Forum and Blog Safety
Why installing isn't the end of the job.
So you have your PHP/MySQL driven forum, CMS website, e-store, and/or blog up and running. You are feeling pretty good, but the job is not done yet!
Let's go through some basic things important to all dynamically generated content on a website: some dos and don'ts.
- Re-read those install instructions (and act on them). Usually, for safety, there are some steps you need to take after installation, to make sure someone can't easily come along and mess up all your hard work. For instance, with phpBB, this involves removing the install directory from the site, or at least renaming it. Also, some directory permissions must be set to avoid hackers uploading scripts to your site. Failure to do this most basic step almost guarantees you will be pwned very soon.
- Keep it updated. In all complex programs, there are constantly bugs being found that need attention. Some of these bugs are referred to as "'sploits" or "exploits" that hackers can use to get the upper hand and take control of your site. Not what either of us wants to see. So be mindful of updates for your forum, blog, or CMS software. Also be mindful of your server software if it is your responsibility to keep it updated, including any updates for the OS.
- Wrap that rascal! Use a site-wrapping tool like ZB Block. By placing a PHP pre-parser on your site that watches for common attacks, such as MySQL injection, remote file includes, directory traversals, and null variable truncation attempts, you can "shunt" most attacks away before they even reach your sensitive program. Not a replacement for step 2, but today a new exploit on a common PHP script can spread like wildfire, and before you even get notification of it, your site can be compromised.
- Use a service to check registering email addresses and browsers for being known spammers. StopForumSpam is the best I've seen so far, run by the most innovative, and hard working people I know. This is an awesome way to back up the next step in case a human eyeball with bad intent decodes your tricky captcha. (There are banks of people in India who do nothing all day but enter captchas to get bots over the registration hurdle).
- Fiddle with your CAPTCHA. Most spambots will easily register on a forum that has left the captcha in the default setting mode. They do this by optical character recognition, and other little nasty tricks. You need to feed them something they are not expecting, otherwise you will come back to find your board filled with spam and browser exploits! Either mess with the settings, or try our captchas for phpBB. Backscatter is the one we modified for phpBB2, and CASPER is the new project for phpBB3 (currently only a port of Backscatter). Neither has ever been bypassed by a robot yet.
- Always use e-mail confirmation of the registration! Step 4 above is worthless without it. Most spammers can't be bothered to do this step, because they don't want any path of action traceable back to them. The few that do seem to be idiots and easily dealt with.
- Be VIGILANT! Look at all new messages in your forums. Sometimes a spammer will go through hell just to put his bunk on your blog or forum. The reason for this is that a forum not known to have spam is surely going to get their tripe spread a lot faster by Google sucking it into their database. Sadly, for all their hard work, they ofttimes stupidly put it on places like stopforumspam.com. Yes, really, the idiots have posted there!
- Back up everything. And I do mean everything. If you have access to your MySQL database manager, backup your whole schemas. Back those up again from the board/blog software itself. Then back up ALL the files on the board to a drive off site from the server. Be paranoid.
- Keep your schemas apart! (If your scripts play together, some weird perverted demons will rise up and take your machine to the schema world! That was humor, now back to being serious.) If you have direct control of your server, each function on your server (board, blog, guestbook, talkback, page jottings, your calendar application, your email applications, etc.) should have its own schema, and each schema should have only one user, which is the script. No script should have access to more than one database. None should have access to any database with a default name.
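The "one schema, one user" rule above, written out as MySQL statements. This is an added example, not from the original post or from any of the packages it mentions; the database and user names (forum_db, blog_db, forum_app, blog_app) and the passwords are placeholders you would replace with your own.

```sql
-- Added example: one MySQL database and one least-privilege login per application.
-- Names and passwords below are assumed placeholders, not real values.

-- The weak setup this rule warns against: every script shares one all-powerful login
-- that can read and write every database on the server. Shown for contrast only.
-- CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'one-password-for-everything';
-- GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost';

-- Corrected: a separate database per application, each with a non-default name.
CREATE DATABASE forum_db CHARACTER SET utf8mb4;
CREATE DATABASE blog_db  CHARACTER SET utf8mb4;

-- One login per application, and only from the web host itself (not '%').
CREATE USER 'forum_app'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';
CREATE USER 'blog_app'@'localhost'  IDENTIFIED BY 'replace-with-a-different-random-password';

-- Each login gets only the row-level verbs a running site needs, on its own schema
-- and nothing else: no GRANT OPTION, no FILE privilege (blocks INTO OUTFILE / LOAD
-- DATA tricks), and no visibility into the other application's tables.
GRANT SELECT, INSERT, UPDATE, DELETE ON forum_db.* TO 'forum_app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON blog_db.*  TO 'blog_app'@'localhost';

-- Installers and upgrades that need CREATE/ALTER/DROP should run under a separate
-- admin account, then the site goes back to using the limited login in its config file.

-- Check: this must list forum_db only. Logged in as forum_app, a query such as
-- SELECT COUNT(*) FROM blog_db.posts; should fail with "command denied", not return rows.
SHOW GRANTS FOR 'forum_app'@'localhost';
```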
- Beware of untested add-ons. Oh my, yes, even your board can fall victim to a trojan horse. Barring being able to read, decipher, and verify the safety of the add-on's source code, you should at least get it from a trusted site. But even this is no guarantee. I have found even Google Gadgets that have been either hacked, or written with the intent of exploiting the user's browser (usually though they are very quick to remove the offending program). Worse, if you merge a script into your site, and it should have a buried "back door" in it that writes in the creator as a board admin, you can lose everything.
- Be selective in who you get to help run your site. Yes, the last, and one of the most dangerous things to watch out for, is the social engineering hack. Accidentally get the wrong person nestled into your co-admins, and you may never trust someone you have not met again. So be sure you know the person, and have known him/her for a long, long time before you hand them the keys to the palace. It should be someone you trust, and never a girlfriend/boyfriend you haven't known for at least a few years. Better yet, it should be someone you have actual face-time with. Someone who messes you over from halfway around the planet is kinda hard to get your pound of flesh back from. Someone across town can pay the price in many inventive and gruesome ways.
Final words.
I commend you for your willingness to take time out of your life to run a service for the world. I am sure someone will appreciate it. Just remember, hackers and spammers just don't care. To them, you are a hard shelled nut. If they crack you, they get their reward, if they don't, there's always more nuts. Common sense, some good armor, and wise choices can make the difference between an eternal hell of rebuilding your site, and sleeping soundly at night. ~Mike
