How to keep phpBB secure?

When thinking about security, keep in mind that phpBB is open source software, which means that its code can be accessed by everyone. On the other hand, many experts hold that paid scripts are nowadays as vulnerable as open source ones, because widespread piracy makes their code obtainable as well.


As for phpBB, security is one of the team's top priorities and is taken very seriously. The new phpBB3 version of the script has major security enhancements compared to the old phpBB2, and the minor security issues that arise once in a while are resolved relatively fast. Some of the key new security features, developed to protect your online forum from malicious attacks, are:


More advanced system of authorization
Effective encryption, whose purpose is to keep the passwords safe in the database
URL-based and cookie-based sessions running simultaneously

Even though these and many more important features are implemented in the latest version of the script, and the developers continue working to make the product as secure as possible, no script can guarantee absolute protection.


There are ways, though, to reach an even better level of online security for your phpBB forum. Here is a list of some of them, with a description of how to implement each:


Update regularly – Always keep your phpBB at the most up-to-date version. The general rule for any software applies to this script as well: the newer the version, the better the protection it offers, because it includes the latest measures implemented by the developers.


SPAM protection – While SPAM is not considered a security threat, it can prove consistently hard to tackle and, in some cases, reflect very negatively on the popularity of your forum among your target audience. We recommend that you first see how the built-in SPAM protection of phpBB works and, if you want to improve it, then install MODs and test them to find the best combination for your needs.


Set activation confirmation – Make sure you enable the feature that sends an activation email to either the users or the administrator. If your forum is not exclusive and you are not going to be the one who approves or denies membership, it is better to let the user receive the activation email. Once the user receives it at the valid email address stated when signing up, the membership is activated. In this way, you will stop automatic bot registrations because they use fake emails. You will also discourage many spammers because they would need time to register valid new emails for every new account.


Enable visual confirmation – This feature will help you stop most bot registrations. While it cannot help against human SPAM, it will greatly reduce the automatic kind, provided that you have updated to the latest version of phpBB with the CVS system, which provides vastly improved visual confirmation security.


Disable guest posting – By doing so you effectively forbid bots and spammers from posting directly into your forum and put the obstacle of mandatory registration in their way.
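
One way to check the update, activation and visual confirmation items above on a running board is to audit the rows of its configuration table. This is an added example, not phpBB's own code; it assumes the config keys version, require_activation and enable_confirm and the value meanings noted in the comments, and the sample rows and version numbers are constructed.

```python
# Added example: audit phpBB settings discussed above from phpbb_config rows.
# Key names (version, require_activation, enable_confirm) are assumed to match
# the phpbb_config table of a phpBB 3.x board; confirm them on your own install.

def parse_version(text):
    """Turn '3.0.2' or '3.0.2-RC1' into a tuple; a pre-release sorts first."""
    core, sep, _ = text.partition("-")
    return tuple(int(p) for p in core.split(".")) + (0 if sep else 1,)


def audit(config, latest_version):
    """Return findings for a dict of config_name -> config_value strings."""
    findings = []
    installed = config.get("version")
    if installed is None:
        findings.append("version: missing, cannot tell if the board is current")
    elif parse_version(installed) < parse_version(latest_version):
        findings.append(f"version: {installed} is older than {latest_version}")

    # Assumed values: 0 = no activation, 1 = by user e-mail, 2 = by admin,
    # 3 = registration disabled.
    activation = int(config.get("require_activation", "0"))
    if activation == 0:
        findings.append("require_activation: accounts are active without e-mail")

    # Visual confirmation only matters while registration is open.
    if activation != 3 and config.get("enable_confirm", "0") != "1":
        findings.append("enable_confirm: visual confirmation is off at sign-up")
    return findings


# Constructed sample rows, as returned by
#   SELECT config_name, config_value FROM phpbb_config;
# Version numbers are placeholders, not real release data.
SAMPLE_WEAK = {"version": "3.0.1", "require_activation": "0", "enable_confirm": "0"}
SAMPLE_GOOD = {"version": "3.0.2", "require_activation": "1", "enable_confirm": "1"}
LATEST = "3.0.2"  # placeholder: take the real value from the phpBB downloads page

if __name__ == "__main__":
    for name, rows in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        result = audit(rows, LATEST)
        print(name, "->", result or "no findings")
```

Guest posting is granted through forum permissions rather than a config row, so it is not covered by this check.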


We wish to remind you again that regular updates are important for the security and the overall performance of your website, and are an imperative first step to strengthening your online defense.