How to Improve PhpBB Security

Security Tips for Your PHPBB Forum

The new branch of PHPBB - PHPBB 3 is quite secure. After some major security flaws in PHPBB 2 the PHPBB developers have paid great attention to the security of their product's new branch - PHPBB 3. According to the script's changelog and the users' reports there have been just several minor security issues. They have been resolved quite fast.

Still, in this article we will list useful practices that will additionally improve the security of your PHPBB 3 forum.

  • Keep your software up--to-date

    This rule is valid for all the applications that you use. Keep your local computer software (OS, anti-virus program, firewall, web browsers, etc.) and web applications (scripts, extensions, components, modules,plugins) upgraded to the corresponding latest stable versions.

  • Custom Database tables prefix

    A wise solution is to set a custom database tables prefix during the PHPBB 3 installation. If your hosting provider supports an auto-installer like Softaculous just enter the new value in the "Table Prefix" field. The manual phpBB3 installation also allows to enter the chosen table prefix in the "Prefix for tables in database:" field.

    The change of the tables prefix in an existing phpBB 3 installation is more difficult. First, you should edit the config.php file and replace the new prefix in the following field:

    $table_prefix = 'phpbb_';

    If you have custom modules integrated in your forum check whether they have additional configuration files. You might need to complete the same change in them.

    Next, you should rename all the tables in the database. You can run the queries through a tool like phpMyAdmin.

    The query for each table should be:

    RENAME TABLE phpbb_table_name TO newprefix_table_name;

    where you should enter the correct table name and the chosen new prefix.

  • Additional admin login page

    To add a new layer of security to your admin login functionality you should password protect the admin folder. In PHPBB 3 the default admin folder is called "adm". Usually the hosting providers have a password protection tool embedded in their control panels. If your hosting provider uses cPanel you can password protect the folder through the [url=http://www.siteground.com/tutorials/cpanel/pass_protected_directories.htm]Password Protect Directories[/url] tool. The tool will create a .htaccess file under the "adm" folder. Make sure that the used password is different from the one set during the initial PHPBB 3 installation

    Always use strong passwords that contain random sequence of letters, numbers and special characters.

  • Restrict the admin folder access

    If you are using a computer with static IP to access your forum you can restrict the access to the admin area. Enter the code listed below in the .htaccess file under the "adm" folder. It will allow access only from your local computer.

    Order Deny,Allow
    Deny from all
    Allow from 123.123.123.123

    Instead of 123.123.123.123 use your IP. It can be checked at: http://whatismyipaddress.com/

    The file can be edited either with FTP or with cPanel->File Manager. You can add more IPs to the list, separated with blank spaces.

  • Backup your forum

    Often, keeping backups of your script will allow you fast and easy to restore the stable functionality of your web site. It does not matter if the script has been compromised by hackers or it has been broken by a custom code modification performed from your end. The backup restore will bring the web site to its normal state. Usually the hosting providers create daily or weekly backups of your account. Still, you can additionally take care of this task. Detailed instructions can be found in this knowledge base article.

  • Enhance the users registration

    PHPBB 3 has some useful options which will stop most of the malicious users' registrations attempts. Open your forum's admin area and load the "User registration settings" section.

    For the "Account activation" option pick "By user (email verification)". During the registration the user will have to provide a valid e-mail account and approve the registration through a confirmation link message delivered to it.

    For "Password complexity" select "Must contain symbols". In this way the user will have to enter letters, numbers and symbols in the chosen password.

    Leave the default values of the other options.

Forums that follow the above-mentioned tips experience 80% less security problems. If despite the measures taken, your forum gets hacked, you should contact your host for assistance and try to get more specific security tips from the community via the discussions boards.

PhpBB hosting by SiteGround includes:

When hosted by SiteGround your forum is faster and more secure!

  • Free phpBB Installation
  • Free Domain Name
  • Expert 24/7 Forum Support
  • Special Security Hardening
  • FREE Daily Backup
  • FREE CDN service
Get PhpBB Hosting