How to secure your Xenforo forum

Secure Xenforo

    crash_king
    Compatible XF Versions:
    • 1.0
    • 1.1
    • 1.2
    • 1.3
    • 1.4
    • 1.5
    This tutorial will show you how to secure your XF forum.
    Please don't forget to like it if you think it's a good topic.
    Every tip is important for the security of your XenForo forum.

    1) Always run the latest version of XenForo.

    2) Put a .htaccess file inside your library folder to protect it, and put this in the .htaccess:

    Code:
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
    Order allow,deny
    Deny from all
    </Files>
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    3) If you're the owner of the website, please use different passwords for your:
    1. FTP
    2. Forum login
    3. cPanel access
    If you want to generate a password, try this website:
    Code:
    http://strongpasswordgenerator.com/
    And if you want to see how strong your password is, go to this website:
    Code:
    https://howsecureismypassword.net/
    4) Put a .htaccess file in your root directory. Normally there is already one (htaccess.txt); rename it to .htaccess. If not, create one and put this inside:

    Code:
    #THIS IS NOT IN THE DEFAULT XF HTACCESS, PLEASE ADD IT
    #    Disable directory listings.
    Options -Indexes
    
    #NO NEED TO ADD THIS IF YOU ARE ALREADY USING THE XF HTACCESS DEFAULT FILE
    #    Mod_security can interfere with uploading of content such as attachments. If you
    #    cannot attach files, remove the "#" from the lines below.
    #<IfModule mod_security.c>
    #    SecFilterEngine Off
    #    SecFilterScanPOST Off
    #</IfModule>
    
    ErrorDocument 401 default
    ErrorDocument 403 default
    ErrorDocument 404 default
    ErrorDocument 500 default
    
    <IfModule mod_rewrite.c>
        RewriteEngine On
        #THIS IS NOT IN THE DEFAULT XF HTACCESS, PLEASE ADD IT
        Options -MultiViews
    
        #THIS IS NOT IN THE DEFAULT XF HTACCESS, PLEASE ADD IT
        #    Hotlink protection. It must come BEFORE the XenForo rules below: those rules
        #    stop processing ([L]) for every existing file, so an image request would never
        #    reach it if it were placed after them. Images are only redirected when a
        #    referer is present and it is not your own site (http or https, with or without www).
        RewriteCond %{HTTP_REFERER} !^$
        RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
        RewriteRule \.(jpg|jpeg|gif|png|bmp)$ http://yourwebsite.com/ [R,NC,L]
    
        #    If you are having problems with the rewrite rules, remove the "#" from the
        #    line that begins "RewriteBase" below. You will also have to change the path
        #    of the rewrite to reflect the path to your XenForo installation.
        #RewriteBase /xenforo
    
        #    This line may be needed to enable WebDAV editing with PHP as a CGI.
        #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>
    Please change yourwebsite.com (in both the RewriteCond and the RewriteRule) to your website's domain.

    5) DELETE your "install" folder

    6) Check that your XenForo files are chmod 0644 (some on 0755) and never 0777.

    7) Try not to install unimportant add-ons; only install add-ons that are important for the community. Or write your own code to do what you want instead of using add-ons.

    8) Never allow HTML in posts/messages.

    9) Always scan your PC for viruses, etc.

    10) If you suspect an attack from hackers, change the passwords of your forum/FTP/cPanel accounts.

    11) Regularly back up your forum to your PC.

    12) For DDoS protection, see more here:
    Code:
    http://www.cloudflare.com/
    Or here:

    Code:
    http://www.incapsula.com/
    13) If you want SQL (MySQL) injection protection, see more here:

    Code:
    http://www.crawltrack.fr/crawlprotect/
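Tips 2, 4, 5 and 6 above can be checked automatically. The following POSIX shell function is an added example, not part of crash_king's post; the function name and the forum path it takes as an argument are assumptions.

```shell
#!/bin/sh
# Audit a XenForo root directory against tips 2, 4, 5 and 6.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# (Added example; "xf_audit" and the path argument are assumed names.)
xf_audit() {
  root="$1"
  status=0

  # Tip 5: the install folder must be deleted after setup.
  if [ -d "$root/install" ]; then
    echo "FAIL: $root/install still exists (tip 5)"
    status=1
  fi

  # Tip 2: library/ must carry a .htaccess that denies direct access.
  if [ ! -f "$root/library/.htaccess" ]; then
    echo "FAIL: $root/library/.htaccess is missing (tip 2)"
    status=1
  elif ! grep -qi 'deny from all' "$root/library/.htaccess"; then
    echo "FAIL: $root/library/.htaccess does not contain 'Deny from all' (tip 2)"
    status=1
  fi

  # Tip 6: nothing may be world-writable (0777, 0666, ...); -perm -002 tests
  # the "other write" bit; symlinks are skipped. Only the first 20 are listed.
  ww=$(find "$root" -perm -002 ! -type l | head -n 20)
  if [ -n "$ww" ]; then
    echo "FAIL: world-writable entries found (tip 6):"
    echo "$ww" | sed 's/^/  /'
    status=1
  fi

  # Tip 4: directory listings should be disabled in the root .htaccess
  # (a warning only, since a server-level config may already do this).
  if ! grep -q 'Options -Indexes' "$root/.htaccess" 2>/dev/null; then
    echo "WARN: 'Options -Indexes' not found in $root/.htaccess (tip 4)"
  fi

  return $status
}

# Usage: sh xf_audit.sh /path/to/forum
if [ "$#" -ge 1 ]; then
  xf_audit "$1"
fi
```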

Recent Reviews

  braymen, 5/5: the best thnx
  bobisback, 5/5: Good Info ;D
  4/5: good
  Andro, 5/5: great