Fixing insecure content issues in phpBB

So you’ve decided to use HTTPS for your forum to show your content securely. This is good and it’s not too hard a thing to do in most cases. Everything looks good but sometimes you notice on browsers like Chrome the little green lock icon up on the URL field disappears. What’s going on? If you investigate by clicking on the icon you can usually figure out what’s going on: there is some insecure content on the web page.

What is insecure content?

Insecure content is content embedded on a web page that is delivered insecurely, i.e. from a web server using http instead of https. Usually these come from external sources, and are typically externally hosted images that are served insecurely.

One way to investigate these is to view the HTML source of the web page. Use the Find feature to scan for URLs with http:// instead of https://. The issue occurs with embedded images like this:

<img src="http://www.externalwebsite.com/myavatar.jpg" />

If all these URLs could be changed to something like:

<img src="https://www.externalwebsite.com/myavatar.jpg" />

then all would be well, that is if the external website supports https.

How do you fix these problems? There are typically two places where these problems manifest:

  • In post text
  • In the user’s avatar

Here are some approaches you can use to fix the problem:

Use the Image Redirect extension

As of this writing the Image Redirect extension is a Beta release, so it is not recommended that you install it on a production system. This extension also requires that you set up a proxy server on your web server, which is not a trivial task and something you may not be able to do on your class of hosting. Camo Proxy is one example of a proxy server you can install. This extension scans the page for these external image URLs, fetches the images through the proxy and changes each URL so that the image is served from your proxy copy, which will be on your machine and served securely. In theory this extension should solve all issues like this. Note that it takes some time to create a proxy image if it is not cached and this adds some small overhead, which may slow page rendering.

Fix the embedded URLs in your database

This works by changing the URLs in your database. You scan for http:// and replace it with https://. Using this approach has some limitations:

  • The server serving the remote content may not have https installed. What generally happens is the image is not served and a white box appears instead. This could make lots of posts look off or unacceptable, particularly if these images are large.
  • While it corrects existing URLs, it doesn’t prevent someone from doing the same thing in the future.

If you can live with these limitations, you can fix it in the database. This approach assumes you have MySQL or MariaDB as your database and that the REPLACE function is available. It also assumes you have phpMyAdmin or a similar way to issue SQL (Structured Query Language) commands to the database. In phpMyAdmin, there is a SQL tab where you can type in and execute SQL. Just make sure you use a SQL tab for your database.

There are two tables that typically need fixing: phpbb_posts and phpbb_users. Steps:

  1. Disable the forum
  2. Back up the forum’s tables. Make sure it is a complete backup by downloading the extract, uncompressing it if necessary and looking at the end of the file. There should be SQL in there populating the phpbb_zebra table at the bottom of the file.
  3. Use phpMyAdmin or a similar tool to go into your database. If you are not sure which database you need to modify, look at your forum’s config.php file. The database name is in the file.
  4. You can examine the extent of the problem by first looking at each table. In these examples I assume your table prefix is phpbb_. The config.php file contains the actual table prefix, which may be different.
     -- Posts that embed an image over http://
     SELECT post_text FROM phpbb_posts WHERE post_text LIKE '%IMG src="http://%';
     -- Users whose remote avatar is served over http://
     SELECT user_avatar FROM phpbb_users WHERE user_avatar LIKE '%http://%';
  5. To actually fix these, use the following SQL:
     -- Note: REPLACE rewrites every http:// in each matching post, including ordinary links
     UPDATE phpbb_posts SET post_text = REPLACE(post_text, 'http://', 'https://') WHERE post_text LIKE '%IMG src="http://%';
     UPDATE phpbb_users SET user_avatar = REPLACE(user_avatar, 'http://', 'https://') WHERE user_avatar LIKE '%http://%';
  6. Reenable the board
  7. You might need to purge the cache, but it should not be necessary.
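The first limitation listed above (remote hosts without https) can be reduced by rewriting only image URLs on hosts you have checked yourself. The following is an added example, not code from the original post: it counts http:// image references per host, then rewrites only the IMG src attributes for hosts in a set you supply, leaving ordinary links and unchecked hosts alone. The sample post_text values, host names and function names are constructed for illustration, and the https_hosts set is assumed to come from your own checks.

```python
import re
from collections import Counter

# The attribute the page's LIKE pattern looks for: IMG src="http://host/path"
IMG_SRC = re.compile(r'(IMG src=")http://([^/"\s]+)([^"]*")')

# Constructed, simplified post_text values (not real forum data).
SAMPLE_POSTS = [
    '<r><IMG src="http://img.example.net/cat.png">cat</IMG> and '
    '<URL url="http://old.example.org/faq">the FAQ</URL></r>',
    '<r><IMG src="http://legacy.example.com/banner.gif">banner</IMG></r>',
    '<r><IMG src="http://IMG.example.net/dog.png">dog</IMG> '
    '<IMG src="http://img.example.net:8080/cam.jpg">cam</IMG></r>',
    '<t>No images, just the text http://plain.example.org</t>',
]


def insecure_image_hosts(posts):
    """Count http:// image references per host so you know which hosts to check.

    A host with an explicit port is counted separately, because https on the
    same non-standard port is unlikely to work.
    """
    hosts = Counter()
    for text in posts:
        for match in IMG_SRC.finditer(text):
            hosts[match.group(2).lower()] += 1
    return hosts


def upgrade_images(post_text, https_hosts):
    """Rewrite http:// to https:// only inside IMG src attributes whose host is
    in https_hosts (hosts you have confirmed serve the image over https).

    Returns (new_text, number_of_urls_rewritten). Links and images on other
    hosts are returned unchanged.
    """
    allowed = {h.lower() for h in https_hosts}
    changed = 0

    def swap(match):
        nonlocal changed
        prefix, host, rest = match.groups()
        if host.lower() not in allowed:
            return match.group(0)
        changed += 1
        return f"{prefix}https://{host}{rest}"

    return IMG_SRC.sub(swap, post_text), changed


if __name__ == "__main__":
    print("Hosts to check:", dict(insecure_image_hosts(SAMPLE_POSTS)))
    verified = {"img.example.net"}  # assumption: confirmed by hand to serve https
    for post in SAMPLE_POSTS:
        new_text, count = upgrade_images(post, verified)
        print(count, new_text)
```

Images on hosts that stay on http:// remain insecure content, so they still need the proxy approach or removal of remote images.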

After these steps, some users may notice that their avatar no longer serves and there is a big, ugly white space instead. They may try to change the URL in their Avatar settings back to http:// to restore it, in which case the problem may recur. This option can be disabled (see below). In general they should be encouraged to upload an avatar so it can be served from your web server, which will then serve it securely.

Preventing future insecure content

For avatars, the issue is due to allowing remote avatars. This can be changed: ACP > Board configuration > Avatar settings > Enable remote avatars > No

For posts: ACP > Posting > Post settings > Allowed schemes in links. Remove http from the comma delimited list. Note that this may affect non-images that are pasted into the post, so consider carefully if you choose this approach.

 

Should I install phpBB?

What are you getting into when you install phpBB? phpBB, open-source forum software for the web, is often simple to install. Most web hosts have a scripting center that allows you to install it on a domain in a few clicks. But should you?

It’s not like there aren’t other forum solutions out there, although arguably phpBB is the one that has survived the longest. To name a few, there is commercial vBulletin software, myBB, Xenforo, Phorum and pUNbb. There are also forum plugins. For example, WordPress has BBPress and BuddyPress. Since I specialize in phpBB I can’t speak with much authority about other forum solutions. However, as a software engineer I can highlight what I think some of phpBB’s strengths and weaknesses are, the subject of today’s post.

What is forum software exactly?

Before you decide on any forum solution, understand what forum software is. Forum software is not blog software. It’s not a place that you use to rant about stuff that interests you and which others can comment. It is software that allows lots of disparate people to discuss certain topic areas elegantly. It imposes discipline on the content it manages by keeping things organized in forums, topics and posts.

Forum software is used by discrete communities that have something in common and want to share that information in an open manner. Usually what they are discussing is pretty specialized. For example, it might be a support forum for a commercial or open-source product (phpBB.com uses phpBB for its support forum), or a fan site, a bunch of people who own a particular type of boat or plane, whatever! Forum software allows people to create and reply to topics. It’s designed to run independently of a framework. For example, the BBPress plugin for WordPress requires it to work as an add on to WordPress, which means that to use BBPress you must also be a WordPress user on the site. Similarly, Facebook groups can act a bit like a forum, but it requires you to join the Facebook enclave. Facebook however does not organize content in its groups into forums and topics. Most forum software is designed to be standalone, and this is certainly the case with phpBB. It’s not designed to work with WordPress or any other content management system. In our social media age, this is sometimes a drawback.

phpBB’s emergence

phpBB has a long and proud legacy. Version 1.0 was released in 2000, at just the moment that the PHP language became dominant on the web, replacing mostly a lot of Perl scripts. Timing was everything. It was written in PHP, used the popular free MySQL database and was free and open-source. “Open source” was kind of a new thing back then, but it was essential to its growth. Not only was it free, anyone could modify it.  So it got downloaded and installed like crazy. It’s still widely used today. Most support sites run on phpBB. This means you have probably used phpBB already, even if you aren’t aware of it. So it will seem comfortable and familiar, even if you don’t understand why.

Version 2 came a year later in 2001 and is still being used today by many sites because it is fast and lightweight. Version 3 was released in 2007, which thoroughly modernized it. Version 3.1 arrived belatedly in 2016. Its big feature was extensions, similar to WordPress plugins, plus responsive styles, so things looked good on mobile devices. Prior to 3.1 if you wanted to extend phpBB’s functionality you installed “mods”, which were code changes inside the source code and which made upgrading phpBB difficult. 2016 saw the release of version 3.2, the current version, which looks and behaves a lot like 3.1 but addressed some annoying issues mostly on the backend.

While phpBB was undoubtedly popular, updates were infrequent and its huge legacy base made it hard to push out new versions. Its team of core developers worked inefficiently together, in part because the tools for doing so were relatively primitive at the time. This allowed many other forum solutions to emerge to fill the feature gap while the phpBB group lumbered awkwardly forward into the future.

phpBB’s strengths

I first installed phpBB 2.0 in 2002 and have followed it since then. I have developed modifications and extensions, as well as generating good income from helping users upgrade and migrate their forums. In spite of the phpBB Group’s sometimes lumbering organization, it’s got some major strengths:

  • Institutional legacy. Simply because it’s been around so long, it tends to get widely installed and used. Those who have phpBB forums rarely move to other forum solutions.
  • Familiarity. Most likely you already know how to use phpBB because you have used it on various sites. While the forum/topic/post metaphor is hardly new, phpBB’s implementation of it garnered it a lot of attention and traction, so most forum solutions try to imitate it while addressing its perceived deficiencies.
  • A fanatical devotion to open source. The phpBB Group developers walk the walk on open source. They are really quite devoted to the whole idea of open source software, quite fanatical and arguably more than a little obsessed about it. They don’t give preference to any particular technology (except PHP and web standards like HTML, CSS and Javascript) and try to give you flexibility. For example, most forum solutions are written only for the MySQL database. Despite the fact that hardly anyone who has a phpBB forum uses databases other than MySQL, they support a whole host of other databases including Postgres, SQLite and Oracle.
  • Terrific support. phpBB’s support forums are phenomenal. You will likely find a dozen answers to your question with a simple search but if not a quick post will generate fast response, often from dozens of highly experienced support members, all volunteers. They are so good that in most cases the problems I encounter I don’t have to solve. I can find the solution on their support forums.
  • An anal obsession to standards. This is both a strength and a weakness. WordPress has now something like 40% of the web site market, but WordPress runs fast and loose. It’s not hard at all for people to create buggy plugins and non-optimal themes and WordPress will approve a lot of these. WordPress is a Wild West place where you are never quite sure if what you are adding on is crap or gold. That’s not a problem with phpBB. They go to extraordinary lengths to check their releases for bugs, running them against a host of security tools and making the base code pass thousands of detailed automated tests. I doubt there is an open source project that releases higher quality code. As an extension author, I am impressed and sometimes annoyed by how difficult it is to get my extensions approved. They inspect everything with incredible care and make sure you adhere to their voluminous and often somewhat obscure coding standards. This also makes things slow as there are plenty of extensions and styles in the review queue and reviews can take months. Rest assured though that officially approved extensions and styles are top quality.

phpBB’s weaknesses

  • Lack of agility. The phpBB Group’s tendency toward being anal also means they are not agile. It’s hard to bring out new versions of phpBB since everything must be nitpicked to death. Arguably this is also because there are tons of features and options in phpBB; look through all the Administration Control Panel’s various screens sometimes to get an idea of how many features can be changed, enabled and disabled. Its permissions system alone is awesomely powerful while awesomely obscure. When finally released, new versions tend to be very stable and rock solid but if you are an impatient person, your patience will definitely be tested and then some. On the other hand, their development practices are top notch. They use state-of-the-art testing, development and bug tracking tools. They have daily builds of their software to see what breaks.
  • Legacy architecture. Adding new features tends to be excruciatingly difficult not because their code is not modular enough (this problem largely went away with phpBB 3.1) but because the database is so baked in. Many features would mean large changes to the database. Business logic is baked into many different programs, although phpBB 3.1 introduced classes (the whole /phpbb folder) that addressed a fair amount of this problem.
  • No multi-threaded topics. This means you can’t see a set of replies to a particular post within a topic, or get a hierarchical view of replies to a topic.
  • Standalone. It doesn’t integrate with anything, at least not elegantly. It won’t work seamlessly with your content management system, like WordPress. The closest it comes to this is that it supports authentication via LDAP (Lightweight Directory Access Protocol), but even so users must still create accounts on the forum to use it.

There is a lot more to this topic that I may delve into in future posts. But this post at least gives you a heads up. phpBB is great software: stable, reliable, well tested and industrial strength. If you can live with its functionality and limitations and are okay if the features change slowly at best, it’s still a terrific solution. If you need more agility from your forum solution, you might have to look elsewhere. However, any other solution you pick may not hang around. phpBB is eighteen years old and is likely to survive another eighteen years without a sweat.

 

You probably don’t want to host phpBB on Amazon EC2

Occasionally I do something new. This month something new meant helping to rehost a client on Amazon Web Services (AWS). AWS provides cloud computing services, and its EC2 service (EC = Elastic Computing) is probably its most popular service.

Cloud services provide scalable services. Also, you pay for what you use. They can be configured so that if there are spikes in demand the service will become “elastic”, scaling to meet demand.

I did not do this rehosting by myself. The client had another technical guy that set up and configured his AWS EC2 workspace. The forum is very large with 2.6M posts. In addition to rehosting the forum, I had to upgrade the client at the same time to the newest version of phpBB and move his WordPress site. This project literally took months to complete, although I was not working on it all the time.

I don’t know what Amazon Machine Instance (AMI) was set up in this case. I don’t think the AMI chosen was ideal because WordPress had technical issues that required fine tuning EC2 to get things to work. One thing I took away from the project though is that there is a “tax” if you move to AWS. The learning curve is steep and the tools available to you are minuscule.

Some lessons learned:

  • AWS doesn’t do any handholding. While you get a console to configure EC2, you don’t get any rich control panel like cPanel or Plesk to allow you to easily do complex things. So there is no File Manager, no phpMyAdmin (unless you want to install it yourself), no easy way to create mailboxes or send email. Instead, you need a UNIX geek. I was given a SSH key file and I had to use that to do my work. This meant doing pretty much everything from the command line.
  • Connecting to the AWS workspace was complex since I had to use SSH. The command lines used to connect with SSH were long to type in and easy to get wrong. I had to reference an argument to use the key (.pem) file I was given. When you work from the command line, it’s easy to type something incorrectly. So you often end up typing the command multiple times until you get it right. Closing and opening sessions becomes time consuming and a hassle.
  • To access the database, I had to do it from the command line. It took a while to get database credentials and since I had to do things from the command line again I had to type statements very carefully. I had to export and import databases but getting the syntax just right was challenging. I frequently had to go into the database to tweak things, which meant typing a lot of SQL statements. It’s a good thing I am very fluent in SQL. This really slowed me down. Had I had phpMyAdmin, I would have saved hours of time and hassle.
  • File permissions were a pain. The default user did not have the permissions to the web root folder, which meant becoming root and granting correct group and file permissions. Then secure FTP would work. These problems kept recurring which made the process quite tedious and time consuming.
  • The Apache web server was not configured correctly for WordPress. The AMI was apparently not tuned for WordPress, so it took research and careful editing of a httpd.conf file to get the settings right. Then the web server had to be restarted from the command line, which is not intuitive, particularly since it had to be done as root.
  • Editing files became a pain. There was a lot of this, mostly tweaking forum styles, templates and configuration files. Since I had only the command line, I had to use a command line text editor. I chose nano, but it was still tedious. There is also a lot of command line navigation to get to the right folders where you needed to do stuff. This would have been easier if I had an editor on my computer that worked with SSH and .pem files. I had the former but not the latter, as I use an old copy of Dreamweaver to more easily edit files remotely.
  • I often had to become root to do things, like read the error_log file to troubleshoot issues.
  • The database import for the forum failed three times. I finally figured out the issue from the obscure error message. I had written two triggers for the client and that required CREATE TRIGGER privileges that were not granted to the default MySQL DBA. I had to snip these lines out of a 2GB+ export file to get the import to succeed. This has never been a problem on other hosts I have worked on.
  • Setting up HTTPS was a pain. It too required special permissions to create public and private key files, on the command line only, of course. It took many attempts before it worked and a valid certificate was installed. While we were waiting to test WordPress and the forum, it required using the long URL provided by AWS, which meant changing the configuration of WordPress and phpBB via the database.

I suspect that the wrong AMI was used or that using a better one would have prevented a lot of problems. In any event, the move to AWS turned out to be tricky, time consuming and a large hassle. For my client, it was an expensive endeavor. It turned out that all this work turned into my largest bill ever. In that sense it was good, although I would have been happier if it had taken a lot less time and a lot less of his money.

Now that my client is on AWS though, as long as it is tuned properly there will be some big advantages. Hosting may cost less in the long run, and the service should be more predictable and scalable.

If you take up a project like this, you will definitely need someone who has set up AWS EC2 instances successfully and will work through all these issues with you. Even so he could not do it alone. The migration took four days to complete, although the forum was functional in less than twenty four hours.

For very large forums that need scalability and high reliability, using a cloud service like AWS makes a lot of sense. However, a project like this should not be taken lightly. Most forum owners will probably be much more comfortable on a good shared host, or a good virtual or dedicated server. 

 

Avoid hosts owned by the Endurance International Group

As I have noted before, since I work with many clients I have developed hopefully informed opinions about many web hosts. Perhaps I should not paint with a broad brush but I do have one suggestion: avoid any web hosts owned by the Endurance International Group.

Web hosting tends to be a low profit business. With so much competition, customers will shop around for the best deal. This results in many hosts offering cheap plans for $5 or $10 per month. Web hosts can hope to find profitability in volume but since there is a lot of competition profitability usually comes from consolidation. The Endurance International Group buys web hosts. It looks like they find profitability through throwing all these companies under one umbrella and one hosting center.

I used to host with Hostgator. I found their support good and their infrastructure above average, yet their pricing was very reasonable. Then they were bought out by the Endurance International Group. Almost immediately afterward their support became crappy and I noticed delays accessing my domain as well as infrastructure related issues. When my hosting contract was over, I was happy to move somewhere else.

When you call these companies for support, you are immediately placed into a third-level support queue. After you finally connect with a human, these brain-dead support people follow scripts that are designed basically to not solve your problem and make you go away. Moreover, I found myself far more knowledgeable about hosting and how to solve problems than they were. They could rarely even cover the basics. If you needed real help I found I had to badger for second-tier support.

All this is to keep their costs low since one support center for dozens of companies is obviously cheaper. But it results in inferior service, as evidenced by my experience with hostgator.com.

Endurance International Group owns a lot of hosts, most pretty obscure. Those they purchased that you may be familiar with include Hostgator, Bluehost, Hostcentric, iPage and Site5. You can see a full list of the brands they bought on this Wikipedia page.

Given the low margins, the hosting business is likely to continue consolidating. There is certainly a lot of smoke and mirrors in this business. What used to be good hosting can turn into poor hosting pretty quickly when they get acquired. This is true of MediaTemple, at least its Grid Service, based on my latest experience since it was bought by GoDaddy. Right now my recommended hosts include Siteground for most hosting and Rackspace for dedicated and virtual server hosting.

It’s quite clear to me though that you are likely to be unhappy with any hosting owned by the Endurance International Group. So avoid.

Why you might want to use SMTP to make emailing more reliable

Emailing from phpBB is often problematic. In a previous post I looked at various ways to make sending email from phpBB more reliable.

In this post I look at why you might want to configure phpBB to use SMTP (Simple Mail Transfer Protocol) to send emails. If you are using a Windows web server (IIS), this is usually required. You can change these settings in ACP > General > Client communications > Email settings, which can be set halfway down the page.

By default, phpBB hands off email to PHP using PHP’s mail function and hopes for the best. If the mail function returns FALSE, the email should not have gone out. You won’t necessarily know if it fails, however. Known email sending failures appear in phpBB’s error log: ACP > Maintenance > Error log.

Even if the PHP mail function returns TRUE, it may be a false report. In many cases TRUE only means that the mail was accepted. Whether TRUE means “accepted” or “successfully sent” depends on how your host’s email server is configured.

Once accepted by the email server, the email is likely to be closely examined. If it has some of the markers of being spam, it will probably get blocked from actually being sent out. In this case, you probably won’t know about it. You can greatly improve the odds that emails will go out successfully if you:

  • Create an email account that uses your forum’s domain, ex: admin@mydomain.com
  • Assert this email address in phpBB: ACP > General > Client communications > Email settings. Set this email address for Contact email address and From email address.

By default on Linux web servers (most typical kind of hosting), PHP’s mail function sends outgoing email to a sendmail process. Essentially, emailing is the job of your server’s operating system, so you can’t control it. Because you can’t control it, sendmail will be configured generically. Any other domains on the server you are using will send email out through the same sendmail process.

However, if you use SMTP to send email instead, you have to authenticate yourself with the SMTP mail server. By properly authenticating yourself, emails are likelier to go out. The downside is that it’s a bit of a hassle to set up SMTP. I discovered this on this site when I moved my hosting to siteground.com. It uses WordPress which by default also uses sendmail. Emails weren’t going out. A call to Siteground’s tech support revealed that SMTP was a better way to go. They provided the credentials to use and now my WordPress email notifications go out quickly and reliably. This should work for phpBB too.

Don’t assume that you can use an external SMTP server like GMail. Many web hosts will block outgoing SMTP email. If it’s allowed, by all means go ahead. You should check with your web host for the proper email settings to use.

One possible downside is that outgoing email quotas are likely, but that’s probably also true if your host uses sendmail. Your web host can tell you what policies if any apply to your hosting. See the previous post for instructions on how to properly set your email package size and to set up a system cron, if necessary. Make sure it works by sending a test email, an option available on the email settings page.

Cleantalk extension for phpBB can remove spam posts, plus its spam firewall feature is very useful

This is an update on an earlier post on removing spam posts.

Removing spam posts is hard because it requires actually reading the post and deciding if the post is spam or not and then using moderator tools to remove these posts. If your forum is overwhelmed with spam posts, this is a Herculean endeavor. Ideally though posts could be “read” by software and it would make the judgment on whether it is spam or not.

The Cleantalk extension for phpBB 3.1.x and 3.2.x can do just this as well as lots of other really cool tricks. My customers love Cleantalk, but the service is not free. However, it is so inexpensive that it easily justifies spending $8/year for the service. You can subscribe on the Cleantalk website. As of this writing, you can try it for free for 7 days. After 7 days, it won’t bring down your forum but it will stop working.

What is Cleantalk?

Cleantalk is essentially a huge database of addresses of known spammer sites. While it’s not perfect, based on the experience of my clients it is about 99% perfect. I originally recommended it as a spam registration solution for my clients. It still does that but is less necessary since phpBB 3.2. This is because since phpBB 3.2, version 2 of Google’s reCaptcha is supported. Unless it gets hacked, as long as you have it properly configured as a spambot countermeasure it should prevent virtually all spam registrations.

However, it has two powerful features that still keep it relevant for phpBB forums.

Cleantalk ACP Interface

Installing and enabling Cleantalk

Cleantalk is installed like any other extension. While it can be downloaded from phpbb.com, you should download it from Cleantalk instead or from its GitHub page. This is because as of this writing the version on phpbb.com does not include the spam firewall feature, and you will probably want to enable this feature. You can access it through the Administration Control Panel: ACP > Extensions > Antispam by Cleantalk. Before you can do much with it you have to enter your Cleantalk key which you can get from their website or by pressing the button in the extension that should retrieve it for you.

Removing spam users and spam posts

As you can see from the image, once the extension is enabled and the key is properly configured there is a prominent Check users for spam button on its page within the Administration Control Panel. If you have lots of users, it may hang. Based on my experience though the next time you go into its interface you will see a list of potential spammers.

As I said, it is not perfect. So for users with posts, I recommend checking those users’ topics to make sure their posts are spam before deleting them. For those you want to delete, check the boxes next to their usernames and then press Delete marked. You can also press Delete all to remove all users and their posts. You may have to go through many pages to delete all spam users and their posts, but this is obviously much faster than doing a visual inspection of all your posts.

Spam firewall

This is a new feature which as of this writing is not available if you download the extension from phpbb.com. It keeps almost all spammers from hitting your site at all. Instead, Cleantalk’s servers grab it first. In the event the user is legitimate, there is a link that will take them to your website.

Why is this useful? Because it reduces the stress on your server by limiting it to legitimate traffic only. It speeds up the performance of your forum and makes it less likely that you will have to pay for the cost of a higher class of hosting to handle your traffic. Isn’t that worth $8 a year?

Stopping contact form spam

Cleantalk has one other useful feature: the ability to stop contact form spam. Of course you can disable the contact form (ACP > General > Contact page settings) and that will solve that issue. Or you can have Cleantalk essentially moderate it for you, passing on only valid contact forms to you. Simply check that option on the extension’s page and submit the form. Somewhat oddly, the phpBB group did not tie the contact form to the spambot countermeasure feature of phpBB. Perhaps that will come in a future release.

In any event for forums that get lots of spam and/or lots of traffic, using the Cleantalk service with the Cleantalk extension for phpBB is a no-brainer providing you know about it. Now you do!

MediaTemple grid service no longer recommended

It’s sad for me to say this, but I can no longer recommend MediaTemple’s Grid service as a hosting option. For the last 18 months or so I’ve been using this service and have gotten increasingly dissatisfied and exasperated by it. Today I started the process of moving my domains off of it to Siteground.com even though I have four and a half months left on that hosting contract. This domain should now be coming to you from siteground.com servers and hopefully in a reliable and maybe spiffy fashion.

MediaTemple.net was known as one of the premier providers of business-class hosting. It was acquired by GoDaddy with the promise that it would be separately managed. It appears from my experience with their Grid service that they broke that promise with their customers. Sometimes I have to wait a minute or more to retrieve pages from my own site. It sure looks like they are overloading their servers and/or managing them very badly.

I used UpTime Robot to test whether my domains are up. Pretty much every day I will get one or more emails telling me it is inaccessible. So it was likely costing me money, motivating me to move to Siteground.com instead.

I do have clients using MediaTemple’s virtual servers and they have no complaints about that service so far. Definitely avoid their Grid service now and if you have an option you might choose some other host for your virtual or private server needs. I don’t have experience with Siteground’s, but it’s likely fine. A company like Rackspace.com is likely doing it right.

Another annoyance was revealed simply in moving my site. An old phpBB forum I have with about 50,000 posts could not be downloaded. I had to break it down into multiple downloads, including the posts table into two separate downloads. The Grid service simply cut me off when I hit some sort of resource limitation. The whole database is only 80MB or so. Shame!

How to rehost your forum

It can be hard to break up with your web host, particularly if you have phpBB on it. phpBB consists of files plus a database, and the database is stored separately. phpBB does have a knowledge base article on rehosting. You may want to refer to it. In this post I add my own thoughts and document my own processes, since I do a lot of this for a living.

Ask your new host to do it

Some hosts will move your forum along with your whole website for free to get your business. If they don’t offer, you might ask them if they will. This is a great way to go, providing they do it properly. Some hosts will move the files and forget the database, or leave that part for you. Some will do both but won’t integrate the two by fixing phpBB’s config.php file. There are sometimes other issues. File and directory permissions may change when moving to a new host, which might cause issues. Of course you can always hire me to do it for you.

The process

The general steps are:

  1. Buy and set up new hosting
  2. Disable the forum
  3. Download a copy of the forum’s database
  4. Download a copy of the forum’s files
  5. Optional: change your hosts file so you can access your domain on the new host
  6. Upload your files to the new host
  7. Recreate the database
  8. Reconfigure the config.php file
  9. Test
  10. Recreate any email addresses
  11. Change the domain to point to the new host
  12. Monitor and fix settings as needed

Buy and set up new hosting

You have probably done this already. I have recommendations on my rehosting page for new hosts if you are still shopping. In some ways figuring out who deserves your business is the hardest part because the new host must be able to handle your forum’s traffic without breaking a sweat, including during spikes of traffic.

After paying for the hosting, make sure you can access it. Typically the host will provide access credentials to a web host control panel, usually cPanel or Plesk. Test your access. You need to do three things:

  1. You need to know the name of the nameservers to use. You will need this for the final step. There should be two of them, and they usually start with “ns”. They are often in an introductory email you get when you pay for hosting.
  2. Create FTP credentials. Often these are created for you, in which case make sure they work by testing them with your FTP program. Because your domain has not moved yet, you usually access FTP using an IP address.
  3. Make sure you can create a database. Look in the web host control panel for database options. In cPanel look for a “MySQL databases” option.

Disable the forum

For consistency you should disable your forum (ACP > General > Board settings) before backing up anything. You might want to first send out a mass email or post announcements indicating that the forum is being moved, so your users aren’t alarmed.

Download a copy of the forum’s database

Use a phpBB database backup

phpBB has a database backup program built into it, and you can often back up your database successfully this way: ACP > Maintenance > Database > Backup. For action, select Download. Press Select All to ensure all the tables in your database are backed up. When you submit the form your browser should soon note a file being downloaded.

Use a backup generated by phpMyAdmin

In your web host control panel, phpMyAdmin should be available. You can use it to export your database. Again, you want to download the result. Check the first link to see how this is done. If you are not using MySQL or MariaDB, consult your database tool to figure out how to get an appropriate backup. I recommend downloading the database as a .sql.gz file.

Back up your database from the command line

In some unusual circumstances you may need command line (SSH) access to back up the database. In addition to SSH credentials, you will need credentials to log in to mysql from the command prompt. Describing this procedure is too lengthy for this post, but you can use a search engine to learn how to do this. It is challenging!

Check the integrity of the backup

This step is critical. On some hosts (shared hosting in particular) you may not get a complete backup due to resource limitations. Open the archive using an unarchive tool. Use an editor to view it. Look at the bottom of the file. It should end with the phpbb_zebra table. For MySQL/MariaDB, the last character should be a semicolon(;). If you don’t have a complete backup, you will have to get one. This may require an awkward call to your old web host for help.
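The end-of-file check described above can be scripted so that a cut-off download is caught before the old hosting is cancelled. This is an added example, not part of the original post: it reads a .sql or .sql.gz dump, detects a gzip stream that ends early, and confirms the last table and the closing semicolon. The function name, the constructed sample dump and the phpbb_ table prefix are assumptions.

```python
import gzip
import os
import re
import tempfile
import zlib

# Table name in CREATE TABLE / INSERT INTO statements, with or without backticks.
TABLE_RE = re.compile(
    r"^\s*(?:CREATE TABLE(?: IF NOT EXISTS)?|INSERT INTO)\s+`?(\w+)`?", re.IGNORECASE)

# Constructed sample dump (not real forum data), ending the way the post describes.
SAMPLE_DUMP = (
    "# phpBB Backup Script\n"
    "CREATE TABLE phpbb_users (user_id int NOT NULL, username varchar(255));\n"
    "INSERT INTO phpbb_users (user_id, username) VALUES (2, 'admin');\n"
    "CREATE TABLE phpbb_zebra (user_id int NOT NULL, zebra_id int NOT NULL);\n"
    "INSERT INTO phpbb_zebra (user_id, zebra_id) VALUES (2, 53);\n"
)


def check_backup(path, last_table="phpbb_zebra"):
    """Return a list of problems with a .sql or .sql.gz dump; empty means it looks complete."""
    problems = []
    last_seen, tail = None, ""
    opener = gzip.open if path.endswith(".gz") else open
    try:
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                match = TABLE_RE.match(line)
                if match:
                    last_seen = match.group(1)
                text = line.strip()
                # Remember the last line that is neither blank nor a comment.
                if text and not text.startswith(("--", "#", "/*")):
                    tail = text
    except (EOFError, zlib.error, gzip.BadGzipFile) as exc:
        # A download cut off by a resource limit leaves a gzip stream with no trailer.
        problems.append(f"archive is truncated or corrupt: {exc}")
    if last_seen != last_table:
        problems.append(f"last table is {last_seen!r}, expected {last_table!r}")
    if not tail.endswith(";"):
        problems.append("last statement does not end with a semicolon")
    return problems


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        packed = gzip.compress(SAMPLE_DUMP.encode())
        # One complete archive and one with its last 20 bytes missing.
        for name, data in (("forum.sql.gz", packed), ("cut.sql.gz", packed[:-20])):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            print(name, check_backup(path) or "looks complete")
```

If your forum uses a different table prefix, pass it through the last_table argument, for example last_table="forum_zebra".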

Download a copy of the forum’s files

I am assuming that you do not have a larger website to move. When moving a domain you need to move all web accessible files for the domain. If you have WordPress as a front end, you will need to move WordPress too, using a procedure similar to the one for phpBB.

You can use your FTP program to download your files. This approach is often very time consuming, particularly if you have lots of files in the forum’s files folder or you need to move an entire website. For phpBB only, make sure you only download the folder containing your forum.

A better way is to use your old host’s file manager. Select all the files in the forum’s folder, or for an entire site select all the files in the web root folder. Click on the first file, scroll to the bottom then while holding the shift key click the last file. This should get all files and folders. Look for a compress option. It will create a .zip or .tar.gz file. Once the archive is generated, download it with your FTP program.

Optional: change your hosts file so you can access your domain on the new host

While this is optional, it’s almost required as it makes the rest of the work so much easier. You want your computer to use your new domain name transparently even though you have not pointed your domain to your new host yet. Instructions for Windows are here, instructions for Mac are here. You need the IP of your new host to make this trick work. When done, your browser should reach your new hosting when you use your domain name. In most cases you will see a default web page for the domain.

Upload your files to the new host

  1. Create the directory for your forum. It should be named the same as on your old host. Where to place it? It must be in a web accessible directory for your domain. Your web folder will vary but it’s usually in a html or public_html folder.
  2. Upload your files. If you have an archive, simply upload that to your forum’s folder, otherwise upload the thousands of files that comprise the software and data for your forum. If uploading an archive, use the file manager on the new host to unarchive it.
  3. Double check that the files uploaded are in the correct folder and that nothing is missing. You can delete the archive file now if you want.
  4. Check your file permissions. On Unix-based systems the following folders need to be world-writeable (777 permissions): cache, files, store and images/avatars/upload. Fix if necessary. All other files should have Unix 755 permissions.
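File managers and unarchive tools often change modes during a move, so the permission check in step 4 is worth automating. This is an added example, not part of the original post: it walks a forum folder on a Unix-based host, reports any of the four writable folders that are missing or not 777, and flags anything else that is writable by group or others. The function names and the constructed sample tree are assumptions.

```python
import os
import stat
import tempfile

# Folders the post says phpBB must be able to write to (relative to the forum root).
WRITABLE_DIRS = ("cache", "files", "store", "images/avatars/upload")


def audit_permissions(forum_root):
    """Return sorted (relative_path, octal_mode, problem) tuples for a phpBB tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(forum_root):
        rel_dir = os.path.relpath(dirpath, forum_root).replace(os.sep, "/")
        if rel_dir in WRITABLE_DIRS:
            mode = stat.S_IMODE(os.stat(dirpath).st_mode)
            if mode != 0o777:
                findings.append((rel_dir, oct(mode), "post calls for 777"))
            dirnames[:] = []  # contents are written by phpBB itself; do not descend
            continue
        # Everything else: the folder itself and the files directly inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                rel = os.path.relpath(path, forum_root).replace(os.sep, "/")
                findings.append((rel, oct(mode), "writable by group or others"))
    for rel in WRITABLE_DIRS:
        if not os.path.isdir(os.path.join(forum_root, rel)):
            findings.append((rel, "-", "folder is missing"))
    return sorted(findings)


def build_sample_tree(root):
    """Create a small constructed phpBB-like tree with deliberate mistakes."""
    dirs = {
        "cache": 0o777, "store": 0o777,
        "files": 0o755,                      # too strict for uploads
        "images": 0o755, "images/avatars": 0o755,
        "images/avatars/upload": 0o777,
        "includes": 0o777,                   # too loose
    }
    files = {
        "config.php": 0o644,
        "includes/functions.php": 0o666,     # too loose
        "cache/data_global.php": 0o666,      # inside a writable folder: ignored
    }
    for rel in dirs:
        os.makedirs(os.path.join(root, *rel.split("/")), exist_ok=True)
    for rel in files:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("<?php\n")
    # Set modes last so the umask does not interfere.
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, *rel.split("/")), mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for finding in audit_permissions(root):
            print(*finding, sep="  ")
```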

Recreate the database

  1. In your web host control panel, create a new database for your forum. Sometimes you can specify the database name, sometimes you can only specify part of the database name. Write the name of the new database down.
  2. Next, create a database user that will be allowed to access the database. You also have to assign a password to the database user. Make it a complex password and write it and the database user name down.
  3. Give the new database user permissions to the database. Make sure you grant ALL permissions.
  4. Determine the name of the database server. It is usually on the same machine as your web server and can be referenced as localhost. But if it’s something different, write it down.
  5. Try importing the database using phpMyAdmin (for MariaDB or MySQL). Select the import tab for your database. Point it to your database extract and let it be uploaded. Once uploaded it should be read, recreating your forum’s tables. If the file is too big to be uploaded, you have to be more creative. In most cases you need a staggered importer, which generally means uploading and configuring bigdump.php. If the database was partially loaded, make sure you drop all tables in your new database first using phpMyAdmin. bigdump.php must be edited with the correct database settings before being run. Upload the database extract archive to the same folder as bigdump.php. Run bigdump.php by specifying the correct URL based on where you uploaded it. If you didn’t change your hosts file, you will need the IP of your new server. In addition, you may have to specify a folder in the URL after the IP. Often the letter you get with new hosting will contain this information, otherwise ask your new web host.
  6. Check that everything is moved. You should use phpMyAdmin on your new host in one tab, and phpMyAdmin on your old host in another tab. Make sure all tables in the old database are in the new database and that each table in the new database contains the same number of rows as in the old database. Check a few tables to make sure the structure of the table looks reasonable. In most cases there should be a primary key and one or more indexes for a table.

Reconfigure the config.php file

Most likely the config.php file you copied over won’t work as is. Most likely the database name, the database user name and the database password are all different. You can usually edit this file with your web host’s file manager. Bonus tip: if you are running PHP 7.0 or higher, you may need to change the line:

$dbms = 'mysql';

to:

$dbms = 'mysqli';

Test

Hold your breath. Using your browser, enter the URL for your forum and hope it comes up. There may be a delay of several seconds as new cache files are recreated. Fix any errors you find, which can be challenging. Your web host can help or you can hire me. Reenable the forum and test it. Make sure your style looks right, your logo is properly placed, all the forums are on the index and you can make a test post successfully.

Recreate any email addresses

When you move your domain, you should also recreate any email mailboxes and email forwards you set up for the domain. Unless email for the domain is hosted elsewhere, you should recreate these email boxes, such as your board contact email address. If you had any email forwarders, set these up too.

Change the domain to point to the new host

You are ready to go live! Go to your domain registrar. Enter the new nameservers carefully in the appropriate fields for the domain. Then wait for the DNS changes to propagate. These days most changes happen in 1-3 hours. Your users will know they hit the live forum because the “forum is disabled” message will not appear. Also, if you changed your hosts file, undo those changes.

Monitor and fix settings as needed

There are often minor hiccups in the software on a new host. Sometimes you may have to upgrade or downgrade the version of PHP used. There may be some PHP settings that have to be tweaked. Expect a few of these and you may need some help from your web host. Things generally settle down within a few days.

End phpBB update styling rework with a custom style

Updated February 15, 2018 to add a few things.

Has this happened to you? You update phpBB to the latest version and find out that your custom logo or various style changes that you tediously made to phpBB are gone, or partially gone. It’s a common problem and one reason many forum owners defer updating phpBB.

You can end this hassle by creating and installing your own custom style. Using this approach your custom style inherits most of its styling from a primary phpBB style. You then selectively override the primary style’s CSS, HTML or Javascript with your own changes. This way when the primary style you use is changed, you don’t lose your custom changes. This also ensures that your styles and templates use the most current and approved code, which often includes security patches.

In this tutorial I will show how you can do this. I will keep my example simple by using my custom style to swap out the default phpBB logo with my own logo, sized to the new logo’s dimensions. In principle though you can go way beyond this simple use. For example, your custom style can overwrite the inherited style’s colors, padding and margins, or container widths and heights. You can also overwrite HTML and Javascript files.

Overview of steps required

The basic approach is:

  1. Make a note of all the changes you made to your style
  2. Reload your preferred style
  3. Create a custom style that inherits from your preferred style
  4. Override the preferred style’s stylesheet directives. This is best done by creating a stylesheet.css file for your custom style and placing your style customizations there.
  5. If you changed some templates, place the custom version of these templates in your custom style’s template directory. Frequently, forum owners will make changes to overall_header.html and overall_footer.html.
  6. Install the custom style
  7. Make the custom style the primary style
  8. Test and refine

Let’s delve into each step to see how this is done.

Make a note of all the changes you made to your style

You probably know what these changes are, but if you have any questions you can use a file comparison tool like WinMerge (for Windows) or kdiff3 (for pretty much any operating system) to compare your files with a reference version.

  1. Download your current style folder where you made all your custom changes, such as /styles/prosilver
  2. Download a reference version of your style for your current release of phpBB. phpBB keeps a list of its releases here. If your styles are based on prosilver then you would use the reference /styles/prosilver folder for your current release of phpBB. If using a different style, find the style version you used. You may have to download it from phpbb.com or from the style author’s website.
  3. Run the file comparison tool and note the changes you made so they can be reapplied in the custom style.

Reload your preferred style

  1. Make certain you have documented all the changes you made to your style. Once they are overwritten, you may not be able to recover them.
  2. Since you made changes to your preferred style, it’s a good time to undo them. The simplest way is to upload the reference version of your style, replacing anything that’s there. Purge the cache. If you don’t see the style changes afterward, clear your browser’s cache and reload the page.

Create a custom style that inherits from your preferred style

  1. First review phpBB’s Creating & Modifying Styles page.
  2. Create a folder in the styles folder for the name of your style. In this example I keep it simple and call the folder “custom”, i.e. /styles/custom.
  3. Create a style.cfg file in this folder. Copy the style.cfg contents from your parent style’s style.cfg file. Below is the code in /styles/prosilver/style.cfg for phpBB 3.2, which I used because my “custom” style inherits from prosilver.
#
# phpBB Style Configuration File
#
# This file is part of the phpBB Forum Software package.
#
# @copyright (c) phpBB Limited <https://www.phpbb.com>
# @license GNU General Public License, version 2 (GPL-2.0)
#
# For full copyright and license information, please see
# the docs/CREDITS.txt file.
#
# At the left is the name, please do not change this
# At the right the value is entered
#
# Values get trimmed, if you want to add a space in front or at the end of
# the value, then enclose the value with single or double quotes.
# Single and double quotes do not need to be escaped.
#
#

# General Information about this style
name = prosilver
copyright = © phpBB Limited, 2007
style_version = 3.2.0
phpbb_version = 3.2.0

# Defining a different template bitfield
# template_bitfield = lNg=

# Parent style
# Set value to empty or to this style's name
# if this style does not have a parent style
parent = prosilver
  4. In my example I changed “name = prosilver” to “name = custom”. Since I want to inherit from prosilver I left the “parent = prosilver” line unchanged. If you are changing a style other than prosilver as the primary style, you need to change the parent style to the correct style name. It must match the parent folder name in the styles folder. You might also want to edit the copyright, style_version and phpbb_version lines. If it’s only for your own use, this is not necessary. Here are my changes:
# General Information about this style
name = custom
copyright = © Mark D. Hamill
style_version = 1.0.0
phpbb_version = 3.2.2

# Defining a different template bitfield
# template_bitfield = lNg=

# Parent style
# Set value to empty or to this style's name
# if this style does not have a parent style
parent = prosilver
  5. Save the file, making sure it is in the root folder for the custom style, e.g.: /styles/custom/style.cfg.

Override the preferred style’s stylesheet directives

  1. Create a theme folder for your style. In my example, this would be /styles/custom/theme.
  2. Create an images folder inside the theme folder. In my example, this would be /styles/custom/theme/images.
  3. If changing the logo, upload the logo you will use to /styles/custom/theme/images. Make a note of the image’s height and width as you will need this later.
  4. Create a file called stylesheet.css in the theme folder.
  5. To inherit styles from your parent style, you need an @import statement at the top of this file. For example, if prosilver is the preferred style, this line would be at the top of the file. Generally you just need to reference the stylesheet.css file in the parent style. You will have to amend the path so it finds the parent style’s stylesheet files. In my case for the @import line, I added “../../prosilver/theme/”. The ?v=3.2 indicates the version of phpBB expected, so it may have to be changed.
@import url("../../prosilver/theme/stylesheet.css?v=3.2");
  6. Any style changes that you want to override should now be appended to the end of this file. In the example of replacing the logo, in the prosilver style you would normally edit the .site_logo class in colours.css and common.css. In my case I added these lines at the end of my /styles/custom/theme/stylesheet.css file, which provides the correct image to use for the logo and its proper dimensions:
.site_logo {
    background-image: url("./images/mark.jpg");
    width: 181px;
    height: 229px;
}
  7. I then saved the file stylesheet.css with my changes.

Changing templates

In my example, since I am only replacing the logo, no template changes were needed. If you need to change templates there are two approaches.

  1. The simplest is to copy the template, for example, /styles/prosilver/template/overall_header.html to /styles/custom/template/overall_header.html. Then make the changes that you need to make and save the file. This has a downside: if there are changes made to this template with an update, your version won’t have them unless you manually inspect for any changes and apply them to your custom version.
  2. In many cases you want to insert some HTML or Javascript rather than change existing HTML or Javascript. In this case it’s better to use template events, if you can “hook into” an appropriate event. This way if the parent style is changed with an update, you don’t have to worry about replicating any changes to it in your style. For example, overall_header.html has a template event in it marked as <!-- EVENT overall_header_head_append -->. In this case you could create an event folder in your template folder then create a file called /styles/custom/template/event/overall_header_head_append.html. Add whatever HTML you want inserted when this event is encountered into this file. A list of template events can be found here.
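Copied templates are the files that stop receiving the parent style’s fixes, so it helps to list them after every phpBB update. This is an added example, not part of the original post or of phpBB: it reads the custom style’s style.cfg, confirms the parent folder and the stylesheet @import resolve, and lists templates that replace a parent template (files under template/event are skipped because they add to the parent rather than replace it). The function names and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile

IMPORT_RE = re.compile(r"""@import\s+url\(\s*["']?([^"')?]+)""")


def read_style_cfg(path):
    """Parse style.cfg: 'name = value' lines, '#' comments, optional enclosing quotes."""
    cfg = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            cfg[key] = value
    return cfg


def check_custom_style(styles_dir, style):
    """Return (problems, shadowed_templates) for the style in styles_dir/style."""
    problems, shadowed = [], []
    style_dir = os.path.join(styles_dir, style)
    cfg = read_style_cfg(os.path.join(style_dir, "style.cfg"))
    parent = cfg.get("parent", "")
    parent_dir = os.path.join(styles_dir, parent)
    if not parent or parent == cfg.get("name") or not os.path.isdir(parent_dir):
        problems.append(f"parent {parent!r} is not another style folder")
        return problems, shadowed
    # The @import must resolve to a real file or no CSS is inherited.
    css_path = os.path.join(style_dir, "theme", "stylesheet.css")
    css = open(css_path, encoding="utf-8").read() if os.path.isfile(css_path) else ""
    match = IMPORT_RE.search(css)
    target = match and os.path.normpath(os.path.join(style_dir, "theme", match.group(1)))
    if not target or not os.path.isfile(target):
        problems.append("stylesheet.css has no @import that resolves to a file")
    # Templates with the same relative path as a parent template replace it.
    template_dir = os.path.join(style_dir, "template")
    for dirpath, dirnames, filenames in os.walk(template_dir):
        if dirpath == template_dir and "event" in dirnames:
            dirnames.remove("event")
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), template_dir)
            if os.path.isfile(os.path.join(parent_dir, "template", rel)):
                shadowed.append(rel.replace(os.sep, "/"))
    return problems, sorted(shadowed)


def build_sample_styles(styles_dir):
    """Write a small constructed styles/ tree: prosilver plus a 'custom' child."""
    files = {
        "prosilver/style.cfg": "name = prosilver\nparent = prosilver\n",
        "prosilver/theme/stylesheet.css": "/* parent css */\n",
        "prosilver/template/overall_header.html": "<head></head>\n",
        "prosilver/template/overall_footer.html": "<footer></footer>\n",
        "custom/style.cfg": "# child style\nname = custom\nparent = 'prosilver'\n",
        "custom/theme/stylesheet.css":
            '@import url("../../prosilver/theme/stylesheet.css?v=3.2");\n',
        "custom/template/overall_header.html": "<head><!-- edited --></head>\n",
        "custom/template/event/overall_header_head_append.html": "<meta>\n",
    }
    for rel, text in files.items():
        path = os.path.join(styles_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as styles:
        build_sample_styles(styles)
        print(check_custom_style(styles, "custom"))
```

Each path in the second list is a file to compare against the parent style’s copy after an update.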

Install the custom style

  1. ACP > Customise > Style management > Install Styles
  2. Select the new style you created (“custom” in my example) by pressing the corresponding Install style link.

Make the custom style the primary style

ACP > General > Board configuration > Board settings. Generally you set the default style to your new custom style, the guest style to your new custom style and you may optionally want to set the override user style option to Yes. Submit the form.

Test and refine

You should not need to purge the cache if you make any stylesheet changes. However, if you make subsequent changes to any templates, first purge the cache, then test.

Approach when upgrading

This approach is unlikely to work correctly when upgrading. An upgrade is when you go from one minor release of phpBB to another, such as from 3.2 to 3.3. You can of course go through the process of creating a new custom style again. As for updates, this should work.

Enjoy!

Professionalizing your forum, part two

Since I wrote my first post about professionalizing your forum, I realized there are some other actions that will up your game in this area.

Monitor your domain for blacklisting

Blacklisting happens when users report to one or more blacklist sites that your site is sending out spam or contains malware. Generally you don’t get put on a blacklist inadvertently, so your site may have been hacked. It’s also possible that some emails sent or reportedly sent from your domain were judged as spam or spam-like. It’s also possible of course that someone is falsely reporting your site to a blacklist. In any event being on a blacklist is not a mark of distinction. You need to monitor blacklists and take corrective action if your domain shows up on a list. Being on a blacklist can get you dropped from search engines or moved way down in the rankings, as well as dramatically reduce site traffic.

Since you probably don’t want to check all the blacklists out there individually, there are services out there that can help you. If you have just one domain and getting one email a week is sufficient, you can use this site for free. They offer paid plans for multiple domains and more frequent checks, and there are other similar services so shop around.

To get yourself off a blacklist usually requires some explicit action on your part where you appeal or prove that the content does not or no longer exists.

Monitor, find and fix issues with Google Webmaster Tools

Google of course is constantly searching the web and indexing as much content on your site as you allow it to index. Google Webmaster Tools can find security issues with your site too, as well as tell you of issues like links that are bad that should be fixed.

To see reports about your domain you must take the time to register the site with Google, which can be done using a number of methods. Google will tell you if there are any critical issues but to do things like fix broken links you have to dig into their reports. Since most links on your site are going to be in posts posted by users to your forum, fixing these links is probably not worth the effort. However, there may be other links that are worth fixing.

Periodically check your WOT Rating

Browsers generally support a Web of Trust (WOT) extension. The extension allows users to easily say whether they trust your site or not. Since it’s an extension, you can install it in your favorite browser and when you are on your site monitor your reported trust status. If you notice your site trust level going down, you might want to see if there is a root cause and take appropriate actions.

There is some controversy about whether WOT can itself be trusted, since it was reported its developers were collecting your browser history without identifying information.

Use a sitemap

A sitemap indexes your forum’s content into a file that search engines like Google can read. It’s an authoritative way of describing the content on your site to search engines. There is a sitemap extension that works for phpBB 3.1 and reputedly 3.2 as well. Since it is simple to install, installing this one should be a no-brainer, providing you know about it!

Moderate, or take out the trash

A lot of administrators don’t even read their forums, or not all parts of it. It could be because the forum gets a lot of traffic and it’s a lot to keep up on. All forums should at least be moderated, either by an administrator or one or more global or forum-specific moderators. The moderation tools in phpBB are pretty good. They let users do a lot of the moderation for you by at least being able to report a post as inappropriate, spam or whatever. They won’t do this though unless you encourage them, so if this is important to you post a global announcement to this effect.

Disk space is cheap these days so moderation may seem like a lot of work. Why not just let people post whatever they want in whatever rambling way they want? For many forums this is fine, but for certain forums it’s not appropriate. You want the content to be relevant and that can be done by removing posts and topics that aren’t relevant.

Posts that seek to troll other users, inflame conversations and such are rarely desired. Here’s where your moderators can be of help: empower them to set up moderation guidelines for their forums, setting the rules and then letting them wield the power. Hopefully this will translate into a better reputation for your forum and topics as search engines decide the content is more relevant.

As long as your moderation rules are clear, a well moderated forum where irrelevant stuff is regularly pruned is a good idea. It’s unlikely your readers want to read irrelevant content anyhow.

You might want to set up an off-topic forum for general banter, so your main forums can stay clean. Moderators may choose to move these topics into such a forum rather than remove them.

Consider pruning

phpBB has a rarely used pruning feature. It lets administrators throw out old content. This is rarely used for obvious reasons: old content is not necessarily irrelevant and it’s unlikely that you will hit some sort of quota for the size of your database. It’s possible that search engines will rank you higher if the old stuff is regularly pruned. Global pruning is an administrator responsibility. Topics can be pruned on various common sense criteria: days since there was a posting and days since someone last viewed the topic. You can prune announcements, stickies and old polls as part of pruning or not. To prune: ACP > Forums > Manage forums > Prune forums.

There is likely more to this topic that may generate future posts.