site through the poor security type of program.
     
  12. Tyler

    Tyler The Badministrator

    Ouch! :killpc2:
     