This article describes how a FUDforum installation can be hardened to prevent unauthorized access and data loss. FUDforum was designed to be very secure; however, it is the forum administrator's responsibility to ensure that the server and the components FUDforum depends on are properly secured as well.
- When you install FUDforum, ensure that the Forum Data Root is not stored within a web-browsable directory, since sensitive files such as message bodies are stored in it.
- The last step of the installer asks for an administrator login name. Please do not use an easily guessable login name like "admin" or "administrator".
- Pick a sufficiently complex password containing upper-case letters, lower-case letters, digits and special characters. Do not reuse the password you normally use elsewhere on the Internet.
- Only use your forum's admin account to configure your forum. Create yourself another user (with moderator access) for normal forum use.
- Disable URL sessions in the forum's Global Settings Manager. If URL sessions are enabled and someone captures your URLs, they will have (potentially admin) access to the forum. If you must enable them, reduce your Session Timeout setting.
- Delete temporary files such as install.php, upgrade.php, converters, etc.
- Ensure that your forum's files are always locked (Unix/Linux only). After locking, all files have minimal permissions (0600 for files and 0700 for directories), allowing only the web server to access them. To lock your forum, navigate to the Admin Control Panel -> Lock/Unlock Forum Files.
- If you allow people to attach files to messages, configure the File Filter to prevent users from uploading insecure file types.
- Take daily backups of both your database and forum files. Keep at least a weekly or monthly backup off-site (not on the same server as your forum). For more info, see forum datadump.
Securing the server and database
- Always upgrade your forum and server software to recent versions as they usually contain security fixes.
- Regularly monitor your site's log files for suspicious activity.
- Disable remote access to your database server. For example, MySQL users should add "skip-networking" to their my.cnf file.
- Install a firewall and disable all insecure services on the server, including FTP and Telnet.
- Use complex passwords and change them regularly.
- If your server is compromised, move to a new host immediately. Don't wait for it to happen again.
- If your forum is hosted by a third party, choose a hosting provider with a good reputation and security track record.
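The checks above for the Forum Data Root location, leftover installer files, locked file permissions (0600/0700) and MySQL skip-networking can be verified from a shell. The following audit script is an added example, not FUDforum's own code; the directory layout (web root, Forum Data Root, my.cnf path) is an assumption you pass in as arguments.

```sh
#!/bin/sh
# Added hardening audit for a FUDforum install (example script, not part of FUDforum).
# Assumed layout: $1 = web-browsable forum directory, $2 = Forum Data Root, $3 = my.cnf.

# 0 if every file under $1 is mode 0600 and every directory 0700 (the "locked" state).
check_locked() {
  [ -d "$1" ] || return 1
  [ -z "$(find "$1" \( \( -type f ! -perm 0600 \) -o \( -type d ! -perm 0700 \) \) -print)" ]
}

# 0 if the Forum Data Root ($2) is not inside, or equal to, the web root ($1).
check_data_root_outside_webroot() {
  web=$(cd "$1" && pwd -P) || return 1
  data=$(cd "$2" && pwd -P) || return 1
  case "$data" in
    "$web"|"$web"/*) return 1 ;;
  esac
  return 0
}

# 0 if no installer/upgrade leftovers remain in the forum directory $1.
check_no_installer_files() {
  for f in install.php upgrade.php; do
    [ -e "$1/$f" ] && return 1
  done
  return 0
}

# 0 if the MySQL option file $1 enables skip-networking (no remote DB access).
check_skip_networking() {
  grep -qE '^[[:space:]]*skip[-_]networking' "$1" 2>/dev/null
}

# Run all checks, print a verdict per check, and return 1 if any check fails.
audit_forum() {
  rc=0
  check_locked "$2" && echo "ok   forum files locked" || { echo "FAIL forum files not locked"; rc=1; }
  check_data_root_outside_webroot "$1" "$2" && echo "ok   data root outside web root" \
    || { echo "FAIL data root is web-browsable"; rc=1; }
  check_no_installer_files "$1" && echo "ok   no installer files" \
    || { echo "FAIL install.php/upgrade.php still present"; rc=1; }
  check_skip_networking "$3" && echo "ok   skip-networking set" \
    || { echo "FAIL MySQL accepts network connections"; rc=1; }
  return $rc
}
```

Run it as `audit_forum /var/www/forum /srv/fuddata /etc/my.cnf` (paths are placeholders) from a cron job so that an unlocked tree or a re-uploaded install.php is noticed promptly.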