Hiding your phpBB forums

Introduction

Not every forum administrator wants their forum to be public. Some want to have a members-only forum. In fact, it’s not unusual to want the forum to be completely hidden or wholly inaccessible by the public. Some forum administrators realize it’s important not only to keep humans out, but search engines as well.

The good news is that phpBB can keep your forum private, although there are some steps you might want to take outside of phpBB. The bad news is that the procedures for doing so are pretty obscure. Let’s look at some common ways of limiting access.

Keeping everyone out using your web server’s security system

Pros: about as secure as you can get

Cons: shared passwords are often used, ugly interface, and it works separately from the forum

The most effective way to keep everyone out but specified users is to use a security mechanism that is built into your web server. The technique originated with the Apache web server. Not all web servers use Apache, but most do. IIS is Microsoft’s web server, if you are using Windows hosting. nginx (pronounced “Engine X”) is another web server gaining in popularity that is slowly replacing Apache.

With this approach, the first step is to determine what web server software you are running. This site makes it easy.

The idea is to use the web server to challenge the user trying to get into the forum’s folder by requiring the user to successfully provide some credentials, usually a username and password. Typically you get an ugly black and white screen with these fields and a submit button. So this approach is not pretty, but it is highly secure.

If you want to go with this approach, first look at your web host control panel. Control panels like cPanel often have a feature that lets you password protect folders, in this case your phpBB root folder. Here are cPanel’s instructions. Failing that you can do this yourself.

You can use these instructions if you are using Apache and these instructions for nginx. IIS being a Microsoft product operates quite differently. You can use these instructions for IIS.

You can make it easy and use a shared username and/or password or create one for each member of the forum. Note that this happens outside of the forum, so any usernames and passwords used with this approach will probably not be the username and password used to login to the forum. You will have to pass the username and password to use to the user, perhaps using email. This approach simply allows access to the forum so a second step is needed: you must also login to the forum.

This approach not only keeps out humans, but also search engines.

Although not covered here, there are even more secure ways to limit access if you limit access to specific IP addresses. A search engine query will provide instructions if this approach interests you. Since most IP addresses are generated dynamically, this approach usually requires allowing a range of IP addresses and is somewhat fragile.

Stopping search engines from indexing your site with a robots.txt file

Pros: Simple and probably 99% effective

Cons: Malicious search engines can choose to ignore your policy

You can instruct search engines not to search your site. While you can provide instructions, this approach doesn’t keep malicious search engine agents from indexing your site anyhow. Essentially you create a robots.txt file in a plain editor like Notepad and upload it to your forum’s root folder. Its contents should look like this:

User-agent: *
Disallow: /

Disallowing search engines using phpBB

Pros: Effectively stops search engines that phpBB knows about, which are most of them. With the permissions properly set these search engines cannot index your content because the permissions won’t allow it.

Cons: Limited to the 46 search engines that phpBB handles by default

Procedures:

  1. ACP > Permissions > Permission roles > Forum roles
  2. Click on the green wheel on the Bot Access row
  3. Go to the bottom of the page and select the Actions tab
  4. Click on the No column header link which easily makes all these permissions no. Then Submit.

By changing the properties of the Bots role it will affect all existing bots plus any additional bots you create manually later on.

If you want to add bots manually, you can do it this way: ACP > System > General tasks > Spiders/Robots. Where would you discover new robots that might be hitting your site? You would need to periodically review your web server access log.

The phpBB group periodically adds new robots so when you update or upgrade these new robots will appear and will inherit privileges for the bots role.

You can certainly add a robots.txt file disallowing access to your forum root folder and use these procedures too.

Disallowing guest access to forums

Pros: Removes guest read privileges

Cons: A little complex to set up and message to guests is misleading

Procedures:

  1. ACP > Forums > Forum based permissions > Group forum permissions
  2. Select the Guests usergroup and press Submit
  3. Select the forums that you don’t want guests to read or access. For all, check All Forums. Then press Submit.
  4. If you want guests to neither read the forum nor see its name, for each forum change Read Only Access to No Access then the press the Apply All Permission button at the bottom of the page. Note: if all forums were changed then at this point guests accessing the index will see a “No forums” message. This is misleading because the forums are there, you just have to be registered, logged in and have appropriate permissions to see them.
  5. If you want guests to see the forum name but not be able to see or read any topics, first complete step 4. Then for each forum click on Advanced permissions, select the Actions tab and select Yes to Can see forum. When applied to all applicable forums, press the Apply All Permission button at the bottom of the page.

Bonus tip

If security is a concern, consider also using HTTPS to encrypt all traffic going to and from your forum. More is on this post.

Moving your forum to https

Updated October 13, 2019 to add that cookie settings should be made secure and to use 443 for the server port.

Should your forum transmit and receive data securely? Most forums don’t contain sensitive information, so you would think the answer would normally be “no”. A secure forum encrypts all communications between server and client. This would be done by changing the URL of your forum to use https (Secure HTTP) instead of http (insecure).

Once considered a nice-to-have feature, technology companies are nudging us content providers to use https. Google is primarily responsible for upping the ante. Back in 2014, Google announced that sites that send data securely would be ranked higher than those that did not, all things being equal. This is a pretty good incentive for site owners to respond, particularly if you are concerned about your site ranking. However, in 2014 moving to https was still a pain so lots of site owners decided to dodge the issue.

As with most things, going to https can be complicated and potentially expensive and/or time consuming. Fortunately, it’s less complicated than it was, and can even be free.

SSL vs. TLS encryption

To make https work, a digital certificate must be installed on your web server. Keys in the certificate are used to encrypt communications, by the server with a private key which is decrypted by the receiver with a public key provided when the connection is established. SSL (secure socket layer) or TLS (transport layer security) protocols are used to facilitate secure communications over HTTP. TLS is the newer technology and SSL is now seen less frequently because it is easier to hack. Whether using SSL or TLS though, it’s behind the scenes stuff. The user just sees https in the URL and assumes data going to and from your forum will be transmitted securely.

Shared certificates

Hosts often provide a shared certificate you can use. As the name implies, the certificate is shared with others, generally all domains on the same server as the one that you are on. While this works, it is ugly. First, hosts will issue “self signed” certificates. Browsers will not trust self signed certificates and will ask users if they want to trust the certificate. You generally pick an “advanced” link in the browser and give your browser permission to trust the certificate. This obviously will not inspire confidence in users coming to your site. New users may simply opt out of coming to your forum altogether, feeling it is untrustworthy.

Paid certificates

Web hosts will usually offer to sell you a certificate, generally for around $75/year. This is a convenient way to go if cost is not a concern. Some hosts will handle the logistics of integrating the certificate for you. Also, these certificates will be trusted by the browser, as they will come from a certificate authority the browser will recognize as trusted.

As you might expect there are various levels of certificates based on the level of trust you are willing to pay for. Higher class certificates require site owners to submit credentials to prove they own their domains and they are who they say they are. This is especially important in electronic commerce. Hence Amazon’s certificates will cost a lot more than any certificate you are likely to get. If you are doing electronic commerce on your site you might want to pay for a higher level certificate, which will require you providing credentials to the certificate authority. In most cases though forums simply need a low class certificate, enough so that the certificate is trusted by the browser by default.

Let’s Encrypt certificates

The hassle and cost of securing web traffic has become recognized as a general issue, leading to a project to make trusted certificates available for free. The Let’s Encrypt site will issue certificates for free that are recognized by all the major browsers. However, the certificates are only good for three months. Moreover, depending on your host, installing and renewing certificates can be a considerable hassle. For example, I use MediaTemple‘s Grid Service to host this site. It supports Let’s Encrypt, but it’s quite a pain to install and renew certificates. Other sites, like SiteGround, make it automatic. All things being equal, you might prefer a host that makes installing and renewing Let’s Encrypt certificates easy, especially if this is important to your site.

Configuring phpBB to use HTTPS

By default, phpBB assumes you will be using HTTP, not HTTPS. Once your certificate is installed and tested, it’s easy to change phpBB in the Administration Control Panel: ACP > General > Server configuration > Server settings. Then change server protocol from http:// to https:// and the server port from 80 to 443. What this does is change the links across the site.

Also, change your cookie settings to use a secure cookie: ACP  > General > Server configuration > Cookie settings.

Do you have a httpsdocs or ssl folder? You may want to move your web content into it.

It you normally place your web content into a httpdocs folder, check to see if there is also a httpsdocs folder. This is commonly set up for you if you use Plesk as a web host control panel. Content in the httpsdocs folder is served securely.

In some configurations, there is a public_html folder for web content and also a ssl folder for secure content. In this case you could move the content of the public_html folder into the ssl folder.

This is a one-time action. If you have lots of files, it may take a while to move all the content. If you have a file manager, this makes it easier, but be careful to get the paths just right! You might want to backup your site before attempting this.

Redirecting HTTP traffic to HTTPS

Even with a certificate installed it’s possible that you will get requests for forum traffic using HTTP. You may want to make all HTTP traffic use HTTPS traffic instead. You can see what type of web server you are using the Administration Control Panel: ACP > General > Quick access > PHP Information. Scan for “Server API”.

These instructions will work if your web server is Apache. Edit your .htaccess file in your forum (or to make it across the whole site, edit or create a .htaccess file in your web root) as follows. Place this code at or near the top of the file, changing mysite.com to your domain name:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R,L]

If you use nginx, use these instructions. If you use Microsoft’s IIS, use these.

Malware issues with phpBB

As I do work for lots of different clients, I see patterns that others may not. Recently I’ve been seeing frequent malware issues on mostly older phpBB 3.0 forums. Since it’s malware, it’s often hard to know that you have malware. The malware may not be doing anything malicious to your web site, but it is trying to infect the computers of the users of your forum.

Do you have malware?

There is no way to really know if you have malware or not without comparing the version of phpBB you have installed with a reference version. If your forum seems to be operating normally, you will have no reason to check for malware. But if a forum that was recently running optimally now seems slower, particularly when loading pages, this might point to a malware problem. You or users accessing your forum might have antivirus tools installed that may detect malware.

Is phpBB software introducing your malware?

Almost certainly not. Rest assured that the phpBB Group spends considerable time and effort to check software it releases for security issues. In fact, it uses some of the best software available to find potential issues so they don’t occur. So it’s unclear to me how this malware is being introduced, but rest assured it’s not an issue with anything the phpBB group has done.

That said, the phpBB group has improved its security practices over time. One thing that has changed is it is judicious about using PHP eval() statements. They have not all been removed but where they are used they are marked as exceptions in the code. PHP eval() statements are dangerous because any code placed inside the parentheses is evaluated and executed. Since you don’t know what the code will be in advance, any use of eval() introduces a potential vulnerability to phpBB.

How is malware getting on a forum?

It’s hard to say definitively how this malware is getting introduced. Most likely it is being introduced by wrong permissions on phpBB folders and files. In phpBB only the files, images/avatars/upload and store folders should be publicly writable (0777 permissions). It’s critically important to make sure that your forum’s config.php file is not publicly writeable. You can use tools like your web host’s File Manager or an FTP program like Filezilla to check your folder and file permissions and correct as necessary.

Malware could also be introduced by sloppy server management by your web host.

Possible malware symptoms

If your forum comes to a halt rather unexpectedly, malware may be the cause. For example if you cannot login and you were previously able to login, this may be due to malware. What I often see are HTTP 500 (Application errors) reported. HTTP errors are usually written to a log. Sometimes you will find that your web server puts a file named error_log in your phpBB root folder, or in your web root folder. Examine the error log at the time the error occurred and see if there are any messages. In particular if there is an error message saying a PHP eval() statement failed, this may point to a malware issue.

How do I know if my forum’s files have malware?

As I mentioned, the only way to know for sure is to compare your forum’s files with a phpBB reference. I usually find malware at the top of certain or all .php files. You can use these procedures. This is obviously a lot of work. If you prefer, I can do this and fix most issues found for 1-2 hours of labor ($30 – $60). Contact me.

  1. Determine the version of phpBB you are using. If you can get into your Administration Control Panel, it will show the phpBB version on the main screen. If you can’t this SQL query using a tool like phpMyAdmin will tell you. You must be in the database containing your forum. If you are unsure what the name of the database is, you can see it in your config.php file. On the SQL tab execute paste the following SQL. (Change the table suffix if necessary to what you are using):
    select config_value from phpbb_config where config_name = ‘version’;
  2. Download a copy of the official version of phpBB that you have installed and expand the archive. All versions can be found here. For phpBB 3.0, you can also find it here.
  3. Install a tool that can compare files and directories. If you are using Windows, WinMerge is an obvious choice. For the Mac, if you know Unix there is the Unix diff command but it’s not easy to use. For Mac or Linux, I recommend kdiff3 which is also available for Windows and most Unix variants.
  4. Use FTP to download your phpBB forum files to your local computer. Keep it in its own directory. Note: this can be quite time consuming particularly if you allow users to upload files and images. You might want to skip downloading the files, images and cache folders.
  5. Compare your phpBB programs with the referenced version. If introduced, malware it is most likely in .php files, but could possible be in .html or .js files too. The tool will highlight files and folders with differences. Malware is most likely to be seen at the top of the file probably inside of a long PHP eval() statement. They should stick out like sore thumbs as the malware code will look odd and different. Note: some differences could be due to installing phpBB 3.0 modifications.  phpBB 3.0 modifications work by changing phpBB’s source files.
  6. Upload clean versions of uninfected files from your reference, Make sure you are replacing the old programs. Note: if there is malware in config.php remove it manually using the File Manager’s edit function. You want to preserve the lines that are critical to integration of the database.
  7. If most files are infected, you might want to replace all the files. If you do this:
    1. Backup your files and the database just in case.
    2. Do not replace the config.php file, but edit as in Step 6.
    3. If you see no malware in the style folder, don’t upload that as it’s unnecessary and you may overwrite changes made to your style for your logo, unique colors, etc. If you have to remove malware from a style folder, it’s best to do it carefully and edit out the malware on a file-by-file basis.
    4. Do not remove valid files such as uploaded images and documents in the files and images folders.
    5. If you are using phpBB 3.0 and have modifications installed, you will have to edit any files that the mod changes to regain the functionality of the mods. The install.xml file for the mod should detail all the file changes needed. You should also be able to see these changes using your file difference program.
  8. Run and test phpBB. Everything should behave normally.

Preventing malware

  1. Make sure your forum’s file and folder permissions are set correctly. See above.
  2. Upgrade or update your forum to the latest version of phpBB.
  3. Make a practice of updating your forum soon after new releases of phpBB are announced. Releases contain fixes for any security issues found.
  4. Many web hosts offer Apache ModSecurity that can be enabled in the web host control panel. Sometimes it is enabled by default. While enabling ModSecurity can prevent a lot of problems, my experience is that phpBB and ModSecurity don’t work well together. It may introduce its own HTTP 500 errors. You can try enabling it and see if it doesn’t cause issues. Disable it or add code to your forum’s .htaccess file to disable inside your forum if issues occur.