Security Tips: Difference between revisions From Online Manual

Jump to: navigation, search
No edit summary
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Keep your SMF version up to date and be on the lookout for security updates. You can also heed the following advice.
{{TOC right}}


==Password Security==
Keep your SMF version up-to-date and make sure you install security updates. This is done by [[patching]] your forum.
Be sure to change your passwords often and don't use the same password for everything. You should have different passwords for each of the following.
 
* FTP
The best way to be informed about new SMF versions is to subscribe to the [http://www.simplemachines.org/community/index.php?board=1.0 News and Updates] board at the SMF Community Forum. The most important announcements also appear directly within the [[{{Latest docs}}Administration Center|Administration Center]], in the information panel "Live from Simple Machines".
 
==Password Security for Administrators==
 
Be sure to change your passwords often and do not use the same password for everything. You should have different passwords for each of the following:
 
* [[FTP_-_How_do_I_use_FTP|FTP]]
* Database (MySQL, PostgreSQL, or SQLite)
* Database (MySQL, PostgreSQL, or SQLite)
* PhpMyAdmin
* [[phpMyAdmin]]
* SMF Administrator Account
* SMF Administrator Account


The most important password is the database password. This is the same password you use with PhpMyAdmin or any other database management control panel. This password is stored in the Settings.php file. Don't re-use this password for your FTP or your forum administrator account.
The most important password is the database password. This is the same password you use with phpMyAdmin or any other database management control panel. This password is stored in the ''[[Settings.php]]'' file. Do not re-use this password for your FTP or your forum administrator account.
 
The best passwords:
 
#use letters, numbers, and special characters
#vary in upper and lower case
#do not use dictionary words or common names
#are not easy to guess
#are fairly long
#are something you can remember without needing to write it down
 
You can choose the minimum password strength for your users. The higher the level, the less likely that it will be brute forced.
 
==Additional Security Tips for Your Forum==


===Additional Security Tips for your forum===
*To keep anyone from taking over your forum, make sure your passwords are difficult to guess. You can do this by making sure your passwords do not relate to you (for example, your spouse's name), by mixing capital and lower-case letters with numbers, and by using special characters where applicable.
*To keep anyone from taking over your forum, make sure your passwords are difficult to guess. You can do this by making sure your passwords do not relate to you (i.e. your spouses name), by mixing capital and lowercase letters with numbers, and by using special characters where applicable.
*Frequently [[Backup|back up]] your database and FTP files and make sure you understand how to restore these backups.
*Frequently backup your database and FTP files and make sure you understand how to restore these backups.
*Delete temporary files such as ''install.php'', converters and recovery tools.
*Delete temporary files such as install.php, converters, recovery tools, etc.
*Frequently check your error log for any suspicious or unusual errors.
*Frequently check your error log for any suspicious or unusual errors
*Delete any login failures made by administrators from the error log.
*Delete any login failures made by administrators from the error log.


===Additional Security Tips to protect your users===
==Additional Security Tips to Protect Your Users==
*Do not allow guests to upload executable files (extensions .php, .js..., etc.) -- guests could upload things you don't want on your forum.
*Do not allow .exe or Flash files to be uploaded or displayed -- you don't want users to upload malware and persuade other users to download and open/execute it.


====Backups with tilde (~)====
*Do not allow guests to upload files -- guests could upload things you do not want on your forum.
Whenever some file is modified (by the mod operation for example) SMF creates a backup of it with a tilde (~). For example if some mod has modified index.template.php, SMF will create this file: index.template.php~. Notice that those files can be accessed through the browser, so it can be a possible vulnerability. To prevent these you can either disable this option in [[Administration Center]] or you can periodically delete them.  
*Do not allow Flash files to be uploaded or displayed -- you do not want users to upload malware and persuade other users to download and open/execute it.


==Backups with Tilde (~)==


{{As an administrator}}
Whenever some file is modified (by a [[Modification|mod]] operation for example) SMF creates a backup of it with a tilde (~). For example, if some mod has modified ''index.template.php'', SMF will create this file: ''index.template.php'''~'''''. Notice that these files can be accessed through the browser, so it can be a possible vulnerability. To prevent that, you can either disable this option in the [[Administration Center]] or you can periodically delete them.
{{ {{Localized|As an administrator}}}}

Latest revision as of 23:40, 23 April 2015

Keep your SMF version up-to-date and make sure you install security updates. This is done by patching your forum.

The best way to be informed about new SMF versions is to subscribe to the News and Updates board at the SMF Community Forum. The most important announcements also appear directly within the Administration Center, in the information panel "Live from Simple Machines".

Password Security for Administrators

Be sure to change your passwords often and do not use the same password for everything. You should have different passwords for each of the following:

  • FTP
  • Database (MySQL, PostgreSQL, or SQLite)
  • phpMyAdmin
  • SMF Administrator Account

The most important password is the database password. This is the same password you use with phpMyAdmin or any other database management control panel. This password is stored in the Settings.php file. Do not re-use this password for your FTP or your forum administrator account.

The best passwords:

  1. use letters, numbers, and special characters
  2. vary in upper and lower case
  3. do not use dictionary words or common names
  4. are not easy to guess
  5. are fairly long
  6. are something you can remember without needing to write it down

You can choose the minimum password strength for your users. The higher the level, the less likely that it will be brute forced.

Additional Security Tips for Your Forum

  • To keep anyone from taking over your forum, make sure your passwords are difficult to guess. You can do this by making sure your passwords do not relate to you (for example, your spouse's name), by mixing capital and lower-case letters with numbers, and by using special characters where applicable.
  • Frequently back up your database and FTP files and make sure you understand how to restore these backups.
  • Delete temporary files such as install.php, converters and recovery tools.
  • Frequently check your error log for any suspicious or unusual errors.
  • Delete any login failures made by administrators from the error log.

Additional Security Tips to Protect Your Users

  • Do not allow guests to upload files -- guests could upload things you do not want on your forum.
  • Do not allow Flash files to be uploaded or displayed -- you do not want users to upload malware and persuade other users to download and open/execute it.

Backups with Tilde (~)

Whenever some file is modified (by a mod operation for example) SMF creates a backup of it with a tilde (~). For example, if some mod has modified index.template.php, SMF will create this file: index.template.php~. Notice that these files can be accessed through the browser, so it can be a possible vulnerability. To prevent that, you can either disable this option in the Administration Center or you can periodically delete them.

Main

Configuration

Forum

Members

Maintenance

Miscellaneous




Advertisement: