vBulletin Security Overview and Best Practices
Some helpful tips on securing your vBulletin forum.
Published by ForumMonkeys
06-17-2008

While the methods of exploiting forum software may seem limited only by the imagination, vBulletin has robust security features that protect it from malicious intent and exploitation on many levels, from registration to logout. For the uninitiated, vBulletin is a commercial juggernaut in its niche and they have always invested ample time and resources in ensuring their product runs securely. The only responsibility they leave to their customer is keeping the software updated and being aware of the security risks involved in migrating away from their default settings.

What follows is an overview of the native security and anti-spam features every forum owner should be familiar with, together with recommended settings.

Registration:

Registration is usually the first point of entry for malicious users: spammers, spambots, and people who want a valid member account so they can plant HTML redirects (a meta refresh or similar page redirect, usually in a signature or profile, that loads their website or script). Spammers are humans who trawl the web and post links to their websites or services to build exposure and backlinks. Because they are human, no automated check will keep them out, but their posts are usually noticed or reported quickly by the user base so that moderators or administrators can delete them.

Spambots, on the other hand, can be stopped, which is fortunate because they account for the vast majority of spam posts on insecure forums. Aside from third-party plugins, vBulletin has a few features that, used together, bring robot-generated spam to nil or thereabouts.

First, and most obvious to first-time forum owners, is the CAPTCHA and reCAPTCHA implementation: a new user must read a randomly generated image, discern the letters and numbers in it, and enter them correctly before registering. The problem is that "high-end" spamming software can now solve these verification images too. For that reason, add a custom profile field, required at registration, that asks a question only a human can answer and validates the answer with a regular expression. For example, the registrant is asked "What is the color of milk?" Even a small child can answer correctly and register, whereas a spambot cannot unless it has been pre-programmed with both the question and the answer. That last clause is the weak point: once a spam operator adds your question and answer to their database the check is worthless, so prefer a question specific to your forum's topic over a widely copied one, and change it when bot registrations start getting through.

Although vBulletin 3.7 lets you set Q&A challenges in the Human Verification Manager, this author recommends keeping CAPTCHA or reCAPTCHA and adding the regular-expression field as well. Best of both worlds.
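The pattern below is an added example, not part of the original article or of vBulletin, of what to enter in the custom profile field's regular-expression option for the milk question, with a small shell check that shows why anchoring matters. It assumes vBulletin hands the field value to a PCRE match; whether vBulletin adds a case-insensitive flag is not verified here, so the pattern spells out the cases it accepts itself, and the sample answers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): a human-only registration question
# validated by a regular expression, and why the pattern must be anchored.
# Assumption: vBulletin applies the pattern with PCRE; case handling is not
# verified, so the accepted spellings are written out explicitly.
set -u

# Accepts "white" or "White" with surrounding whitespace and nothing else.
# [[:space:]] means the same thing in PCRE (vBulletin) and POSIX ERE (grep -E).
MILK_PATTERN='^[[:space:]]*[Ww]hite[[:space:]]*$'

# A tempting but wrong pattern: unanchored, so any answer that merely
# contains the word passes, including a spam blurb that happens to mention it.
MILK_PATTERN_LOOSE='[Ww]hite'

# answer_matches PATTERN ANSWER -> 0 if ANSWER would pass the field check
answer_matches() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# Run both patterns over a few constructed answers and print the verdicts.
demo() {
    for a in 'white' ' White ' 'WHITE' 'whitewash' 'it is white, buy pills'; do
        if answer_matches "$MILK_PATTERN" "$a"; then strict=pass; else strict=reject; fi
        if answer_matches "$MILK_PATTERN_LOOSE" "$a"; then loose=pass; else loose=reject; fi
        printf '%-26s strict=%-7s loose=%s\n' "'$a'" "$strict" "$loose"
    done
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the two patterns side by side; the all-caps answer is rejected by the strict pattern, which is a reminder that the field is exactly as tolerant as the pattern you write, no more. If testing shows vBulletin matches case-insensitively, the character class can be reduced to plain `white`.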

Here, you might also want to set some illegal usernames. For example, you would not want a username containing profanity, or one that impersonates staff, to be registered. Further reading on protecting against spam can be found here:

Fighting Spam with vBulletin - ForumMonkeys

Anti-Spam Redux:

vBulletin 3.7 includes new anti-spam functionality under vBulletin Options -> Spam Management, such as an Akismet (a popular third-party spam filter) implementation, and useful manual tools such as the Delete As Spam option in the post moderation drop-down, which lets you delete the spammer's post, optionally every other post by the same member, and ban the spammer, all in one go. Talk about a time saver.

Forum Permission System:

The forum permission system has features that limit what a user can do on your forum, which is a security necessity. For example, you can allow only certain usergroups (Registered Members, Moderators, or a custom group) to submit certain content, and along the same lines allow only registered members to upload attachments. At the forum level you can (and should) prevent members from using HTML, require moderator approval for every uploaded attachment, and disable BBCode or embedded images (IMG tags) where they are not needed.

Censored Words:

Every public forum that hopes to seem respectable will censor certain words, profanity being the obvious case. Less obvious candidates are the names of competitors.

Config.php:

Additional permissions and safeguards are set in includes/config.php rather than in the AdminCP, so they cannot be changed by someone who merely obtains an administrator login. The SpecialUsers block lists, by user ID, which accounts are undeletable and unalterable (undeletableusers), which are super administrators (superadministrators), and which may view or prune the admin log and run raw SQL queries from the AdminCP (canviewadminlog, canpruneadminlog, canrunqueries). Protect key accounts, such as the administrator account, here, and keep the query-running list empty unless you are actively using it.

Flood Checks:

vBulletin has flood checks, turned on by default, that stop a user from producing too much data too fast. These cover email floods (if email is enabled, which it should not be, users can send email to other users through vBulletin), search floods (vBulletin Options, "Minimum Time Between Searches"; searching is server-intensive), post floods, and so on.

Content Moderation:

All content should be moderated to some extent. Most forum owners elevate particularly active and helpful members to moderator status. By adding them to the pre-configured usergroup, they are given extra powers, such as the ability to edit and delete other members' posts. This way members police members, leaving forum owners to their own devices. Owners who want to be more proactive can have themselves or their moderators notified by email as soon as there is ANY new post, or even set the entire forum to moderated status, which requires every post to be approved before the public can see it. The whole premise of a forum is the interaction between its members, so limiting that interaction with moderated forums is usually a bad idea and should be used only when necessary.

File System:

The file system must have the right permissions. A forum administrator who sets every folder to CHMOD 777 has just allowed every other account on the host (on shared hosting, every other customer) to modify the forum's files and read its configuration file, and thus handed any old Joe unfettered access to the forum's database. Note that the usual 644 on includes/config.php still lets any local account read the database password: if your hosting arrangement allows it, make config.php readable only by the user PHP runs as. Be careful what you CHMOD, and check again every so often. Generally speaking, folders at 755 and files at 644 are fine, except for the directories vBulletin must write to (attachments, customavatars, customprofilepics), which need to be writable by the PHP user; give them the right owner or group rather than 777.
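The script below is an added example, not from the article or from vBulletin, that audits a forum tree for the permission mistakes just described and applies the 755/644 baseline with config.php locked to its owner. It assumes the forum root is passed as an argument and that PHP runs as the user who owns the files (suPHP or FastCGI style); under mod_php running as www-data with a different file owner, use 640 with www-data's group on config.php instead, and fix the writable directories with ownership rather than mode bits. The temporary tree used to exercise it is constructed, not a real installation.

```shell
#!/bin/sh
# Added example (not from the article): audit and repair file modes under a
# vBulletin forum root. Assumptions: forum root passed as an argument; PHP
# runs as the file owner, so includes/config.php can be 0600. Under mod_php
# with a different owner, use 0640 plus the web server's group instead, and
# the directories vBulletin writes to (attachments, customavatars,
# customprofilepics) must be writable by that user: fix with ownership or
# group membership, never with 777.
set -u

# Print every path that is group- or world-writable, plus a config.php that
# anyone on the host could read. Empty output means the tree is clean.
list_bad_modes() {
    root=$1
    find "$root" \( -perm -g+w -o -perm -o+w \) -print
    find "$root" -name config.php -perm -o+r -print
}

# audit_modes ROOT -> 0 if clean, 1 (findings on stdout) otherwise
audit_modes() {
    bad=$(list_bad_modes "$1")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_modes ROOT: apply the article's baseline (dirs 755, files 644) and
# restrict config.php, which holds the database password, to its owner.
fix_modes() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/includes/config.php" ]; then
        chmod 600 "$root/includes/config.php"
    fi
}

# Usage: vb-modes.sh --audit /var/www/forum   or   vb-modes.sh --fix /var/www/forum
if [ "${1:-}" = "--audit" ]; then
    audit_modes "$2"
elif [ "${1:-}" = "--fix" ]; then
    fix_modes "$2" && audit_modes "$2"
fi
```

Run the audit from cron as well as after every upgrade; a re-uploaded release or a plugin installer that "helpfully" opens permissions is exactly the regression this catches.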

Contingency Plan:

Every forum should have a cron job or similar that backs up the forum database every N days. Databases have been known to become corrupt, rare as it is, and then there are malicious users and accident-prone administrators who clicked the wrong candy-red button and blew the works to smithereens despite the best intentions. If you are backing up to the file system, make sure the dump is saved outside the web root directory: a dump inside it is a downloadable copy of every password hash and private message. Keep a copy off the server as well, and restore a backup into a test database now and then to be sure it actually works.
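The following cron-driven dump script is an added example, not from the article or from vBulletin. It refuses to write a dump anywhere under the web root, keeps dumps owner-readable, and prunes old ones. It assumes the MySQL credentials live in the cron user's client option file (~/.my.cnf, mode 600) so no password appears on the command line or in cron mail, and it lets MYSQLDUMP be pointed at a stand-in command so the logic can be exercised without a database server; the paths in the cron line are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): nightly vBulletin database dump
# kept outside the web root. Assumptions: MySQL credentials in ~/.my.cnf
# (mode 600) for the cron user; MYSQLDUMP overridable for testing; the
# cron paths below are placeholders.
set -u

# path_is_under CHILD PARENT -> 0 if CHILD resolves to a location inside PARENT
path_is_under() {
    child=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    parent=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$child/" in
        "$parent"/*) return 0 ;;
    esac
    return 1
}

# backup_db DBNAME WEBROOT BACKUPDIR -> prints the dump path, or returns 1
backup_db() {
    db=$1; webroot=$2; dest=$3
    umask 077                      # dumps are owner-readable only (persists for the caller)
    mkdir -p "$dest" || return 1
    if path_is_under "$dest" "$webroot"; then
        echo "refusing: $dest is inside the web root $webroot" >&2
        rmdir "$dest" 2>/dev/null  # only succeeds if we just created it empty
        return 1
    fi
    out="$dest/$db-$(date +%Y%m%d-%H%M%S).sql"
    # Dump to a .part file first so a failed dump never masquerades as a good
    # backup. vBulletin 3 tables are MyISAM by default, for which mysqldump's
    # default table locking is appropriate; add --single-transaction if you
    # converted the tables to InnoDB.
    if ! "${MYSQLDUMP:-mysqldump}" "$db" > "$out.part"; then
        rm -f "$out.part"
        return 1
    fi
    mv "$out.part" "$out" && gzip -f "$out" || return 1
    # keep KEEP_DAYS (default 14) of history
    find "$dest" -name "$db-*.sql.gz" -mtime +"${KEEP_DAYS:-14}" -exec rm -f {} +
    echo "$out.gz"
}

# crontab -e, daily at 03:30 (placeholder paths):
#   30 3 * * * /usr/local/bin/vb-backup.sh run
if [ "${1:-}" = "run" ]; then
    backup_db "${VB_DB:-vbulletin}" "${VB_WEBROOT:-/var/www/forum}" \
              "${VB_BACKUPDIR:-/var/backups/vbulletin}"
fi
```

Copying the resulting .sql.gz files off the server (rsync over SSH to another machine, for instance) is a separate step this script deliberately leaves out; the point here is that the local copy never lands somewhere the web server can serve it.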

RECOMMENDED SECURITY CHECKLIST:

1) Forums are up-to-date with the latest stable version.

2) Don’t change any default settings unless you know what the consequences are.

3) If you have access to encoding/obfuscation software such as ionCube or Zend Guard, encode config.php and any other file that contains sensitive information. Treat this as obfuscation rather than encryption: the database password must still be recoverable by the PHP process, so it raises the bar against casual reading but does not replace correct file permissions.

4) Make sure you and your staff all use strong, unique passwords: combinations of upper- and lower-case letters, digits and special characters (e.g. !@#$), and not reused from any other site.

5) Remove all plugins except those that are absolutely necessary; each one is third-party code running with the same database access as vBulletin itself.

6) CAPTCHA or reCAPTCHA set to the highest level, configured and tested (vBulletin Options, Human Verification Manager)

7) Custom registration profile field with a regular expression set up to be used in conjunction with CAPTCHA

8) Make sure HTML is disabled on ALL forums (disabled by default)

9) Set up forum permissions, granting each group the absolute minimum of freedoms you want them to have. You can later reward long standing members with more freedoms/features.

10) Protect key accounts and set additional permissions in the Config.php file.

11) Allow only the minimum set of attachment extensions you actually need, with accompanying limits (file size, dimensions, etc.), and set further limits in vBulletin Options, Message Attachment Options

12) Set a list of censored words, illegal usernames, and censored words in user titles ("admin forum moderator vbulletin leader" are there by default).

13) Make sure the Strikes System (vBulletin Options, General Settings), which locks out repeated failed logins, is on and kept on. It is on by default.

14) (only if necessary) disable custom avatars if users are abusing them with questionable images; perhaps grant them as a perk to high posters only

15) (only if necessary) use a third-party plugin from vBulletin.org that adds a further level of anti-spam protection

RECOMMENDED SECURITY CHECKLIST (PARANOID LEVEL):

1) Rename your AdminCP and ModCP folders to something a potential attacker would never guess, and update the admincpdir and modcpdir entries in includes/config.php to match; vBulletin builds its control-panel links from those values, so renaming the directories alone breaks the panels.

2) Set up .htaccess protection (an IP allow-list, a password prompt, or both) on the AdminCP and ModCP folders. Remove the install folder entirely once installation or an upgrade is finished rather than merely protecting it, and restore it only when you next upgrade.

3) If users can use the attachments system, set them to be moderated.

4) If you have a large, popular forum, especially one with high PR, you might not even notice yourself becoming the victim of "Memberlist spam", wherein people register on your forum just to get a free link on the Memberlist page. You can disable the homepage link (vBulletin Options -> User Listing Options -> Member List Field Options), but a better option, which lets users share their homepages without sucking on your PR, is to add the lines below to a robots.txt file in your forum root directory. Well-behaved search engines look for and follow the rules in this file, so these "Memberlist spammers" get no benefit from listing their websites on your Memberlist page. Two caveats: robots.txt is advisory, so it keeps reputable crawlers off the page but does nothing against scrapers that ignore it or against human visitors, and if the forum lives in a subdirectory the Disallow path must include it (e.g. /forum/memberlist.php).

Code:
User-agent: *
Disallow: /memberlist.php
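For items 1 and 2 of the paranoid checklist, the script below is an added example, not from the article or from vBulletin: it checks that a renamed control-panel directory is actually wired up in config.php (and that the default directory is gone), and writes an .htaccess that puts an IP allow-list and a password prompt in front of the panel on top of vBulletin's own login. It assumes vBulletin 3.x config.php names the directories as $config['Misc']['admincpdir'] and $config['Misc']['modcpdir'], Apache 2.2 access-control syntax (on 2.4 without mod_access_compat use Require ip and Require valid-user), a password file created with htpasswd outside the web root, and 203.0.113.7 as a placeholder admin address; the config.php used in the check is constructed.

```shell
#!/bin/sh
# Added example (not from the article): verify a renamed control-panel
# directory is wired up in config.php, and protect it with .htaccess.
# Assumptions: vBulletin 3.x config.php keys $config['Misc']['admincpdir']
# and $config['Misc']['modcpdir']; Apache 2.2 access-control syntax;
# 203.0.113.7 is a placeholder address.
set -u

# configured_cpdir ROOT admincpdir|modcpdir -> prints the configured name
configured_cpdir() {
    sed -n "s/^[[:space:]]*[\$]config\['Misc']\['$2'][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
        "$1/includes/config.php"
}

# cp_rename_ok ROOT KEY DEFAULT -> 0 if config.php points at an existing,
# non-default directory and the default directory no longer exists
cp_rename_ok() {
    root=$1; key=$2; default=$3
    name=$(configured_cpdir "$root" "$key")
    if [ -z "$name" ]; then
        echo "$key is not set in includes/config.php" >&2; return 1
    fi
    if [ ! -d "$root/$name" ]; then
        echo "config.php names '$name' but $root/$name does not exist" >&2; return 1
    fi
    if [ "$name" = "$default" ]; then
        echo "$key still uses the default name '$default'" >&2; return 1
    fi
    if [ -d "$root/$default" ]; then
        echo "old '$default' directory still present beside '$name'" >&2; return 1
    fi
    return 0
}

# write_cp_htaccess DIR PASSWDFILE ALLOWED_IP
# PASSWDFILE must live outside the web root; create it with
#   htpasswd -c /etc/apache2/vb-cp.htpasswd adminname
# Both conditions must hold (Apache 2.2 default Satisfy All): the client
# must come from ALLOWED_IP and present valid credentials.
write_cp_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Control Panel"
AuthUserFile $2
Require valid-user
Order Deny,Allow
Deny from all
Allow from $3
EOF
}

# Usage (placeholder paths): vb-cp.sh /var/www/forum
if [ -n "${1:-}" ]; then
    cp_rename_ok "$1" admincpdir admincp && cp_rename_ok "$1" modcpdir modcp \
        && write_cp_htaccess "$1/$(configured_cpdir "$1" admincpdir)" \
                             /etc/apache2/vb-cp.htpasswd 203.0.113.7
fi
```

If your administrators do not have a fixed address, drop the Deny/Allow lines and keep the password prompt; a second, independent credential still stops a stolen forum password alone from opening the AdminCP.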
By Rocket 442 on 08-10-2008, 09:48 PM
This is very nice and helpful to just about any vB owner. Nice writeup
By loco.m on 08-10-2008, 09:57 PM
Yes, a great article indeed.