Securing your vBulletin 4 installation

Securing your vBulletin forum should be one of the first things you do after installing it.
Here is a list of things you should do:

 
Change the admin control panel directory
Rename the admin control panel directory on the server, then open the /includes/config.php file and look for $config['Misc']['admincpdir'].
Set this variable to the new location of your admin control panel.

 
Protecting your admin control panel
There are many different ways to restrict access to your admin control panel.
What I recommend is an IP restriction: upload a .htaccess file to the admincp directory containing something like:

order deny,allow
deny from all
allow from 111.222.333.444

This blocks all requests to the admincp except those coming from the IP address 111.222.333.444.
Alternatively, you could use a plugin like http://www.vbulletin.org/forum/showthread.php?t=296383.

 
Setting the right permissions
You should also CHMOD all of your files to 644, except the signature/avatar folders if you have configured vBulletin to store uploads on the server's file system.
This prevents anyone from modifying your files.

 
Delete your /install/ folder
It is very important to delete the install folder after installation.
Someone could potentially re-run the installer and wreck your forum.

 
Check your plugins and keep them up-to-date
Always make sure your plugins are up-to-date. You never know when a plugin author will release a critical security patch.
Also, don't install plugins without reading the comments first; users may have reported there that the plugin is vulnerable.

 
Check for suspicious files
The vBulletin admin control panel has a useful function under the Maintenance > Diagnostics tab that checks all vBulletin directories for suspicious files.

If vBulletin finds suspicious .php files, open them with an FTP client or over SSH and check the source code for calls such as system, eval, shell_exec, exec, base64_decode and popen. If a file contains something like this, it is highly likely a web shell and that you have been, or are about to be, hacked.

 
HTML in posts/signatures
Make sure HTML is turned off everywhere. You do not want users to be able to inject HTML into their signatures or posts.
If you allow it, users may be able to embed Java drive-by, clickjacking and session-hijacking scripts in the page.

 
Hosting
If possible, do not use shared hosting; get your own VPS instead.
A VPS can be very cheap these days and has far more capacity and fewer limitations than a shared web host. Your site will probably even load faster because of this.
The downside is that a VPS is usually unmanaged: you will need someone to install the web server and PHP-CGI, secure them, and so on.
