Solving phpBB forum permission issues

I have noted before that phpBB’s permission system is awesome. In one way though it’s a bit defective: it’s hard to troubleshoot issues with permissions, particularly forum permissions.

In this post, I’ll delve into solving forum permission issues. The general problem is that a user typically belongs to more than one group and different groups can have different forum permissions. If you are unfamiliar with the basic phpBB groups, you might want to read this post first. You can also create groups of your own and set forum permissions to those groups.

To solve these issues, you generally you need to start with a test case. This part at least is pretty easy because you usually have a user whose permissions are not working correctly, so you just need their username. You also need one or more forums where their permissions are off. You also need to know what permission isn’t working right, such as permissions to create new topics or reply to topics.

If you dig into phpBB’s documentation, it becomes a little clearer. On permissions, the documentation says:

  • YES will allow a permission setting unless it is overwritten by a NEVER.
  • NO will be disallow a permission setting unless it is overwritten by a YES.
  • NEVER will completely disallow a permission setting for a user. It cannot be overwritten by a YES.

So essentially when the NEVER permission is set, it becomes a blocker overriding any other permissions.

Seeing all forum permissions for a user, forum and permission type

How do you see these forum permissions? You need a tool. The good news is that phpBB has just such a tool. The bad news is that they bury it. In fact, it could not be harder to find. In this example, I will use my development forum to see forum permissions for myself.

  1. Go into the Administration Control Panel
  2. Select the Permissions tab
  3. On the left sidebar, go way down to the bottom. You want View forum-based permissions. Click the link.
  4. Pick the forum or forums you want. In this example, I chose the “Your first forum” forum created by default when you create your board. I then pressed SUBMIT.
  5. Now I pick the user. There are various ways to do this with the interface for both users and groups. In this case I choose myself, with a username of “Mark D Hamill”. I entered the username in the “Find a member” field and pressed the View permissions button below the field. This brings up the Viewing permissions page. The colors you see on the permission tabs may vary from mine where the green boxes in each of the tabs basically say “This user or group has YES for ALL permissions under this tab”. Red means “This user or group has NEVER set for all permissions under this tab”. Blue means “This user or group has a mixture of permissions for the permissions in this tab.”
View permissions page
View permissions page
  1. I now want to check out a particular permission. You may have to hunt for the permission you want to check for the user and forum as it may be on a different tab. There is a tiny little icon to the left of each forum permission. That’s what you need to click on. In this case I want to see how permissions are determined for the Can start new topics permission.
Selecting a permission to check
Selecting a permission to check
  1. This generally brings up a popup window. If you don’t see a popup window, you may have to tell your browser to allow popups for the domain. Finally this brings up a useful screen:
Viewing a particular permission
Viewing a particular permission

Now you can see what’s going on for this particular user’s forum permission. Since I am both an administrator and a global moderator, I belong to both those groups, each of which has a group forum permissions too. By default, NO access is allowed to the forum for a user, so it is the first permission. But it is set to YES for Administrators, so the logic continues and the next group is tested. It is set to YES for Global moderators too, so the net permission is still YES. It is set to YES for registered users in this forum too, so it’s still YES. Finally, it looks for any user-specific forum permissions. None were granted, so this permission is NO, but since it is NO and not NEVER the overall YES permission still applied.

Fixing the underlying permission issue

With this tool, you should be able to determine where the root of the permissions issue lie from the variance from an expected permission from the actual permission. It’s usually a group permission that needs changing. The most likely solutions are:

  • A NO permission should be NEVER
  • A NEVER permission is blocking everything so it should be changed to NO
  • A NO or NEVER permission is incorrect and should be YES

So adjust the group or user permissions for the forum privilege accordingly. You can use this tool to check to see if the result is correct, or use the feature in the Administration Control Panel to test out a user’s forum permissions.

Usually in these cases, you cannot use the built-in forum roles. Rather you have to click on the Advanced link for each forum and group and change permissions that way instead.

In some cases, you can adjust the permissions for a forum role and have them trickle down accordingly, avoiding the need to use the advanced link when setting forum permissions. I’ll leave you to investigate this option if you want instead. It can get a little hairy to change these because it affects all forums where these permission roles are used.

Setting user-specific forum permissions is always a bad idea. Remove them if you can, and place these forum permissions in groups you create instead. Add people to these groups as necessary to get the desired behavior.

The newly registered users group permission quirk

There are some things that are definitely peculiar about phpBB’s permission system. Newly registered users are also in the registered users group. To start, this makes no sense. In the case of this user, “tester66”, because he is in the newly registered users group, the forum’s permissions for newly registered users does not allow them to start new topics. But because they actually are in the registered users group too, they can start new topics, the exact opposite of what you would expect!

Newly registered users permission quirk
Newly registered users permission quirk

How do you solve this problem? You have to set the permission to NEVER for the newly registered users group by using the group forum permissions function. In it you select the Advanced link to fine tune the permission. After changing the permission, you can see the result:

Fixing the newly registered users group quirk
Fixing the newly registered users group quirk

 

Integrating your phpBB topics and posts into WordPress … or any web page!

As some know, I am the developer of phpBB’s Smartfeed extension. This extension provides an ATOM, RSS1 or RSS2 feed of posts and topics on your website.

These feeds allow people to read posts on the forum remotely using a newsreader application, like one built into MS Outlook or using feed aggregator sites like feedly.com. The main advantage of feeds is that it allows you to read a forum without actually having to visit the site. If you regularly read lots of sites, using a newsreader is very efficient way to read content compared to actually visiting each site.

Smartfeed is not the only extension that does this. In fact, if you don’t need to support the RSS format and only want to show posts in public forums, an ATOM Feed has been built into phpBB since version 3.0.6. You might want to read the knowledge base article to learn the syntax to use. You can control your feeds in the Administration Control Panel: ACP > General tab > Board configuration > Feed settings.

Sometimes you want to highlight recent topics and posts on your larger website, or on another domain. For example, you may have a phpBB forum in a folder on a WordPress site. You might want to use a WordPress widget to highlight current topics and posts on a sidebar of your WordPress site. The links in the sidebar will take people directly to the post or topic of interest.

I will demonstrate how to do this using WordPress. However, conceptually you don’t need WordPress to do this. You just need something that can read an ATOM or RSS feed of your forum, and parse its XML into HTML for display, or write your own program to do this. For example, if you are familiar with jQuery, there are a number of jQuery feed plugins that would work. The PHP SimpleXML library is one way you can do it in PHP with a short PHP program.

Here’s one way to do it in WordPress:

  1. Spend some time figuring out what you want to highlight in WordPress: recent posts or recent topics. I will show a list of recent posts. In this example, I first installed my Smartfeed extension. This is because I got a SimplePie parser error when I used phpBB’s ATOM feed. This is due to a bug when parsing ISO dates in ATOM feeds using the SimplePie library. SimplePie is bundled with WordPress. I reported the bug. The resulting URLs for the feed can be seen if Smartfeed is installed. It is in the HTML source for the forum. I will use the second link because the ?y=2 parameter creates a RSS feed instead of an ATOM feed to avoid the SimplePie bug.
<link rel="alternate" type="application/atom+xml" title="ATOM" href="/phpbb/app.php/smartfeed/feed" />
<link rel="alternate" type="application/rss+xml" title="RSS" href="/phpbb/app.php/smartfeed/feed?y=2" />
  1. Note: if using Smartfeed, and you want a list of recent topics only, the resulting URL will look something like this. You should be logged out when using the Smartfeed interface. Note that you can refine the URL in the Smartfeed user interface. lp=1 limits the feed to the last post in the topic only, t=2 suppresses the time limit for retrieving posts, s=1 gives a standard sort from most recent to least recent, i=0 means to not require a minimum number of words in the post, y=2 forces a RSS2 feed, d=3 sets the feed style to use HTML, w=0 means not to limit the maximum number of words in the post, and tt=1 means to show topic titles only. There are lots of variations so use the Smartfeed interface to get the output just the way you like it.  
http://127.0.0.1/phpbb/app.php/smartfeed/feed?lp=1&t=2&s=1&i=0&y=2&d=3&w=0&tt=1
  1. Presumably you have installed WordPress already. If you haven’t, it can be downloaded from wordpress.org. Or you can usually install it from Plesk or cPanel.
  2. Login to WordPress as an administrator and go to the WordPress dashboard.
  3. WordPress comes with a RSS Widget preinstalled that also can handle ATOM feeds. You can find it off the dashboard: Appearance > Widgets
  4. Click on the RSS Widget then press the Add Widget button which appears, which by default appears on the sidebar.
  5. In the sidebar, click on the RSS Widget that was added. Enter the URL for the feed and give it an optional description. Note that it needs to be the full URL, not the partial one shown above. Then press Save.

    Configuring RSS Widget
    Configuring RSS Widget
  1. I dragged the widget to the top of the sidebar so it would appear first on the sidebar. Of course, you can place it anywhere on the sidebar that you like.
  2. Go to your WordPress site and find it on the sidebar.

    List of recent forum posts in the WordPress sidebar
    List of recent forum posts in the WordPress sidebar

Note that this works for any domain, providing the feed is publicly accessible. So you can promote this approach to have similar sites show your list of recent topics or posts. Note also that my Smartfeed extension has a number of options to make the post subject or topic title prettier if the default looks too wordy.

Fixing insecure content issues in phpBB

Updated December 27, 2018 to correct some things based on new information.

So you’ve decided to use HTTPS for your forum to show your content securely. This is good and it’s not too hard a thing to do in most cases. Everything looks good but sometimes you notice on browsers like Chrome the little green lock icon up on the URL field disappears. What’s going on? If you investigate by clicking on the icon you can usually figure out what’s going on: there is some insecure content on the web page.

What is insecure content?

Insecure content is content embedded on a web page that is delivered insecurely, i.e. from a web server using http instead of https. Usually these come from external sources, and are typically externally hosted images that are served insecurely.

One way to investigate these is to view the HTML source of the web page. Use the Find feature to scan for URLs with http:// instead of https://. The issue occurs with embedded images like this:

<img src="http://www.externalwebsite.com/myavatar.jpg />

If all these URLs could be changed to something like:

<img src="https://www.externalwebsite.com/myavatar.jpg />

then all would be well, that is if the external website supports https.

How do you fix these problems? There are typically two places where these problems manifest:

  • In post text
  • In the user’s avatar

Here are some approaches you can use to solve to fix the problem:

Use the Image Redirect extension

As of this writing the Image Redirect extension is a Beta release, so it is not recommended that you install it on a production system. This extension also requires that you set up a proxy server on your web server, not a trivial tasks and something you may not be able to do on your class of hosting. Camo Proxy is one example of a proxy server you can install. What this extension does is scan the page for these external image URLs, fetches them using a proxy and changes the URL so that it is served from your proxy copy, which will be on your machine and served securely. In theory this extension should solve all issues like this. Note that it takes some time to create a proxy image if it is not cached and this adds some small overhead, which may slow page rendering.

Fix the embedded URLs in your database

This works by changing the URLs in your database. You scan for http:// and replace it with https://. Using this approach has some limitations:

  • The server serving the remote content may not have https installed. What generally happens is the image is not served and a white box appears instead. This could make lots of posts look off or unacceptable, particularly if these images are large.
  • While it corrects existing URLs, it doesn’t prevent someone from doing the same thing in the future.

If you can live with these limitations, you can fix it in the database. This approach assumes you have MySQL or MariaDB as your database and that the REPLACE function is available. It also assumes you have phpMyAdmin or a similar way to issue SQL (Structure Query Language) commands to the database. In phpMyAdmin, there is a SQL tab where you can type in and execute SQL. Just make sure you use a SQL tab for your database.

There are two tables that typically need fixing: phpbb_posts and phpbb_users. Steps:

  1. Disable the forum
  2. Backup the forum’s tables. Make sure it is a complete backup by downloading the extract, uncompressing if if necessary and looking at the end of the file. There should be SQL in there populating the phpbb_zebra table at the bottom of the file.
  3. Use phpMyAdmin or a similar tool to go into your database. If you are not sure which database you need to modify, look at your forum’s config.php file. The database name is in the file.
  4. You can examine the extent of the problem by first looking at each table. In these examples I assume your table prefix is phpbb_. The config.php file contains the actual table prefix, which may be different.
SELECT post_text FROM phpbb_posts WHERE post_text like '%IMG src="http://%';
SELECT user_avatar FROM phpbb_users WHERE user_avatar like '%http://%'
  1. To actually fix these, use the following SQL:
UPDATE phpbb_posts set post_text = replace(post_text, 'http://','https://') WHERE post_text like '%IMG src="http://%';
UPDATE phpbb_users set user_avatar = replace(user_avatar, 'http://', 'https://') WHERE user_avatar like '%http://%'
  1. Reenable the board
  2. You might need to purge the cache, but it should not be necessary.

After these steps, some users may notice that their avatar no longer serves and there is a big, ugly white space instead. They may try to change the URL in their Avatar settings back to http:// to restore it, in which case the problem may recur. This option can be disabled (see below). In general they should be encouraged to upload an avatar so it can be served from your web server, which will then serve it securely.

Preventing future insecure content

For avatars, the issue is due to allowing remote avatars. This can be changed: ACP > Board configuration > Avatar settings > Enable remote avatars > No

For posts, you can remove the permission to use the [img] BBCode. The easiest way to do this:

  1. ACP > Permissions > Group forum permissions > Registered users group > All forums
  2. For each forum, click on the Advanced permissions link, then the Content tab.
  3. Set Can use [img] BBCode tag permission to Never. Note: this will affect everyone, including special groups and administrators. If you want to have it affect only registered users, set it to No instead. Other groups however may retain the permission to post embedded images. You may want to use this pattern on other groups you have defined. 

Fixing blank spaces where embedded images should appear

Since blank space represent placeholders for external images that no longer exist, the URL may need to be corrected. You can try the MySQL Replace function above if you know the new pattern to use.

Alternatively, you can install the External Images as Links extension. This will substitute a clickable URL for the image. It’s likely the URL will lead to HTTP 404 error (not found), but it at least resolves the blank space image in the post.

 

Should I install phpBB?

What are you getting into when you install phpBB? phpBB, open-source forum software for the web, is often simple to install. Most web hosts have a scripting center that allows you to install it on a domain in a few clicks. But should you?

It’s not like there aren’t other forum solutions out there, although arguably phpBB is the one that has survived the longest. To name a few, there is commercial vBulletin software, myBB, Xenforo, Phorum and pUNbb. There are also forum plugins. For example, WordPress has BBPress and BuddyPress. Since I specialize in phpBB I can’t speak with much authority about other forum solutions. However, as a software engineer I can highlight what I think some of phpBB’s strengths and weaknesses are, the subject of today’s posts.

What is forum software exactly?

Before you decide on any forum solution, understand what forum software is. Forum software is not blog software. It’s not a place that you use to rant about stuff that interests you and which others can comment. It is software that allows lots of disparate people to discuss certain topic areas elegantly. It imposes discipline on the content it manages by keeping things organized in forums, topics and posts.

Forum software is used by discrete communities that have something in common and want to share that information in an open manner. Usually what they are discussing is pretty specialized. For example, it might be a support forum for a commercial or open-source product (phpBB.com uses phpBB for its support forum), or a fan site, a bunch of people who own a particular type of boat or plane, whatever! Forum software allows people to create and reply to topics. It’s designed to run independently of a framework. For example, the BBPress plugin for WordPress requires it to work as an add on to WordPress, which means that to use BBPress you must also be a WordPress user on the site. Similarly, Facebook groups can act a bit like a forum, but it requires you to join the Facebook enclave. Facebook however does not organize content in its groups into forums and topics. Most forum software is designed to be standalone, at this is certainly the case of phpBB. It’s not designed to work with WordPress or any other content management system. In our social media age, this is sometimes a drawback.

phpBB’s emergence

phpBB has a long and proud legacy. Version 1.0 was released in 2000, at just the moment that the PHP language became dominant on the web, replacing mostly a lot of Perl scripts. Timing was everything. It was written in PHP, used the popular free MySQL database and was free and open-source. “Open source” was kind of a new thing back then, but it was essential to its growth. Not only was it free, anyone could modify it.  So it got downloaded and installed like crazy. It’s still widely used today. Most support sites run on phpBB. This means you have probably used phpBB already, even if you aren’t aware of it. So it will seem comfortable and familiar, even if you don’t understand why.

Version 2 came a year later in 2001 and is still being used today by many sites because it is fast and lightweight. Version 3 was released in 2007, which thoroughly modernized it. Version 3.1 arrived belatedly in 2016. Its big feature was extensions, similar to WordPress plugins plus responsive styles, so things looked good on mobile devices. Prior to 3.1 if you wanted to extend phpBB’s functionality you installed “mods” that was code changes inside the source code, which made upgrading phpBB difficult. 2016 saw the release of version 3.2, the current version, which looks and behaves a lot like 3.1 but addressed some annoying issues mostly on the backend.

While phpBB was undoubtedly popular, updates were infrequent and its huge legacy base made it hard to push out new versions. Its team of core developers worked inefficiently together, in part because the tools for doing so were relatively primitive at the time. This allowed many other forum solutions to emerge to fill the feature gap while the phpBB group lumbered awkwardly forward into the future.

phpBB’s strengths

I first installed phpBB 2.0 in 2002 and have followed it since then. I have developed modifications and extensions, as well as generating good income from helping users upgrade and migrate their forums. In spite of the phpBB Group’s sometimes lumbering organization, it’s got some major strengths:

  • Institutional legacy. Simply because it’s been around so long, it tends to get widely installed and used. Those who have phpBB forums rarely move to other forum solutions.
  • Familiarity. Most likely you already know how to use phpBB because you have used it on various sites. While the forum/topic/post metaphor is hardly new, phpBB’s implementation of it garnered it a lot of attention and traction, so most forum solutions try to imitate it while addressing its perceived deficiencies.
  • A fanatical devotion to open source. The phpBB Group developers walk the walk on open source. They are really quite devoted to the whole idea of open source software, quite fanatical and arguably more than a little obsessed about it. They don’t give preference to any particular technology (except PHP and web standards like HTML, CSS and Javascript) and try to give you flexibility. For example, most forum solutions are written only for the MySQL database. Despite the fact that hardly anyone who has a phpBB forum uses databases other than MySQL, they support a whole host of other databases including Postgres, SQLite and Oracle.
  • Terrific support. phpBB’s support forums are phenomenal. You will likely find a dozen answers to your question with a simple search but if not a quick post will generate fast response, often from dozens of highly experienced support members, all volunteers. They are so good that in most cases the problems I encounter I don’t have to solve. I can find the solution on their support forums.
  • An anal obsession to standards. This is both a strength and a weakness. WordPress has now something like 40% of the web site market, but WordPress runs fast and loose. It’s not hard at all for people to create buggy plugins and non-optimal themes and WordPress will approve a lot of these. WordPress is a Wild West place where you are never quite sure if what you are adding on is crap or gold. That’s not a problem with phpBB. They go to extraordinary lengths to check their releases for bugs, running them against a host of security tools and making the base code pass thousands of detailed automated tests. I doubt there is an open source project that releases higher quality code. As an extension author, I am impressed and sometimes annoyed by how difficult it is to get my extensions approved. They inspect everything with incredible care and make sure you adhere to their voluminous and often somewhat obscure coding standards. This also makes things slow as there are plenty of extensions and styles in the review queue and reviews can take months. Rest assured though that officially approved extensions and styles are top quality.

phpBB’s weaknesses

  • Lack of agility. The phpBB Group’s tendency toward being anal also means they are not agile. It’s hard to bring out new versions of phpBB since everything must be nitpicked to death. Arguably this is also because there are tons of features and options in phpBB; look through all the Administration Control Panel’s various screens sometimes to get an idea of how many features can be changed, enabled and disabled. Its permissions system alone is awesomely powerful while awesomely obscure. When finally released, new versions tend to be very stable and rock solid but if you are an impatient person, your patience will definitely be tested and then some. On the other hand, their development practices are top notch. They use state-of-the-art testing, development and bug tracking tools. They have daily builds of their software to see what breaks.
  • Legacy architectureAdding new features tends to be excruciatingly difficult not because their code is not modular enough (this problem largely went away with phpBB 3.1) but because the database is so baked in. Many features would mean large changes to the database. Business logic is baked into many different programs, although phpBB 3.1 introduced classes (the whole /phpbb folder) that addressed a fair amount of this problem.
  • No multi-threaded topics. This means you can’t see a set of replies to a particular post within a topic, or get a hierarchical view of replies to a topic.
  • Standalone. It doesn’t integrate with anything, at least not elegantly. It won’t work seamlessly with your content management system, like WordPress. The closest it comes to this is that it supports authentication via LDAP (Lightweight Directory Access Protocol), but even so users must still create accounts on the forum to use it.

There is a lot more to this topic that I may delve into in future posts. But this post at least gives you a heads up. phpBB is great software: stable, reliable, well tested and industrial strength. If you can live with its functionality and limitations and are okay if the features change slowly at best, it’s still a terrific solution. If you need more agility from your forum solution, you might have to look elsewhere. However, any other solution you pick may not hang around. phpBB is eighteen years old and is likely to survive another eighteen years without a sweat.

 

You probably don’t want to host phpBB on Amazon EC2

Occasionally I do something new. This month something new meant helping to rehost a client on Amazon Web Services (AWS). AWS provides cloud computing services, and its EC2 service (EC = Elastic Computing) is probably its most popular service.

Cloud services provide scalable services. Also, you pay for what you use. They can be configured so that if there are spikes in demand the service will become “elastic”, scaling to meet demand.

I did not do this rehosting by myself. The client had another technical guy that set up and configured his AWS EC2 workspace. The forum is very large with 2.6M posts. In addition to rehosting the forum, I had to upgrade the client at the same time to the newest version of phpBB and move his WordPress site. This project literally took months to complete, although I was not working on it all the time.

I don’t know what Amazon Machine Instance (AMI) was set up in this case. I don’t think the AMI chosen was ideal because WordPress had technical issues that required fine tuning EC2 to get things to work. One thing I took away from the project though is that there is a “tax” if you move to AWS. The learning curve is steep and the tools available to you are miniscule.

Some lessons learned:

  • AWS doesn’t do any handholding. While you get a console to configure EC2, you don’t get any rich control panel like cPanel or Plesk to allow you to easily do complex things. So there is no File Manager, no phpMyAdmin (unless you want to install it yourself), no easy way to create mailboxes or send email. Instead, you need a UNIX geek. I was given a SSH key file and I had to use that to do my work. This meant doing pretty much everything from the command line.
  • Connecting to the AWS workspace was complex since I had to use SSH. The command lines used to connect with SSH were long to type in and easy to get wrong. I had to reference an argument to use the key (.pem) file I was given. When you work from the command line, it’s easy to type something incorrectly. So you often end up typing the command multiple times until you get it right. Closing and opening sessions becomes time consuming and a hassle.
  • To access the database, I had to do it from the command line. It took a while to get database credentials and since I had to do things from the command line again I had to type statements very carefully. I had to export and import databases but getting the syntax just right was challenging. I frequently had to go into the database to tweak things, which meant typing a lot of SQL statements. It’s a good thing I am very fluent in SQL. This really slowed me down. Had I had phpMyAdmin, I would have saved hours of time and hassle.
  • File permissions were a pain. The default user did not have the permissions to the web root folder, which meant becoming root and granting correct group and file permissions. Then secure FTP would work. These problems kept recurring which made the process quite tedious and time consuming.
  • The Apache web server was not configured correctly for WordPress. The AMI was apparently not tuned for WordPress, so it took research and carefully editing of a httpd.conf file to get the settings right. Then the web server had to be restarted from the command line, which is not intuitive, particularly since it had to be done as root.
  • Editing files became a pain. There was a lot of this, mostly tweaking forum styles, templates and configuration files. Since I had only the command line, I had to use a command line text editor. I chose nano, but it was still tedious. There is also a lot of command line navigation to get to the right folders where you needed to do stuff. This would have been easier if I had an editor on my computer that worked with SSH and .pem files. I had the former but not that latter, as I use an old copy of Dreamweaver to more easily edit files remotely.
  • I often had to become root to do things, like read the error_log file to troubleshoot issues.
  • The database import for the forum failed three times. I finally figured out the issue from the obscure error message. I had written two triggers for the client and that required CREATE TRIGGER privileges that were not granted to the default MySQL DBA. I had to snip these lines out of a 2GB+ export file to get the import to succeed. This has never been a problem on other hosts I have worked on.
  • Setting up HTTPS was a pain. It too required special permissions to create public and private key files, on the command line only, of course. It took many attempts before it worked and a valid certificate was installed. While we were waiting to test WordPress and the forum, it required using the long URL provided by AWS, which meant changing the configuration of WordPress and phpBB via the database.

I suspect that the wrong AMI was used or that using a better one would have prevented a lot of problems. In any event, the move to AWS turned out to be tricky, time consuming and a large hassle. For my client, it was an expensive endeavor. It turned out that all this work turned into my largest bill ever. In that sense it was good, although I would have been happier if it had spent a lot less time and a lot less of his money.

Now that my client is on AWS though, as long as it is tuned properly there will be some big advantages. Hosting may cost less in the long run, and the service should be more predictable and scalable.

If you take up a project like this, you will definitely need someone who has set up AWS EC2 instances successfully and will work through all these issues with you. Even so he could not do it alone. The migration took four days to complete, although the forum was functional in less than twenty four hours.

For very large forums that need scalability and high reliability, using a cloud service like AWS makes a lot of sense. However, a project like this should not be taken lightly. Most forum owners will probably be much more comfortable on a good shared host, or a good virtual or dedicated server. 

 

Avoid hosts owned by the Endurance International Group

As I have noted before, since I work with many clients I have developed hopefully informed opinions about many web hosts. Perhaps I should not paint with a broad brush but I do have one suggestion: avoid any web hosts owned by the Endurance International Group.

Web hosting tends to be a low profit business. With so much competition, customers will shop around for the best deal. This results in many hosts offering cheap plans for $5 or $10 per month. Web hosts can hope to find profitability in volume but since there is a lot of competition profitability usually comes from consolidation. The Endurance International Group buys web hosts. It looks like they find profitability through throwing all these companies under one umbrella and one hosting center.

I used to host with Hostgator. I found their support good and their infrastructure above average, yet their pricing was very reasonable. Then they were bought out by the Endurance International Group. Almost immediately afterward their support became crappy and I noticed delays accessing my domain as well as infrastructure related issues. When my hosting contract was over, I was happy to move somewhere else.

When you call these companies for support, you are immediately placed into a third-level support queue. After you finally connect with a human, these brain-dead support people follow scripts that are designed basically to not solve your problem and make you go away. Moreover, I found myself far more knowledgable about hosting and how to solve problems than they were. They could rarely even cover the basics. If you needed real help I found I had to badger for second-tier support.

All this is to keep their costs low since one support center for dozens of companies is obviously cheaper. But it results in inferior service, as evidenced by my experience with hostgator.com.

Endurance International Group own a lot of hosts, most pretty obscure. Among those they purchased you may be familiar with include Hostgator, Bluehost, Hostcentric, iPage and Site5. You can see a full list of the brands they bought on this Wikipedia page.

Given the low margins, the hosting business is likely to continue consolidating. There is certainly a lot of smoke and mirrors in this business. What used to be good hosting can turn into poor hosting pretty quickly when they get acquired. This is true of MediaTemple, at least it’s Grid Service, based on my latest experience since it was bought by GoDaddy. Right now my recommended hosts include Siteground for most hosting and Rackspace for dedicated and virtual server hosting.

It’s quite clear to me though that you are likely to be unhappy with any hosting owned by the Endurance International Group. So avoid.

Why you might want to use SMTP to make emailing more reliable

Emailing from phpBB is often problematic. In a previous post I looked at various ways to make sending email from phpBB more reliable.

In this post I look at why you might want to configure phpBB to use SMTP (Simple Mail Transfer Protocol) to send emails. If you are using a Windows web server (IIS), this is usually required. You can change these settings in ACP > General > Client communications > Email settings, which can be set halfway down the page.

By default, phpBB hands off email to PHP using PHP’s mail function and hopes for the best. If the mail function returns FALSE, the email should not have gone out. You won’t necessarily be know if it fails, however. Known email sending failures appear in phpBB’s error log: ACP > Maintenance > Error log.

Even if the PHP mail function returns TRUE, it may be a false report. In many cases TRUE only means that the mail was accepted. Whether TRUE means “accepted” or “successfully sent” depends on how your host’s email server is configured.

Once accepted by the email server, the email is likely to be closely examined. If it has some of the markers of being spam, it will probably get blocked from actually being sent out. In this case, you probably won’t know about it. You can greatly improve the odds that emails will go out successfully if you:

  • Create an email account that uses your forum’s domain, ex: admin@mydomain.com
  • Assert this email address in phpBB: ACP > General > Client communications > Email settings. Set this email address for Contact email address and From email address.

By default on Linux web servers (most typical kind of hosting), PHP’s mail function sends outgoing email to a sendmail process. Essentially, emailing is the job of your server’s operating system, so you can’t control it. Because you can’t control it, sendmail will be configured generically. Any other domains on the server you are using will send email out through the same sendmail process.

However, if you use SMTP to send email instead, you have to authenticate yourself with the SMTP mail server. By properly authenticating yourself, emails are likelier to go out. The downside is that it’s a bit of a hassle to set up SMTP. I discovered this on this site when I moved my hosting to siteground.com. It uses WordPress which by default also uses sendmail. Emails weren’t going out. A call to Siteground’s tech support revealed that SMTP was a better way to go. They provided the credentials to use and now my WordPress email notifications go out quickly and reliably. This should work for phpBB too.

Don’t assume that you can use an external SMTP server like GMail. Many web hosts will block outgoing SMTP email. If it’s allowed, by all means go ahead. You should check with your web host for the proper email settings to use.

One possible downside is that outgoing email quotas are likely, but that’s probably also true if your host uses sendmail. Your web host can tell you what policies if any apply to your hosting. See the previous post for instructions on how to properly set your email package size and to set up a system cron, if necessary. Make sure it works by sending a test email, an option available on the email settings page.

Cleantalk extension for phpBB can remove spam posts, plus its spam firewall feature is very useful

This is an update on an earlier post on removing spam posts.

Removing spam posts is hard because it requires actually reading the post and deciding if the post is spam or not and then using moderator tools to remove these posts. If your forum is overwhelmed with spam posts, this is a Herculean endeavor. Ideally though posts could be “read” by software and it would make the judgment on whether it is spam or not.

The Cleantalk extension for phpBB 3.1.x and 3.2.x can do just this as well as lots of other really cool tricks. My customers love Cleantalk, but the service is not free. However, it is so inexpensive that it easily justifies spending $8/year for the service. You can subscribe on the Cleantalk website. As of this writing, you can try it for free for 7 days. After 7 days, it won’t bring down your forum but it will stop working.

What is Cleantalk?

Cleantalk is essentially a huge database of addresses of known spammer sites. While it’s not perfect, based on the experience of my clients it is about 99% perfect. I originally recommended it as a spam registration solution for my clients. It still does that but is less necessary since phpBB 3.2. This is because since phpBB 3.2, version 2 of Google’s reCaptcha is supported. Unless it gets hacked, as long as you have it properly configured as a spambot countermeasure it should prevent virtually all spam registrations.

However, it has two powerful features that still keep it relevant for phpBB forums.

Cleantalk ACP Interface
Cleantalk ACP Interface

Installing and enabling Cleantalk

Cleantalk is installed like any other extension. While it can be downloaded from phpbb.com, you should download it from Cleantalk instead or from its GitHub page. This is because as of this writing the version on phpbb.com does not include the spam firewall feature, and you will probably want to enable this feature. You can access it through the Administration Control Panel: ACP > Extensions > Antispam by Cleantalk. Before you can do much with it you have to enter your Cleantalk key which you can get from their website or by pressing the button in the extension that should retrieve it for you.

Removing spam users and spam posts

As you can see from the image, once the extension is enabled and the key is properly configured there is a prominent Check users for spam button on its page within the Administration Control Panel. If you have lots of users, it may hang. Based on my experience though the next time you go into its interface you will see a list of potential spammers.

As I said, it is not perfect. So I recommend that for users with posts to check these out these users topics to make sure their posts are spam before deleting them. For those you want to delete, check the boxes next to their usernames and then press Delete marked. You can also press Delete all to remove all users and their posts. You may have to go through many pages to delete all spam users and their posts, but this is obviously much faster than doing a visual inspection of all your posts.

Spam firewall

This is a new feature which as of this writing is not available if you download the extension from phpbb.com. It keeps almost all spammers from hitting your site at all. Instead, Cleantalk’s servers grab it first. In the event the user is legitimate, there is a link that will take them to your website.

Why is this useful? Because it reduces the stress on your server by limiting it to legitimate traffic only. It speeds up the performance of your forum and makes it less likely that you will have to pay for the cost of a higher class of hosting to handle your traffic. Isn’t that worth $8 a year?

Stopping contact form spam

Cleantalk has one other useful feature: the ability to stop contact form spam. Of course you can disable the contact form (ACP > General > Contact page settings) and that will solve that issue. Or you can have Cleantalk essentially moderate it for you, passing on only valid contact forms to you. Simply check that option on the extension’s page and submit the form. Somewhat oddly, the phpBB group did not tie the contact form to the spambot countermeasure feature of phpBB. Perhaps that will come in a future release.

In any event for forums that get lots of spam and/or lots of traffic, using the Cleantalk service with the Cleantalk extension for phpBB is a no-brainer providing you know about it. Now you do!

MediaTemple grid service no longer recommended

It’s sad for me to say this, but I can no longer recommend MediaTemple’s Grid service as a hosting option. For the last 18 months or so I’ve been using this service and have gotten increasing dissatisfied and exasperated by it. Today I started the process of moving my domains off of it to Siteground.com even though I have four and a half months left on that hosting contract. This domain should now be coming to you from siteground.com servers and hopefully in a reliable and maybe spiffy fashion.

MediaTemple.net was known as one of the premier providers of business-class hosting. It was acquired by GoDaddy with the promise that it would be separately managed. It appears from my experience with their Grid service that they broke that promise with their customers. Sometimes I have to wait a minute or more to retrieve pages from my own site. It sure looks like they are overloading their servers and/or managing them very badly.

I used UpTime Robot to test whether my domains are up. Pretty much every day I will get one or more emails telling me it is inaccessible. So it was likely costing me money, motivating me to move to Siteground.com instead.

I do have clients using MediaTemple’s virtual servers and they have no complaints about that service so far. Definitely avoid their Grid service now and if you have an option you might choose some other host for your virtual or private server needs. I don’t have experience with Siteground’s, but it’s likely fine. A company like Rackspace.com is likely doing it right.

Another annoyance was revealed simply in moving my site. An old phpBB forum I have with about 50,000 posts could not be downloaded. I had to break it down into multiple downloads, including the posts table into two separate downloads. The Grid service simply cut me off when I hit some sort of resource limitation. The whole database is only 80MB or so. Shame!

How to rehost your forum

It can be hard to break up with your web host, particularly if you have phpBB on it. phpBB consists of files plus a database, and the database is stored separately. phpBB does have a knowledge base article on rehosting. You may want to refer to it. In this post I add my own thoughts and document my own processes, since I do a lot of this for a living.

Ask your new host to do it

Some hosts will move your forum along with your whole website for free for you to get your business. If they don’t, you might ask them if they will. This is a great way to go, providing they do it properly. Some hosts will move the files and forget the database, or leave that part for you. Some will do both but won’t integrate the two by fixing phpBB’s config.php file. There are sometimes other issues. File and directory permissions may change moving to a new host, that might cause issues. Of course you can always hire me to do it for you.

The process

The general steps are:

  1. Buy and setup new hosting
  2. Disable the forum
  3. Download a copy of the forum’s database
  4. Download a copy of the forum’s files
  5. Optional: change your hosts file so you can access your domain on the new host
  6. Upload your files to the new host
  7. Recreate the database
  8. Reconfigure the config.php file
  9. Test
  10. Recreate any email addresses
  11. Change the domain to point to the new host
  12. Monitor and fix settings as needed

Buy and setup new hosting

You have probably done this already. I have recommendations on my rehosting page for new hosts if you are still shopping. In some ways figuring out who deserves your business is the hardest part because the new host must be able to handle your forum’s traffic without breaking a sweat, including during spikes of traffic.

After paying for the hosting, make sure you can access it. Typically the host will provide access credentials to a web host control panel, usually cPanel or Plesk. Test your access. You need to do three things:

  1. You need to know the name of the nameservers to use. You will need this for the final step. There should be two of them, and they usually start with “ns”. They are often in an introductory email you get when you pay for hosting.
  2. Create FTP credentials. Often these are created for you, in which case make sure they work by testing them with your FTP program. Because your domain has not moved yet, you usually access FTP using an IP address.
  3. Make sure you can create a database. Look in the web host control panel for database options. In cPanel look for a “MySQL databases” option.

Disable the forum

For consistency you should disable your forum (ACP > General > Board settings) before backing up anything. You might want to first send out a mass email or post announcements indicating that the forum is being moved, so your users aren’t alarmed.

Download a copy of the forum’s database

Use a phpBB database backup

phpBB has a database backup program built into it. You can often backup your database successfully this way with this option. ACP > Maintenance > Database > Backup. For action, select Download. Press Select All to ensure all the tables in your database are backed up. When you submit the form your browser should soon note a file being downloaded.

Use a backup generated by phpMyAdmin

In your web host control panel, phpMyAdmin should be available. You can use it to export your database. Again, you want to download the result. Check the first link to see how this is done. If you are not using MySQL or MariaDB, consult your database tool to figure out how to get an appropriate backup. I recommend downloading the database as a .sql.gz file.

Backup your database from the command line

In some unusual circumstances you may need command line (SSH) access to backup the database. In addition to SSH credentials, you will need credentials to login to mysql from the command prompt. Describing this procedure is too lengthy for this post, but you can use a search engine to learn how to do this. It is challenging!

Check the integrity of the backup

This step is critical. On some hosts (shared hosting in particular) you may not get a complete backup due to resource limitations. Open the archive using an unarchive tool. Use an editor to view it. Look at the bottom of the file. It should end with the phpbb_zebra table. For MySQL/MariaDB, the last character should be a semicolon(;). If you don’t have a complete backup, you will have to get one. This may require an awkward call to your old web host for help.

Download a copy of the forum’s files

I am assuming that your do not have a larger website to move. When moving a domain you need to move all web accessible files for the domain. If you have WordPress as a front end, you will need to move WordPress too, using a procedure similar to the one for phpBB.

You can use your FTP program to download your files. This approach is often very time consuming, particularly if you have lots of files in the forum’s files folder or you need to move an entire website. For phpBB only, make sure you only download the folder containing your forum.

A better way is to use your old host’s file manager. Select all the files in the forum’s folder, or for an entire site select all the files in the web root folder. Click on the first file, scroll to the bottom then while holding the shift key click the last file. This should get all files and folders. Look for a compress option. It will create a .zip or .tar.gz file. Once the archive is generated, download it with your FTP program.

Optional: change your hosts file so you can access your domain on the new host

While this is optional, it’s almost required as it makes the rest of the work so much easier. You want your computer to use your new domain name transparently even though you have not pointed your domain to your new host yet. Instructions for Windows are here, instructions for Mac are here. You need the IP of your new host to make this trick work. When done when you use your domain name in the browser it should see your new hosting. In most cases you will see a default web page for the domain.

Upload your files to the new host

  1. Create the directory for your forum. It should be named the same as on your old host. Where to place it? It must be in a web accessible directory for your domain. Your web folder will vary but it’s usually in a html or public_html folder.
  2. Upload your files. If you have an archive, simply upload that to your forum’s folder, otherwise upload the thousands of files that comprise the software and data for your forum. If uploading an archive, use the file manager on the new host to unarchive it.
  3. Double check that the files uploaded are in the correct folder and that nothing is missing. You can delete the archive file now if you want.
  4. Check your file permissions. On Unix-based systems the following folders need to be world-writeable (777 permissions): cache, files, store and images/avatars/upload. Fix if necessary. All other files should have Unix 755 permissions.

Recreate the database

  1. In your web host control panel, create a new database for your forum. Sometimes you can specify the database name, sometimes you can only specify part of the database name. Write the name of the new database down.
  2. Next, create a database user that will be allowed to access the database. You also have to assign a password to the database user. Make it a complex password and write it and the database user name down.
  3. Give the new database user permissions to the database. Make sure you grant ALL permissions.
  4. Determine the name of the database server. It is usually on the same machine as your web server and can be referenced as localhost. But if it’s something different, write it down.
  5. Try importing the database using phpMyAdmin (for MariaDB or MySQL). Select the import tab for your database. Point it to your database extract and let it be uploaded. Once uploaded it should be read, recreating your forum’s tables. If the file is too big to be uploaded, you got to be more creative. In most cases you need a staggered importer, which generally means uploading and configuring bigdump.php. If the database was partially loaded, make sure you drop all tables in your new database first using phpMyAdmin. bigdump.php must be edited with the correct database settings before being run. Upload the database extract archive to the same folder as bigdump.php. Run bigdump.php by specifying the correct URL based on where you uploaded it. If you didn’t change your hosts file, you will need the IP of your new server. In addition, you may have to specify a folder in the URL after the IP. Often the letter you get with new hosting will contain this information, otherwise ask you new web host.
  6. Check that everything is moved. You should use phpMyAdmin on your new host in one tab, and phpMyAdmin on your old host in another tab. Make sure all tables in the old database are in the new database and that each table in the new database contains the same number of rows as in the old database. Check a few tables to make sure the structure of the table looks reasonable. In most cases there should be a primary key and one or more indexes for a table.

Reconfigure the config.php file

Most likely the config.php file you copied over won’t work as is. Most likely the database name, the database user name and the database password are all different. You can usually edit this file with your web host’s file manager. Bonus tip: if you are running PHP 7.0 or higher, you may need to change the line:

$dbms = 'mysql';

to:

$dbms = 'mysqli';

Test

Hold your breath. Using your browser, enter the URL for your forum and hope it comes up. There may be a delay of several seconds as new cache files are recreated. Fix any errors you find, which can be challenging. Your web host can help or you can hire me. Reenable the forum and test it. Make sure your style looks right, your logo is properly placed, all the forums are on the index and you can make a test post successfully.

Recreate any email addresses

When you move your domain, you should also recreate any email mailboxes and email forwards you set up for the domain. Unless email for the domain is hosted elsewhere, you should recreate these email boxes, such as your board contact email address. If you had any email forwarders, set these up too.

Change the domain to point to the new host

You are ready to go live! Go to your domain registrar. Enter the new nameservers carefully in the appropriate fields for the domain. Then wait for the DNS changes to propagate. These days most changes happen in 1-3 hours. Your users will know they hit the live forum because the forum is disabled message will not appear. Also, if you changed your host file, undo those changes.

Monitor and fix settings as needed

There are often minor hiccups in the software on a new host. Sometimes you may have to upgrade or downgrade the version of PHP used. There may be some PHP settings that have to be tweaked. Expect a few of these and you may need some help from your web host. Things generally settle down within a few days.