Administrating MyBB - good practices
06-23-2006, 01:16 PM
(This post was last modified: 04-27-2009 12:19 PM by MattRogowski.)
Post: #1
Administrating MyBB - good practices
While the flow of MyBB exploits has gotten significantly smaller lately, there are still boards that are vulnerable to the latest exploits. Even though we provide patches for every exploit, new exploits are still being found. To counter the misuse of MyBB vulnerabilities, the MyBB group encourages all MyBB users to change the URL of the admin control panel. By default, this is /admin, but with some small and easy adjustments, this directory can be changed to a different directory, which is very hard for hackers to find and therefore gain access to.

Change the admin control panel directory
There are a few steps that you will need to take before the directory is successfully changed. To follow these instructions, you will need a text editor and an FTP client (such as SmartFTP).

Step 1
Using an FTP client, download [mybbroot]/inc/config.php from your server, whereby [mybbroot] is the folder you have installed MyBB in. Then, open that file using any text editor (Notepad will do just fine if you do not have a professional code editor installed).

Step 2
In the file you just opened, look for the following code:
PHP Code:
$config['admin_dir'] = "admin";
PHP Code:
$config['admin_dir'] = "newdir";

Step 3
Using your FTP client, upload the file to the location where it came from ([mybbroot]/inc/). Make sure to choose "overwrite", so the old file gets overwritten with the new configuration. When that is done, MyBB will have automatically changed all links to the admin panel for you, but it has not changed the actual directory yet.

Step 4
Still in your FTP client, change the directory of the "admin" folder to the name you just specified in the file. Depending on your FTP client, you can either right-click the directory and select "change name" or do this via the client menu.

Step 5
Once you have completed all previous steps, go to your MyBB installation. Click the "admin panel" link on the main page and see if it still loads correctly. If it does, you have successfully changed your admin panel directory. You can check this by looking in the address bar of the browser, where the new directory will be displayed.

Upgrade to latest MyBB version
If you have not yet upgraded all of your boards to the latest MyBB version, please do so as soon as possible. You can always obtain the latest MyBB version from the MyBB website. You are encouraged to watch the MyBB community board for announcements about patches and new versions as well. Full patching instructions will be provided in announcements.

Remove the version number from the ACP
Some hackers search the internet for MyBB boards of a specific version number. If you remove the version number from the ACP, your board is less likely to be found by a hacker. This does not, however, make your board immune to hacking! To switch off the version number in the ACP, log in to the ACP, go to Board Settings -> Change -> General Configuration. Set "Show Version Numbers" to "Off" and the version number will no longer be displayed.

Reminder: back-up your database regularly
In the unlucky case that a hacker does find a way to exploit your MyBB and removes and/or changes valuable data, it is best to have a database back-up ready, to restore as many of the board's threads, posts and other data as you can.

Minor edit from MattR.
Peter Akkies
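
Added example, not part of the original post and not MyBB's own code: a Python check for Steps 2 to 4 above that reads admin_dir from inc/config.php and reports a mismatch between the configured name and the folders actually on disk, including a leftover default "admin" folder. The function names and the sample board layout are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches the assignment shown in Step 2 (single or double quotes);
# commented-out lines do not match because they do not start with "$".
ADMIN_DIR_RE = re.compile(
    r"""^\s*\$config\[\s*['"]admin_dir['"]\s*\]\s*=\s*(['"])(.*?)\1\s*;""",
    re.MULTILINE,
)

def audit_admin_dir(mybb_root):
    """Return a list of findings; an empty list means the rename is consistent."""
    root = Path(mybb_root)
    config = root / "inc" / "config.php"
    if not config.is_file():
        return ["inc/config.php not found"]
    matches = ADMIN_DIR_RE.findall(config.read_text(errors="replace"))
    if not matches:
        return ["admin_dir is not set in inc/config.php"]
    admin_dir = matches[-1][1].strip("/")  # PHP keeps the last assignment
    if not admin_dir:
        return ["admin_dir is empty"]
    findings = []
    if admin_dir == "admin":
        findings.append("admin_dir is still the default 'admin'")
    if not (root / admin_dir).is_dir():
        findings.append(f"configured directory '{admin_dir}' does not exist")
    if admin_dir != "admin" and (root / "admin").is_dir():
        findings.append("old 'admin' directory is still present")
    return findings

def make_sample_board(configured, dirs):
    """Build a constructed (hypothetical) board layout in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="mybb-sample-"))
    (root / "inc").mkdir()
    (root / "inc" / "config.php").write_text(
        "<?php\n$config['admin_dir'] = \"%s\";\n?>\n" % configured
    )
    for name in dirs:
        (root / name).mkdir()
    return root

if __name__ == "__main__":
    # Constructed case: config edited (Steps 2-3) but folder never renamed (Step 4).
    for finding in audit_admin_dir(make_sample_board("newdir", ["admin"])):
        print("FINDING:", finding)
```

Run against a local copy of the board's files, an empty result means the configured name and the directory on disk agree and no default folder remains.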
06-23-2006, 02:14 PM
Post: #2
RE: Administrating MyBB - good practices
Done, done, and done!
I always make backups at least once every 2 days, and I upgrade to the latest version of MyBB as soon as it comes out, but I haven't changed my Admin directory till now... Thanks for this Peter, very informative!
Please do not PM me for help, I will always tell you to ask in the support forums.
Likewise, people who contact me through MSN or another IM client asking for help will be instantly ignored...
The Atheist Blogger | My MyBB Mods | DrPoodle.com | My Blog | Atheist Forum
06-23-2006, 02:49 PM
Post: #3
RE: Administrating MyBB - good practices
I changed it a few days ago.
Give us your feedback about MyBB in this thread and become listed on the MyBB website.
06-23-2006, 03:07 PM
Post: #4
RE: Administrating MyBB - good practices
Thanks for the info, though I do a lot of these already!
But it is a good guide for newbies.
06-26-2006, 03:58 PM
Post: #5
RE: Administrating MyBB - good practices
Another good hint would be to disable the display of your MyBB version number. If you do this, it prevents hackers from attacking your forum because of a vulnerability in a previous version. To do this, go to Board Settings -> Change -> General Configuration in your Admin CP. Set "Show Version Numbers" to Off.
Justin S. / MyBB Lead Designer / RCTgo / Belloman Design / Afresh for 1.4 / Light for the ACP
06-26-2006, 04:47 PM
(This post was last modified: 06-29-2006 03:54 PM by Martin M..)
Post: #6
RE: Administrating MyBB - good practices
If you really wanna be sure that people cannot see the current version number, go to admin/adminfunctions.php, find:
Code:
echo "<font size=\"1\" face=\"Verdana,Arial,Helvetica\">".$lang->footer_powered_by." <b>MyBB $mybboard[internalver]</b><br>".$lang->footer_copyright." © 2005 MyBB Group<br />".$lang->footer_stats."</font></center>\n";
Code:
echo "<font size=\"1\" face=\"Verdana,Arial,Helvetica\">".$lang->footer_powered_by." <b>MyBB</b><br>".$lang->footer_copyright." © 2005 MyBB Group<br />".$lang->footer_stats."</font></center>\n";
errr, wrong name of file
06-26-2006, 06:03 PM
Post: #7
RE: Administrating MyBB - good practices
I've said it before and I'll say it again. Take a screen cap of your board's copyright. Open the screen cap and crop it down so that it's just a pic of the copyright. Now, replace the default text copyright with that image. This prevents script kiddies from finding your site by googling "Powered by MyBB" but it still leaves the copyright intact for all to see.
I should note that I have not gotten an official answer on whether or not it's "Ok" to do this. I would think so, though, and unless Chris or someone else with MyBB Group specifically says "don't do that" then I'm going to keep doing it and I recommend that the rest of you do it as well.
06-27-2006, 12:42 AM
Post: #8
RE: Administrating MyBB - good practices
I used to back up by a cron job script. Used to be wonderful... don't have it anymore though.
Dale Hay . com :: ConvoWorld :: Sound Upload
06-27-2006, 07:33 AM
Post: #9
RE: Administrating MyBB - good practices
Another good idea is to never use the default database prefix (mybb_). The scripts used by script kiddies to make database changes assume that the default prefix is in use.
06-27-2006, 08:27 AM
Post: #10
RE: Administrating MyBB - good practices
Galen Wrote: I've said it before and I'll say it again. Take a screen cap of your board's copyright. Open the screen cap and crop it down so that it's just a pic of the copyright. Now, replace the default text copyright with that image. This prevents script kiddies from finding your site by googling "Powered by MyBB" but it still leaves the copyright intact for all to see.

If we haven't said anything by now, then I'm pretty sure it's ok.
ryanashbrook.com - My Blog - @ryanashbrook Do not contact me for ANY KIND OF HELP, all questions will be answered on the forums. You will be blocked.