End phpBB update styling rework with a custom style

Updated February 15, 2018 to add a few things.

Has this happened to you? You update phpBB to the latest version and find out that your custom logo or various style changes that you tediously made to phpBB are gone, or partially gone. It’s a common problem and one reason many forum owners defer updating phpBB.

You can end this hassle by creating and installing your own custom style. Using this approach your custom style inherits most of its styling from a primary phpBB style. You then selectively override the primary style’s CSS, HTML or Javascript with your own changes. This way when the primary style you use is changed, you don’t lose your custom changes. This also ensures that your styles and templates use the most current and approved code, which often includes security patches.

In this tutorial I will show how you can do this. I will keep my example simple by using my custom style to swap out the default phpBB logo with my own logo, sized to the new logo’s dimensions. In principle though you can go way beyond this simple use. For example, your custom style can overwrite the inherited style’s colors, padding and margins, or container widths and heights. You can also overwrite HTML and Javascript files.

Overview of steps required

The basic approach is:

  1. Make a note of all the changes you made to your style
  2. Reload your preferred style
  3. Create a custom style that inherits from your preferred style
  4. Override the preferred style’s stylesheet directives. This is best done by creating a stylesheet.css file for your custom style and placing your style customizations there.
  5. If you changed some templates, place the custom version of these templates in your custom style’s template directory. Frequently, forum owners will make changes to overall_header.html and overall_footer.html.
  6. Install the custom style
  7. Make the custom style the primary style
  8. Test and refine

Let’s delve into each step to see how this is done.

Make a note of all the changes you made to your style

You probably know what these changes are, but if you have any questions you can use a file comparison tool like WinMerge (for Windows) or kdiff3 (for pretty much any operating system) to compare your files with a reference version.

  1. Download your current style folder where you made all your custom changes, such as /styles/prosilver
  2. Download a reference version of your style for your current release of phpBB. phpBB keeps a list of its releases here. If your styles are based on prosilver then you would use the reference /styles/prosilver folder for your current release of phpBB. If using a different style, find the style version you used. You may have to download it from phpbb.com or from the style author’s website.
  3. Run the file comparison tool and note the changes you made so they can be reapplied in the custom style.

Reload your preferred style

  1. Make certain you have documented all the changes you made to your style. Once they are overwritten, you may not be able to recover them.
  2. Since you made changes to your preferred style, it’s a good time to undo them. The simplest way to upload the reference version of your style, replacing anything that’s there. Purge the cache. If you don’t see the style changes afterward, clear your browser’s cache and reload the page.

Create a custom style that inherits from your preferred style

  1. First review phpBB’s Creating & Modifying Styles page.
  2. Create a folder in the styles folder for the name of your style. In this example I keep it simple and call the folder “custom”, i.e. /styles/custom.
  3. Create a style.cfg file in this folder. Copy the style.cfg contents from your parent style’s style.cfg file. Below is the code in /styles/prosilver/style.cfg for phpBB 3.2, which I used because my “custom” style inherits from prosilver.
# phpBB Style Configuration File
# This file is part of the phpBB Forum Software package.
# @copyright (c) phpBB Limited <https://www.phpbb.com>
# @license GNU General Public License, version 2 (GPL-2.0)
# For full copyright and license information, please see
# the docs/CREDITS.txt file.
# At the left is the name, please do not change this
# At the right the value is entered
# Values get trimmed, if you want to add a space in front or at the end of
# the value, then enclose the value with single or double quotes.
# Single and double quotes do not need to be escaped.

# General Information about this style
name = prosilver
copyright = © phpBB Limited, 2007
style_version = 3.2.0
phpbb_version = 3.2.0

# Defining a different template bitfield
# template_bitfield = lNg=

# Parent style
# Set value to empty or to this style's name
# if this style does not have a parent style
parent = prosilver
  1. In my example I changed “name = prosilver” to “name = custom”. Since I want to inherit from prosilver I left the “parent = prosilver” line unchanged. If you are changing a style other than prosilver as the primary style, you need to change the parent style to the correct style name. It must match the parent folder name in the styles folder. You might also want to edit the copyright, style_version and phpbb_version lines. If it’s only for your own use, this is not necessary. Here are my changes:
# General Information about this style
name = custom
copyright = © Mark D. Hamill
style_version = 1.0.0
phpbb_version = 3.2.2

# Defining a different template bitfield
# template_bitfield = lNg=

# Parent style
# Set value to empty or to this style's name
# if this style does not have a parent style
parent = prosilver
  1. Save the file, making sure it is in the root folder for the custom style, e.g.: /styles/custom/style.cfg.

Override the preferred style’s stylesheet directives

  1. Create a theme folder for your style. In my example, this would be /styles/custom/theme.
  2. Create an images folder inside the theme folder. In my example, this would be /styles/custom/theme/images.
  3. If changing the logo, upload the logo you will use to /styles/custom/theme/images. Make a note of the image’s height and width as you will need this later.
  4. Create a file called stylesheet.css in the theme folder.
  5. To inherit styles from your parent style, you need an @import statement at the top of this file. For example, if prosilver is the preferred style, this line would be at the top of the file. Generally you just need to reference the stylesheet.css file in the parent style. You will have to amend the path so it finds the parent style’s stylesheet files. In my case for the @import line, I added “../../prosilver/theme/”. The ?v=3.2 indicates the version of phpBB expected, so it may have to be changed.
@import url("../../prosilver/theme/stylesheet.css?v=3.2");
  1. Any style changes that you want to override should now be appended to the end of this file. In the example of replacing the logo, in the prosilver style you would normally edit the .site_logo class in colours.css and common.css. In my case I added these lines at the end of my /styles/custom/theme/stylesheet.css file, which provides the correct image to use for the logo and its proper dimensions:
.site_logo {
    background-image: url("./images/mark.jpg");
    width: 181px;
    height: 229px;
  1. I then saved the file stylesheet.css with my changes.

Changing templates

In my example, since I am only replacing the logo so no template changes were needed. If you need to change templates there are two approaches.

  1. The simplest is to copy the template, for example, /styles/prosilver/template/overall_header.html to /styles/custom/template/overall_header.html. Then make the changes that you need to make and save the file. This has a downside: if there are changes made to this template with an update, your version won’t have them unless you manually inspect for any changes and apply them to your custom version.
  2. In many cases you want to insert some HTML or Javascript rather than change existing HTML or Javascript. In this case it’s better to use template events, if you can “hook into” an appropriate event. This way if the parent style is changed with an update, you don’t have to worry about replicating any changes to it in your style. For example, overall_header.html has a template event in it marked as <!– EVENT overall_header_head_append –>. In this case you could create an event folder in your template folder then create a file called /styles/custom/template/event/overall_header_head_append.html. Add whatever HTML you want inserted when this event is encountered into this file. A list of template events can be found here.

Install the custom style

  1. ACP > Customise > Style management > Install Styles
  2. Select the new style you created (“custom” in my example) by pressing the corresponding Install style link.

Make the custom style the primary style

ACP > General > Board configuration > Board settings. Generally you set the default style to your new custom style, the guest style to your new custom style and you may optionally want to set the override user style option to Yes. Submit the form.

Test and refine

You should not need to purge the cache if you make any stylesheet changes. However, if you make subsequent changes to any templates first purge the cache then test.

Approach when upgrading

This approach is unlikely to work correctly when upgrading. An upgrade is when you go from one minor release of phpBB to another, such as from 3.2 to 3.3. You can of course go through the process of creating a new custom style again. As for updates, this should work.


Professionalizing your forum, part two

Since I wrote my first post about professionalizing your forum, I realized there are some other actions that will up your game in this area.

Monitor your domain for blacklisting

Blacklisting happens when users report to one or more blacklist sites that your site is sending out spam or contains malware. Generally you don’t get put on a blacklist inadvertently, so your site may have been hacked. It’s also possible that some email sent or reportedly sent from your domain were judged as spam or spam-like. It’s also possible of course that someone is falsely reporting your site to a blacklist. In any event being on a blacklist is not a mark of distinction. You need to monitor blacklists and take corrective action if your domain shows up on a list. Being on a blacklist can get your dropped from search engines or move way down in the rankings, as well as dramatically reduce site traffic.

Since you probably don’t want to check all the blacklists out there individually, there are services out there that can help you. If you have just one domain and getting one email a week is sufficient, you can use this site for free. They offer paid plans for multiple domains and more frequent checks, and there are other similar services so shop around.

To get yourself off a blacklist usually requires some explicit action on your part where you appeal or prove that the content does not or no longer exists.

Monitor, find and fix issues with Google Webmaster Tools

Google of course is constantly searching the web and indexing as much content on your site as you allow it to index. Google Webmaster Tools can find security issues with your site too, as well as tell you of issues like links that are bad that should be fixed.

To see reports about your domain you must take the time to register the site with Google, which can be done using a number of methods. Google will tell you if there are any critical issues but to do things like fix broken links you have to dig into their reports. Since most links on your site are going to be in posts posted by users to your forum, fixing these links is probably not worth the effort. However, there may be other links that are worth fixing.

Periodically check your WOT Rating

Browsers generally support a Web of Trust (WOT) extension. The extension allows users to easily say whether they trust your site or not. Since it’s an extension, you can install it in your favorite browser and when you are on your site monitor your reported trust status. If you notice your site trust level going down, you might want to see if there is a root cause and take appropriate actions.

There is some controversy about whether WOT can itself be trusted, since it was reported its developers were collecting your browser history without identifying information.

Use a sitemap

A sitemap indexes your forum’s content into a file that search engines like Google can read. It’s an authoritative way of describing the content on your site to search engines. There is a sitemap extension that works for phpBB 3.1 and reputedly 3.2 as well. Since it is simple to install, installing this one should be a no-brainer, providing you know about it!

Moderate, or take out the trash

A lot of administrators don’t even read their forums, or not all parts of it. It could be because the forum gets a lot of traffic and it’s a lot to keep up on. All forums should at least be moderated, either by an administrator or one or more global or forum-specific moderators. The moderation tools in phpBB are pretty good. They let users do a lot of the moderation for you by at least being able to report a post as inappropriate, spam or whatever. They won’t do this though unless you encourage them, so if this is important to you post a global announcement to this effect.

Disk space is cheap these days so moderation may seem like a lot of work. Why not just let people post whatever they want in whatever rambling way they want? For many forums this is fine, but for certain forums it’s not appropriate. You want the content to be relevant and that can be done by removing posts and topics that aren’t relevant.

Posts that seek to troll other users, inflame conversations and such are rarely desired. Here’s where you moderators can be of help, perhaps by empowering them to set up moderation guidelines for their forums setting the rules and then letting them wield the power. Hopefully this will translate into a better reputation for your forum and topics as search engines decide the content is more relevant.

As long as your moderation rules are clear, a well moderated forum where irrelevant stuff is regularly pruned is a good idea. It’s unlikely your readers want to read irrelevant content anyhow.

You might want to set up an off-topic forum for general banter, so your main forums can stay clean. Moderators may choose to move these topics into such a forum rather than remove them.

Consider pruning

phpBB has a rarely used pruning feature. It lets administrators throw out old content. This is rarely used for obvious reasons: old content is not necessarily irrelevant and it’s unlikely that you will hit some sort of quota for the size of your database. It’s possible that search engines will rank you higher if the old stuff is regularly pruned. Global pruning is an administrator responsibility. Topics can be pruned on various common sense criteria: days since there was a posting and days since someone last viewed the topic. You can prune announcements, stickies and old polls as part of pruning or not. To prune: ACP > Forums > Manage forums > Prune forums.

There is likely more to this topic that may generate future posts.


Professionalizing your forum

For many forum owners, their forum becomes a bit more than important. It may be a big feature of their website. It may be their website. It may contain crucial information to a very specific community. It may generate income. Or maybe its purpose is pure vanity but for whatever reason it means a lot to them. If you are one of these forum owners, you want it to gleam, seem always new and shiny, serve lots of users robustly and be reliable 24/7/365. How do you take your forum to the next level? How do you professionalize your forum?

This is not a discussion of how to better market your forum. I leave that for SEO experts with more expertise in the topic than I have. In truth most phpBB forums serve very specialized markets so they probably won’t grow beyond a certain size. Most of the forums I work on have under 100,000 posts, even if they have been around for a decade or more. I get plenty of forums in the 200,000-300,000 posts range, but it’s rare to see a forum with 500,000 or more posts.

You may already be doing some of these practices. If you have the time, energy and money you might want to implement all of these suggestions.


Your style presents a first impression. The default style for phpBB is prosilver. It looks nice, if you like a blue style with a hint of grey. There are plenty of free styles to choose from, but also paid styles as well. The paid styles may be worth investing some money in. Some are extra slick, using advanced CSS practices so that styles not only look good, but are applied quickly and intelligently. For more information, see my styling post. Going the extra mile here might be to pay one of these style vendors to custom fit a style so that it integrates slickly into your larger website or to give your forum a unique look. It may be worth the extra cost.

Collect metrics

If you are not collecting metrics on the usage of your website, you probably should be. Yes, you can see the number of new topics and posts by visiting the forum but it doesn’t tell you (at least not easily) which topics are most popular or answer other questions. Google Analytics is the 800-pound gorilla in the web analytics area. There is an extension you can add to phpBB that will report your forum’s usage to Google Analytics. But there are plenty of alternatives. Some like to keep it simple, using a service like Statcounter. Quantcast offers a more Google-Analytics experience. There are plenty of other analytic services you can use too. However, to add the code needed to capture this information usually requires editing your forum’s overall_header.html template, overall_footer.html template or both.

Understanding these reports can be too much information, but all handle the basics such as showing popular posts, visitors and common search engine terms. A careful analysis may reveal trends that you may want to exploit. For example, popular search term might suggest creating additional topics in this area to help build site traffic.

Extend your forum

phpBB Extensions allow you to offer additional functionality beyond what comes “out of the box” with phpBB. Installing extensions isn’t hard and official extensions are free and rigorously tested by the phpBB group, so you know they are unlikely to have vulnerabilities. You might want to read my post on extensions. While you should not install extensions willy nilly as they comes with some cost and risks, there are many top-notch extensions such as the recently released Advertisement Management extension that makes it easy to place ads on your forum.

Change your hosting

If you are happy with your hosting and neither users nor you are noticing any issues with performance or page speed, by all means keep your current host. Rehosting a forum is not simple as it involved moving both files and the database, plus changing your DNS to point to the new hosting. There are also costs to acquire a new hosting contract. The phpBB group has a rehosting knowledge base article if you want to try it yourself.

I have some hosting recommendations on my services page. The phpBB group has some more, but bear in mind they get some revenue if you get hosting by following their links. New hosts will often move a forum for free to get your business, at least if you ask them nicely. I also offer a rehosting service with prices starting at $50.

Monitor your forum

You obviously can’t be on your forum all the time to see if it is up and working correctly. You might want to know if there is a problem accessing the forum. Site monitoring services can do this for you. Some are free, some not, and the features vary a bit.

I like Uptime Robot because it is free and has proved reliable, but it checks at a maximum of every five minutes. It sends me emails when my site is down and another email when it is up. Most of these services provide basic tests, with the most basic test being does the index page come up. It’s possible that there problems might affect a particular part of the website, like posting or the Administration Control Panel. These services can’t usually be configured to do these kinds of tests, but they do provide some basic service to let you know if the site is up or down.

I have found many of the times my site is “down” it comes “up” minutes later. These are usually problems related to brief patches being applied by the web host and they are hoping no one will notice. If there is a major incident underway, these services will at least let you know. Your web host may not know there is a problem.

Hint: make sure you choose a HTTP test if offered. You want to know if a web page can be returned, like the index.php page. Simply having a service ping your domain is a poor test.

Update the forum regularly

Just like it’s a good idea to get your car’s oil changed regularly, it’s a good idea to update your forum when new micro versions are released. Bugs get fixed but more importantly there are occasional security issues that get fixed too. The phpBB group keeps trying to simplify the update process but it seems to be an uphill climb. There are little landmines that can trip you up. You can read the official update instructions. An upgrade is moving from one minor version of phpBB to another (like 3.1 to 3.2). Here you don’t need to be one of the first to upgrade. Upgrades sometimes have issues with the first version, so lagging a bit behind may be a virtue. You might want to wait for the 3.x.1 release.

Most of my business is upgrades, so I am happy to do these for you if you want. Or you can try the official upgrade instructions.

When you go into the Administration Control Panel, it will tell you if there is a new update or upgrade to phpBB. If you don’t often go into the ACP, you may prefer to get official notifications instead. You can subscribe to the phpBB blog with your favorite newsreader where new releases are announced. phpBB also has a Twitter feed and is on Facebook.

Keep your web server properly maintained

Typically you do not own and manage the web server on which your forum resides. If you have shared hosting, it’s the responsibility of the web host to update the software on which phpBB depends. You can monitor the key software needed to run the forum and complain or rehost if the web host gets too far behind. A lot of this information is available in the Administration Control Panel under PHP Information. Check your version of MySQL (if you are using it as your database) with the current generally available community edition available from Oracle and complain if you are a few versions behind. If using MariaDB, you can see community editions here.

If you have a virtual server or a dedicated server, you may need a hosting contract to provide these updates as a service. This can get pricey. A good system administrator will keep your operating system, database, control panel and PHP up to date and regularly patched.

One easy way to increase performance if you have phpBB 3.2 or above is to use PHP 7. It should add about a 50% increase in performance compared with PHP 5.x. You can usually change this in the web host control panel, but it may require a support ticket with your web host. Be careful though to ensure that other software you use on your site can handle PHP 7.

Backup your files and database

Most web host control panels provide built-in solutions for backing up your site, including your database. Sometimes this can only be done manually. Ideally you would like an automated backup, storing multiple versions. At a minimum, back up your site monthly and ideally keep two other previous versions.

phpBB does let you backup your database manually: ACP > Maintenance > Database > Backup. You can store the backup on your server or download it. This won’t backup your forum’s file too. There is a useful extension to backup your database using phpBB’s cron process. As of this writing though it works on phpBB 3.1 only.

The key items to backup are the /files, /images and /store folders and the config.php file. The rest of the files and folders are software and can be recreated from a reference if needed.


Hiding your phpBB forums


Not every forum administrator wants their forum to be public. Some want to have a members-only forum. In fact, it’s not unusual to want the forum to be completely hidden or wholly inaccessible by the public. Some forum administrators realize it’s important not only to keep humans out, but search engines as well.

The good news is that phpBB can keep your forum private, although there are some steps you might want to take outside of phpBB. The bad news is that the procedures for doing so are pretty obscure. Let’s look at some common ways of limiting access.

Keeping everyone out using your web server’s security system

Pros: about as secure as you can get

Cons: shared passwords are often used, ugly interface, and it works separately from the forum

The most effective way to keep everyone out but specified users is to use a security mechanism that is built into your web server. The technique originated with the Apache web server. Not all web servers use Apache, but most do. IIS is Microsoft’s web server, if you are using Windows hosting. nginx (pronounced “Engine X”) is another web server gaining in popularity that is slowly replacing Apache.

With this approach, the first step is to determine what web server software you are running. This site makes it easy.

The idea is to use the web server to challenge the user trying to get into the forum’s folder by requiring the user to successfully provide some credentials, usually a username and password. Typically you get an ugly black and white screen with these fields and a submit button. So this approach is not pretty, but it is highly secure.

If you want to go with this approach, first look at your web host control panel. Control panels like cPanel often have a feature that lets you password protect folders, in this case your phpBB root folder. Here are cPanel’s instructions. Failing that you can do this yourself.

You can use these instructions if you are using Apache and these instructions for nginx. IIS being a Microsoft product operates quite differently. You can use these instructions for IIS.

You can make it easy and use a shared username and/or password or create one for each member of the forum. Note that this happens outside of the forum, so any usernames and passwords used with this approach will probably not be the username and password used to login to the forum. You will have to pass the username and password to use to the user, perhaps using email. This approach simply allows access to the forum so a second step is needed: you must also login to the forum.

This approach not only keeps out humans, but also search engines.

Although not covered here, there are even more secure ways to limit access if you limit access to specific IP addresses. A search engine query will provide instructions if this approach interests you. Since most IP addresses are generated dynamically, this approach usually requires allowing a range of IP addresses and is somewhat fragile.

Stopping search engines from indexing your site with a robots.txt file

Pros: Simple and probably 99% effective

Cons: Malicious search engines can choose to ignore your policy

You can instruct search engines not to search your site. While you can provide instructions, this approach doesn’t keep malicious search engine agents from indexing your site anyhow. Essentially you create a robots.txt file in a plain editor like Notepad and upload it to your forum’s root folder. Its contents should look like this:

User-agent: *
Disallow: /

Disallowing search engines using phpBB

Pros: Effectively stops search engines that phpBB knows about, which are most of them. With the permissions properly set these search engines cannot index your content because the permissions won’t allow it.

Cons: Limited to the 46 search engines that phpBB handles by default


  1. ACP > Permissions > Permission roles > Forum roles
  2. Click on the green wheel on the Bot Access row
  3. Go to the bottom of the page and select the Actions tab
  4. Click on the No column header link which easily makes all these permissions no. Then Submit.

By changing the properties of the Bots role it will affect all existing bots plus any additional bots you create manually later on.

If you want to add bots manually, you can do it this way: ACP > System > General tasks > Spiders/Robots. Where would you discover new robots that might be hitting your site? You would need to periodically review your web server access log.

The phpBB group periodically adds new robots so when you update or upgrade these new robots will appear and will inherit privileges for the bots role.

You can certainly add a robots.txt file disallowing access to your forum root folder and use these procedures too.

Disallowing guest access to forums

Pros: Removes guest read privileges

Cons: A little complex to set up and message to guests is misleading


  1. ACP > Forums > Forum based permissions > Group forum permissions
  2. Select the Guests usergroup and press Submit
  3. Select the forums that you don’t want guests to read or access. For all, check All Forums. Then press Submit.
  4. If you want guests to neither read the forum nor see its name, for each forum change Read Only Access to No Access then the press the Apply All Permission button at the bottom of the page. Note: if all forums were changed then at this point guests accessing the index will see a “No forums” message. This is misleading because the forums are there, you just have to be registered, logged in and have appropriate permissions to see them.
  5. If you want guests to see the forum name but not be able to see or read any topics, first complete step 4. Then for each forum click on Advanced permissions, select the Actions tab and select Yes to Can see forum. When applied to all applicable forums, press the Apply All Permission button at the bottom of the page.

Bonus tip

If security is a concern, consider also using HTTPS to encrypt all traffic going to and from your forum. More is on this post.

New official Advertisement Management extension announced

I have installed the Advertising Management modification for phpBB 3.0 countless times. It’s very popular to serve ads, obviously and to have easy ways to place them within phpBB. There was a development extension for phpBB 3.1 that I was able to get working for some clients.

Now an extension for phpBB 3.2 is available but even better it’s being supported as an official extension of the phpBB group. So from now on it should always be available. It has a slightly different name but was obviously built on top of the old modification. It’s now called the Advertisement Management extension.

See the announcement and video here.

Fixing phpBB emailing problems

Having trouble sending out emails such as mass emails or email notifications using phpBB? If so, you are not alone. Sending mass emails is a feature of phpBB (ACP > System > General tasks > Mass email). Users can also sign up for various email notifications in the User Control Panel. For some boards though these email notifications just doesn’t seem to work reliably, and sometimes don’t work at all. Perhaps some but not all of these emails go out.

Even if you don’t send out mass email regularly, phpBB has a number of features that depend on outgoing email servers to send out emails in a timely manner to all intended recipients. It’s been my experience that solving these issues is hard. This is particularly hard on shared hosting where there are quotas on the limits of outgoing emails. It’s made more confusing by phpBB’s inelegant interface for dealing with emails.

Thus these problems are very hard to troubleshoot. phpBB hands off email, generally to your host’s email server. Generally you have no idea where this email server is, what its policies are and how to determine if the email server is actually sending the emails. It often requires a support ticket to your web host, who may or may not provide accurate information.

Sorting this out can be very confusing which is why you might want to hire me. In most cases though I will have to work with your web host to fix these problems. Here are some useful techniques that can often solve these issues.

Setting phpBB’s email settings correctly

You can find your forum’s email settings in the Administration Control Panel: ACP > General > Client communications > Email settings. Things to check:

  • Enable board-wide emails. This should be Yes. Obviously if set to No, no emails will go out.
  • SMTP settings > Use SMTP server for email.
    • This is normally set to No. PHP is configured to send emails through your web host’s email server. This makes emailing simple in that you don’t need to know anything about the configuration of the email server.
    • If you have Windows hosting, you usually have to set this to Yes. In addition you will have to configure the SMTP server information fields appropriately using information provided by your web host. Getting SMTP email configured correctly is often challenging so SMTP should be avoided if possible. In addition, some web hosts don’t allow their servers to connect with external SMTP email servers. If you see in phpBB’s error log (ACP > Maintenance > Forum logs > Error log) messages like “Could not connect to smtp host : 110 : Connection timed out” this is probably because your host won’t allow external SMTP connections. If they provide an internal SMTP server, that is usually allowed.
  • Email package size. This is the maximum number of emails that will go out in one batch. So if you have 40 emails to send out and this is set to 20, the first 20 go out as a group. What happens to the other 20? They go into a queue. The next time there is traffic on your forum, phpBB will attempt to send out the next 20 emails in the queue. Set this to 0 and the queue goes away. There are some problems with this approach:
    • It’s slower because it takes time to send out an email to one user, wait for an acknowledgement from the mail server, then send the next
    • It’s possible that this will take so long that the process will time out, something more likely on shared hosting
    • If you hit some sort of outgoing email quota, not all emails will go out and you may not be aware there is a problem
  • Contact email address and return email address. These email addresses should exist as real mailboxes. Your web host control panel should have a feature allowing you to create email accounts. (You can also set up forwarders to send any email these accounts receive to one you will read.) In addition, it is highly advisable that these email addresses use your domain. Why? It lessens the likelihood that the email will be considered spam because:
    • It’s coming from an email address associated with the IP address of your domain
    • Because these email addresses actually exist it suggests the email is legitimate
  • Hide email addresses. If the same email is going to multiple recipients, the email addresses will be BCCed (Blind Carbon Copied) instead of placed on the TO field. Unless your host has a policy of not allowing BCCed emails to be sent, you should leave this set to Yes.

Verify your site name

ACP > General > Board configuration > Board settings. Verify that the Site name field is filled in. Some administrators will blank this out because they don’t want it to appear on their style, as they have substituted a logo for their site name. This is a mistake because outgoing emails, such as email notifications are not distinct. They look like spam because your site name is not in the subject. These emails will often be blocked from being sent at all, or placed in a spam folder if they are received by the recipient. If necessary, you can edit the overall_header.html file in your style’s template folder to hide or remove the site name. (Purge the cache afterward for the change to take effect.)

Verify your web host’s email policies

Since most phpBB forums are on shared servers, it’s important to know what limits there are if any for sending out emails. This can often be found buried in the host’s knowledge base but sometimes it takes a support ticket to know exactly what policies apply. Based on this information you can tune phpBB’s emailing algorithm to match your web host’s policies. Policies often have constraints like:

  • Only X emails can be sent over Y minutes or hours and/or
  • A maximum of Z distinct email addresses can be sent over Y minutes or hours and/or
  • Email FROM addresses must be real email addresses associated with your domain and/or
  • Sending emails using BCC is/is not allowed

With virtual private servers or dedicated servers these rules may be relaxed or not exist. In any event, email spam is obviously a huge issue. It’s reasonable to assume that your web host will be examining outgoing email and blocking any email it thinks is spam.

Setting the correct email package size

Based on knowing your host’s email policies you can figure out a correct email package size. For example, if a maximum of 25 emails can be sent every 5 minutes, a good email package size would be 25, although it might be better to set it a bit lower, perhaps to 20. If 25 are allowed and you set it to 40, then it’s possible 25 will go out and 15 will not.

Using a system cron

If your email package size is greater than 0, then phpBB will create a queue of emails if necessary. So if you have 25 to go out but specify 20 in a package, 20 will go out and 5 will go into a queue. When do the next five go out? Here’s the rub: by default they will go out the next time there is web traffic to your forum. (ACP traffic doesn’t count.) So if your board doesn’t get much traffic, it could be hours or days later before the next 5 emails go out. This is not good if your users expect timely notifications.

A better way is to use a system cron. This helps send emails out on a timely basis plus it allows you to be congruent with your web host’s email policies. Creating a system cron is a bit tricky and may require someone with these skills to set it up. Of course you can hire me to do this for you. Procedures are outlined on phpBB’s Wiki.

To enable a system cron, go to ACP > General > Server configuration > Server settings. Set Run periodic tasks from system cron to Yes, then program the necessary cron job on your web server. This will disable phpBB’s default cron that depends on board traffic. Instead, depending on the interval you set with the cron job, a system cron built into your web server’s operating system will trigger periodic events that will process the email queue and other phpBB work.

In the above example, if we know the policy is not to permit more than 25 emails per five minutes, a cron job like this could be programmed to run every five minutes:

*/5 * * * * cd "/path/to/board"; ./bin/phpbbcli.php cron:run

On shared hosting this often won’t work. See the Wiki for details, but something like this might work instead. (Note in this case you would not want to set Run periodic tasks from system cron to Yes.)

*/5 * * * * curl -A=Mozilla/4.0 http://www.yourforum.com/forum/cron.php?cron_type=cron.task.cron_task

Troubleshooting outgoing email issues

If there are errors sending out emails, phpBB may trap these in its Error log: ACP > Maintenance > Forum logs > Error log

Sometimes though phpBB cannot detect problems. You may find clues in your web server error log, if one exists and you can read it. Sometimes you will see an error_log file in your phpBB root folder, or in the website’s root folder, or in a /log directory that can be found with the web host’s File Manager. Looking at it or downloading it for examination may show error messages that will point to the root of the problem.

In many cases though you can’t solve them. You will have to get your web host involved. They will have to look at email server logs to see if anything shows there and provide guidance.

Troubleshooting recipient email issues

If you are confident that emails are being sent to users, then most likely they are being received but not seen because they are ending up in a spam folder. In most cases there is not much you can do about this problem.

Most email programs allow users to create rules to automatically move certain emails in the spam folder into their inbox instead.

It’s possible that your domain has been blacklisted for sending spam, or what others think is spam. You can check to see if this is a problem. In many cases you can appeal to the blacklist site and get the block removed. blacklistalert.org is one such site.

Changing phpBB’s default language for all users

This post was updated 13 Feb 2018 to bring it up to date.

When you install phpBB, it installs the default British English language pack. It’s possible to install additional language packs for your users. They can be downloaded here. Instructions for installing a language pack are here.

Users can switch to the language pack they prefer in the User Control Panel. The last link demonstrates how users can do this. The language pack changes phpBB’s default text. It does not change the language of posts and private messages.

Particularly after an upgrade or conversion, you may be left with hundreds of users who used to use a different language pack but now must use the British English language pack. Suppose you want to change it so that all users are using a different language pack. Is this possible?

Yes, there are two ways of doing this:

Delete British English Language Pack so a new default language pack can be used

This approach assumes you have already loaded the new language pack and enabled it. It also assumes aside from British English you only have one other language pack installed. Warnings:

  • Make the language pack is up to date for your version of phpBB. You can download current language packs here.
  • Make sure the language pack contains language settings for the Administration Control Panel. You can examine the archive or check it on your file system after it is installed. Look for a /language/<lang_code>/acp folder
  • The British English language pack is not physically removed if you use this approach, it is just disabled.

Here are the steps:

  1. ACP > General > Board configuration > Board settings
  2. Change the default language from British English and press Submit
  3. ACP > Customise > Language Management > Language Packs
  4. Delete the British English language pack.

This makes the other language pack the default for all users. If you need to reenable the British English language pack do it on the Language Packs page by clicking on the Installer link.

Keep the British English Language Pack as the default and change users’ languages on the back end

You can manipulate the database using a tool like phpMyAdmin you can change it with a database SQL command.

  1. Look for a database manipulation tool like phpMyAdmin in your web host control panel and open it. Sometimes you will get a pop up window asking for a username and password. If this happens use the database username and database password in the config.php in your forum’s root directory.
  2. Select your forum’s database. You can also see the database name and the machine the database is on (the machine is usually localhost, or the server you are using) in the forum’s config.php file.
  3. Your table prefix may not be phpbb_. The forum’s config.php file will indicate if another table prefix is used.
  4. Verify the language code you need. Use a tool like phpMyAdmin to browse the phpbb_lang table. Make note of the value in the lang_iso column for the row containing the preferred language. In this example, I will assume French, which uses the fr language code.
  5. Now enter the the database command (SQL). In phpMyAdmin this is done by clicking on the SQL tab for a table in your forum’s database. Change the table name to use your correct table prefix if necessary. Also make sure the language code you use is correct based on what you saw in step 4 and change as necessary:
UPDATE phpbb_users SET user_lang = 'fr'
  1. Execute the query.
  2. Now go into phpBB and purge the cache.

That’s it!

Session hijacking: what’s (probably) going on

Over the last couple of months I’ve had a number of clients come to me because of mysterious things happening on their forums. Going to a forum they find that they are logged in as someone else and can see things they definitely should not see, such as private messages and forums they don’t have privileges to see. I’ve spent a lot of time trying to figure this out talking to client’s web host support teams and scouting phpbb.com for a solution.

The good news is that this is not due to some deficiencies in phpBB. The bad news is that this is due to the way your web host has configured their servers and it’s affecting phpBB.

phpBB is the #1 forum solution, with something like 70% of the market. But as a percentage of popular software installed on websites, phpBB is tiny, on about 1% of websites. What’s the 800 pound gorilla? It’s WordPress, which runs 27% of websites. So web hosts will meticulously tune their servers to optimize for WordPress, giving short shrift to much of the rest of the open source software out there. Most web hosts now say they are optimized for WordPress and market WordPress-specific hosting. phpBB is being left behind along with lots of other software. Because phpBB gets most of its content from a database to be presented on the fly, more than most open source solutions it is not amenable to static content.

The problem is most acute if you have Bluehost shared hosting. The underlying issue is some software called Varnish, more specifically Varnish HTTP Cache. Varnish helps dynamically driven sites perform more efficiently by caching content in your server’s virtual memory. Web hosts can make more money if they can get more utilization off one one web server. Varnish is one way they keep costs down as it allows them to stuff more websites on one machine.

Varnish is kind of pointless with phpBB since phpBB already has its own cache, which you can find in your forum’s cache folder. Essentially phpBB programs, templates, stylesheets and SQL calls are all compiled into .php programs in the cache folder so they can be executed more quickly. So it’s duplicitous but more importantly interferes with phpBB’s default behavior. So if you have the issue, contact your web host to find if they are using Varnish and if so have them turn it off. As for Bluehost, as of this writing they will tell you they can’t turn it off. You have shared hosting so one size fits all. They will however be happy to move you to their cloud product. Varnish is not installed there, so you won’t be affected. However you may have to pay a higher hosting fee.

It’s unclear if Varnish is the sole cause. Other potential problems may be due to Content Delivery Networks (CDNs). This is most typically CloudFlare, since it is bundled free by most web hosts. CDNs attempt to move content closer to the user by having it fetched from server farms geographically close to the site viewer, thus speeding up page load time. This is usually fine with phpBB since CDNs generally only store static files like images. So a CDN shouldn’t cause issues like this, but if you have a CDN you might want to disable it to see if the problem goes away. Note: the one time you do need to do something with your CDN is when you add a style or significantly change the look of your site. Then it’s a good idea to tell the CDN to delete all its cached content. Otherwise, the experience by end users might be mixed or odd.

I also suspect that ModSecurity may be causing issues like this, but I don’t have enough proof yet. If it is enabled, disabling ModSecurity may make your problem go away. As I blogged recently, disabling ModSecurity in general tends to solve a lot of weird phpBB issues, while it may introduce others by potentially making it easier for your site to propagate malware and viruses.

ModSecurity can cause problems with phpBB

If you are noticing weird errors on your phpBB forum which otherwise has been running well for years, ModSecurity may be causing them. I’ve been noticing a lot of issues with phpBB forums lately that have ModSecurity as the root cause.

What is ModSecurity?

It’s a web application firewall, wholly open source. As its name implies, it’s job is to tighten up the security of a web server. Web servers are prominent targets for hackers, of course. ModSecurity was originally written as a module for the Apache web server. It has lots of functions of course but its main job is to prevent hackers from damaging web servers and the websites that reside on them. Started in 2002 for Apache, it now serves all principal web servers on the web, including NGINX and IIS.

How does ModSecurity cause problems with phpBB?

It appears that ModSecurity and phpBB don’t get along very well. These problems may be occurring because the web host added it or turned it on for you and didn’t tell you. ModSecurity can generate various application errors causing the behavior of phpBB to change. In one recent example, when a client tried to click on the Administration Control Panel link, he was redirected to his website homepage instead. Disabling ModSecurity solved his problem.

Here are some other symptoms caused by ModSecurity intercepting and redirecting web traffic that my clients experienced recently:

  • In phpBB 3.2, the Viglink and share forum statistics screen come up in the Administration Control Panel by default after you update to that version. There are checkboxes that allow you to uncheck these. In this case unchecking these and submitting the form generated an unfriendly error message: “Unused” and reported an internal error. This made it impossible to get to the General tab and do things like purge the cache.
  • A forum would not come up at all. Only a white screen appeared. Disabling ModSecurity solved the problem. Note: other issues can cause this, including malware or syntax errors introduced into your forum’s phpBB code.
  • In phpBB’s /cache/production folder, files are created by phpBB with an “autoload_” prefix. These were getting deleted outside of phpBB, triggering PHP warnings. Turning off ModSecurity caused the problem to go away (after purging the cache).

How do I know if I am using ModSecurity?

Administration Control Panel > PHP Information. If your web server is Apache, search for “apache2handler” and look at the loaded modules. Scan for “mod_security” or “mod_security2”. If it’s there, it’s enabled. If you can view your web server error log, scan it for “mod_security”. If you find it, it’s enabled. You can also ask your web host if they have it enabled for your site.

Is it safe to disable ModSecurity?

Perhaps not but you may not be able to have anyone access your forum unless you disable it. Most likely ModSecurity’s rules are not optimally written to accommodate phpBB forums.

Can I disable ModSecurity just inside my forum and leave it enabled on the rest of my website?

Perhaps. Try adding this to the top or bottom your forum’s .htaccess file. If the problem goes away, you are done! (The IIS web server does not use the .htaccess file.)

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off

How do I turn off ModSecurity for my domain?

Look in your web host control panel. If there is a security section, there may be a feature there to enable or disable ModSecurity. Disable it if you can find it. You may have to ask your web host.

Where should you be hosting?

It’s not unusual for forum owners to want to rehost. Rehosting though is a big decision. You generally pay for a year or more of hosting up front and you have no assurance that the new host will be better, or even as good, as your current host. In addition, moving a forum to a new host is a pain, which is why a significant part of my business is helping clients move their forums. If you’d like me to help, send me an inquiry.

It does beg the question of where you should move to. Generally the pain level has to be pretty high to move to a new host. It’s often easier to renew what you have or pick a higher level of service with your current host than tackle the time and expense of rehosting.

Hosting is in flux

For the most part you are left to sifting through the general hosting market to figure out a good host. And the hosting market like much in the IT world is in flux. Thus, my recommendations to clients has changed over time. For example, I used to recommend HostGator to my clients and even hosted my sites there too. Then Hostgator became a victim of its own success. It got bought out and is now just another company that is part of the Endurance International Group portfolio. About the time they were bought out, the quality of their hosting declined. I noticed a marked decline in their technical support. Needless to say I don’t recommend Hostgator anymore.

High usage solutions

Certain forums fall into a specialized class of hosting. If you are one of these forums, you are already probably on specialized hosting. Mostly these are highly trafficked forums. To deal with the hundred or thousands of posts per day, you are likely on a dedicated or virtual private server, and are probably paying handsomely for the privilege. If you fall into this category but are on shared hosting, you probably are having issues and need to pay for one of these solutions.

Stick with commodity software

One thing for sure: get generic web hosting. This means you need a cheap LAMP stack: Linux (operating system), Apache (web server, although nginx is acceptable), MySQL or MariaDB (its clone) for the database and PHP for the scripting language. phpBB of course is written in PHP so it must be available. Don’t pay for Windows hosting. It’s more expensive, you don’t need it, it adds complications and you will probably get poorer performance.

My guess is less than 2% of forums fall into the high usage category, which means generally that inexpensive shared hosting is where most forums belong. Okay then, which shared hosting? There are lots of hosting guides on the web, most of dubious value. Working with lots of clients though I can tell you my own personal opinions. The final choice may come down to which services you value the most, such as fast and convenient technical support. As a general rule this is not available for shared hosting.

Here are my current ratings for popular web hosts with notes as applicable. I have no axe to grind and I make no money from these opinions so at least you know they are unbiased.

Shared Hosting

  • Grade A
    • Siteground – No telephone support but chat and ticket support. Nonetheless it is smartly engineered and well thought out with features like automatically managed Let’s Encrypt security certificates.
    • Bluehost – Technical support is a bit slow but you can usually get a hold of someone within half an hour or so. Great support once you get a representative. On par with Siteground. You might want to choose between them based on price or features.
    • MediaTemple (Grid service) – Proprietary control panel (not cPanel or Plesk) but uses all solid state drives. A bit harder to use than cPanel-based sites but much more reliable and fault tolerant than what is typically available, as well as faster-serving due to the solid state drives and the built in Content Delivery Network (CDN). Stay away if you are not particularly technically inclined. Redundancy is built in making it a great choice if you need high availability. This is actually Amazon Web Services under the hood but made much less geeky for us less technical people. Terrific and fast technical support but you have to understand their boundaries of what’s available on the Grid service.
  • Grade B
    • Hostpapa
    • 1and1 – Available in many countries including UK and much of Europe.
  • Grade C
    • Hostgator – See above
    • GoDaddy – Much better than they were a few years ago, decent technical support but sometimes there are frustrating issues with how they have their shared hosting configured. Lately I’ve been having users complain about poor integration with phpBB 3.2.
  • Grade D
    • Web.com – Really poor technical support with Level 1 techs who know very little and work hard to make you just go away. Their web hosting configuration is suboptimal, confusing, nonstandard and often causes problems as a result. If it’s anything beyond the most routine issue they will want to forward you to their Level 2 service for which they will charge a $75 fee.
    • Network Solutions – Part of the same conglomerate that owns web.com. It’s ironic considering Network Solutions used to be the center of the Internet, responsible for maintaining the whole Domain Name system. As a host though they suck and are expensive.
  • Grade F

Virtual Private and Dedicated Servers

For highly trafficked forums only. You basically need to be a system administrator or can hire one to use these solutions. Don’t expect any handholding because you will be lucky if you get any.

  • Grade A
    • MediaTemple – a premium web host worth paying for with terrific technical support
    • Rackspace – services more the business community with prices accordingly, but top notch
  • Grade B
    • Digital Ocean – nice fancy infrastructure with all solid state drive but you are basically on your own. You need to be a techie. Their host control panel can be baffling if you are used to cPanel.
  • Grade C
    • 1and1 – great prices for this class of service, but servers seem to be old and underperforming. Technical support is above average for this tier.

Specialized solutions

  • Amazon Web Services EC2 – only for geeks, but it allows scalable cloud computing. There are AMI (Amazon Machine Instances) for phpBB that you can install.

Obviously I left out lots of hosts as there are hundreds out there. I reference the ones I work with most frequently with clients. Please leave comments about your experiences so others can benefit or avoid mistakes.