4 Ways To Protect Your MyBB Forums

[Cyb3rShot]

1. Rename Admin Directory – 

While there are many best practices recommended for the security of MyBB software, one highly recommend practice is to use a unique URL for MyBB admin rather than using the default URL.

To make it a little more difficult for hackers to attack your MyBB Admin area, changing the admin folder URL is always a best security practice.

To do this, you need to first rename the admin directory to something else and edit the config.php (located at /inc/config.php) and change the following code:

$config[‘admin_dir’] = ‘adminlogin’;

2. .htaccess Protection – 

.htaccess is a configuration file used by the Apache web server. .htaccess rules override global settings for the directory in which the file is placed.

The below snippet will check for somebody’s IP Address. If their IP Address doesn’t match the one that you specify, they will be redirected to your index.

Create an .htaccess file under Admin Directory and add the following into it:

RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^192\.168\.1\.3
RewriteRule .* http://192.168.1.3 [R=301,L]

Note: Make sure that you must write the IP Address which you want to allow for admin access (192.168.1.3) in proper format.

3. Password Protect Admin Directory – 

The basic HTTP Authentication created with .htaccess and .htpasswd files works pretty well on online real server. However implementing them locally on our XAMPP server (on Windows) may be a little problematic.

If you are running MyBB Forums online, then you can easily protect your admin directory by navigating “Password Protect Directories” link under Security Tab.

This method actually adds an additional security to getting access into admin directory.

But If you running MyBB on locally on XAMPP then you need to create first .htpasswd file with the help of CMD as shown below: (/xampp/apache/bin)

Code: htpasswd.exe -c -m -b .htpasswd username password

After that you need to create an .htaccess file in your admin directory and add the following code into it:

AuthName “Secured Members Area”
AuthType Basic
AuthUserFile “C:\xampp\security\.htpasswd”
require valid-user

4. Deny External Access To Config File – 

Sometimes read/write permissions are not enough to protection the config file which actually contains your database information such as username, password, database name etc.

With the help of .htaccess file, you can easily protect your config.php file which redirects to 403 Error page when someone tries to access the file directly from the browser.

Create an .htaccess file under /inc/ directory and copy-paste the following code:

<files config.php>
Order deny,allow
deny from all
</files>

The above code will block external access to config.php file.

Note: Allow and Order are deprecated in Apache 2.4. You should use Require all denied instead.