Hiding your phpBB forums


Not every forum administrator wants their forum to be public. Some want to have a members-only forum. In fact, it’s not unusual to want the forum to be completely hidden or wholly inaccessible by the public. Some forum administrators realize it’s important not only to keep humans out, but search engines as well.

The good news is that phpBB can keep your forum private, although there are some steps you might want to take outside of phpBB. The bad news is that the procedures for doing so are pretty obscure. Let’s look at some common ways of limiting access.

Keeping everyone out using your web server’s security system

Pros: about as secure as you can get

Cons: shared passwords are often used, ugly interface, and it works separately from the forum

The most effective way to keep everyone out but specified users is to use a security mechanism that is built into your web server. The technique originated with the Apache web server. Not all web servers use Apache, but most do. IIS is Microsoft’s web server, if you are using Windows hosting. nginx (pronounced “Engine X”) is another web server gaining in popularity that is slowly replacing Apache.

With this approach, the first step is to determine what web server software you are running. This site makes it easy.

The idea is to use the web server to challenge the user trying to get into the forum’s folder by requiring the user to successfully provide some credentials, usually a username and password. Typically you get an ugly black and white screen with these fields and a submit button. So this approach is not pretty, but it is highly secure.

If you want to go with this approach, first look at your web host control panel. Control panels like cPanel often have a feature that lets you password protect folders, in this case your phpBB root folder. Here are cPanel’s instructions. Failing that you can do this yourself.

You can use these instructions if you are using Apache and these instructions for nginx. IIS being a Microsoft product operates quite differently. You can use these instructions for IIS.

You can make it easy and use a shared username and/or password or create one for each member of the forum. Note that this happens outside of the forum, so any usernames and passwords used with this approach will probably not be the username and password used to login to the forum. You will have to pass the username and password to use to the user, perhaps using email. This approach simply allows access to the forum so a second step is needed: you must also login to the forum.

This approach not only keeps out humans, but also search engines.

Although not covered here, there are even more secure ways to limit access if you limit access to specific IP addresses. A search engine query will provide instructions if this approach interests you. Since most IP addresses are generated dynamically, this approach usually requires allowing a range of IP addresses and is somewhat fragile.

Stopping search engines from indexing your site with a robots.txt file

Pros: Simple and probably 99% effective

Cons: Malicious search engines can choose to ignore your policy

You can instruct search engines not to search your site. While you can provide instructions, this approach doesn’t keep malicious search engine agents from indexing your site anyhow. Essentially you create a robots.txt file in a plain editor like Notepad and upload it to your forum’s root folder. Its contents should look like this:

User-agent: *
Disallow: /

Disallowing search engines using phpBB

Pros: Effectively stops search engines that phpBB knows about, which are most of them. With the permissions properly set these search engines cannot index your content because the permissions won’t allow it.

Cons: Limited to the 46 search engines that phpBB handles by default


  1. ACP > Permissions > Permission roles > Forum roles
  2. Click on the green wheel on the Bot Access row
  3. Go to the bottom of the page and select the Actions tab
  4. Click on the No column header link which easily makes all these permissions no. Then Submit.

By changing the properties of the Bots role it will affect all existing bots plus any additional bots you create manually later on.

If you want to add bots manually, you can do it this way: ACP > System > General tasks > Spiders/Robots. Where would you discover new robots that might be hitting your site? You would need to periodically review your web server access log.

The phpBB group periodically adds new robots so when you update or upgrade these new robots will appear and will inherit privileges for the bots role.

You can certainly add a robots.txt file disallowing access to your forum root folder and use these procedures too.

Disallowing guest access to forums

Pros: Removes guest read privileges

Cons: A little complex to set up and message to guests is misleading


  1. ACP > Forums > Forum based permissions > Group forum permissions
  2. Select the Guests usergroup and press Submit
  3. Select the forums that you don’t want guests to read or access. For all, check All Forums. Then press Submit.
  4. If you want guests to neither read the forum nor see its name, for each forum change Read Only Access to No Access then the press the Apply All Permission button at the bottom of the page. Note: if all forums were changed then at this point guests accessing the index will see a “No forums” message. This is misleading because the forums are there, you just have to be registered, logged in and have appropriate permissions to see them.
  5. If you want guests to see the forum name but not be able to see or read any topics, first complete step 4. Then for each forum click on Advanced permissions, select the Actions tab and select Yes to Can see forum. When applied to all applicable forums, press the Apply All Permission button at the bottom of the page.

Bonus tip

If security is a concern, consider also using HTTPS to encrypt all traffic going to and from your forum. More is on this post.

Moving your bulletin board to https

Updated October 13, 2019 to add that cookie settings should be made secure and to use 443 for the server port.

Should your bulletin board transmit and receive data securely? Most boards don’t contain sensitive information, so you would think the answer would normally be “no”. A secure board encrypts all communications between server and client. This would be done by changing the URL of your board to use https (Secure HTTP) instead of http (insecure).

Once considered a nice-to-have feature, technology companies are nudging us content providers to use https. Google is primarily responsible for upping the ante. Back in 2014, Google announced that sites that send data securely would be ranked higher than those that did not, all things being equal. This is a pretty good incentive for site owners to respond, particularly if you are concerned about your site ranking. However, in 2014 moving to https was still a pain so lots of site owners decided to dodge the issue.

As with most things, going to https can be complicated and potentially expensive and/or time consuming. Fortunately, it’s less complicated than it was, and can even be free.

SSL vs. TLS encryption

To make https work, a digital certificate must be installed on your web server. Keys in the certificate are used to encrypt communications, by the server with a private key which is decrypted by the receiver with a public key provided when the connection is established. SSL (secure socket layer) or TLS (transport layer security) protocols are used to facilitate secure communications over HTTP. TLS is the newer technology and SSL is now seen less frequently because it is easier to hack. Whether using SSL or TLS though, it’s behind the scenes stuff. The user just sees https in the URL and assumes data going to and from your board will be transmitted securely.

Shared certificates

Hosts often provide a shared certificate you can use. As the name implies, the certificate is shared with others, generally all domains on the same server as the one that you are on. While this works, it is ugly. First, hosts will issue “self signed” certificates. Browsers will not trust self signed certificates and will ask users if they want to trust the certificate. You generally pick an “advanced” link in the browser and give your browser permission to trust the certificate. This obviously will not inspire confidence in users coming to your site. New users may simply opt out of coming to your board altogether, feeling it is untrustworthy.

Paid certificates

Web hosts will usually offer to sell you a certificate, generally for around $75/year. This is a convenient way to go if cost is not a concern. Some hosts will handle the logistics of integrating the certificate for you. Also, these certificates will be trusted by the browser, as they will come from a certificate authority the browser will recognize as trusted.

As you might expect there are various levels of certificates based on the level of trust you are willing to pay for. Higher class certificates require site owners to submit credentials to prove they own their domains and they are who they say they are. This is especially important in electronic commerce. Hence Amazon’s certificates will cost a lot more than any certificate you are likely to get. If you are doing electronic commerce on your site you might want to pay for a higher level certificate, which will require you providing credentials to the certificate authority. In most cases though boards simply need a low class certificate, enough so that the certificate is trusted by the browser by default.

Let’s Encrypt certificates

The hassle and cost of securing web traffic has become recognized as a general issue, leading to a project to make trusted certificates available for free. The Let’s Encrypt site will issue certificates for free that are recognized by all the major browsers. However, the certificates are only good for three months. Moreover, depending on your host, installing and renewing certificates can be a considerable hassle. For example, I use MediaTemple‘s Grid Service to host this site. It supports Let’s Encrypt, but it’s quite a pain to install and renew certificates. Other sites, like SiteGround, make it automatic. All things being equal, you might prefer a host that makes installing and renewing Let’s Encrypt certificates easy, especially if this is important to your site.

Configuring phpBB to use HTTPS

By default, phpBB assumes you will be using HTTP, not HTTPS. Once your certificate is installed and tested, it’s easy to change phpBB in the Administration Control Panel: ACP > General > Server configuration > Server settings. Then change server protocol from http:// to https:// and the server port from 80 to 443. What this does is change the links across the site.

Also, change your cookie settings to use a secure cookie: ACP  > General > Server configuration > Cookie settings.

Do you have a httpsdocs or ssl folder? You may want to move your web content into it.

It you normally place your web content into a httpdocs folder, check to see if there is also a httpsdocs folder. This is commonly set up for you if you use Plesk as a web host control panel. Content in the httpsdocs folder is served securely.

In some configurations, there is a public_html folder for web content and also a ssl folder for secure content. In this case you could move the content of the public_html folder into the ssl folder.

This is a one-time action. If you have lots of files, it may take a while to move all the content. If you have a file manager, this makes it easier, but be careful to get the paths just right! You might want to backup your site before attempting this.

Redirecting HTTP traffic to HTTPS

Even with a certificate installed it’s possible that you will get requests for board traffic using HTTP. You may want to make all HTTP traffic use HTTPS traffic instead. You can see what type of web server you are using the Administration Control Panel: ACP > General > Quick access > PHP Information. Scan for “Server API”.

These instructions will work if your web server is Apache. Edit your .htaccess file in your board (or to make it across the whole site, edit or create a .htaccess file in your web root) as follows. Place this code at or near the top of the file, changing mysite.com to your domain name:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R,L]

If you use nginx, use these instructions. If you use Microsoft’s IIS, use these.

Why does my forum’s performance suck?

With growth or just with the passage of time, phpBB forums can slow down. Pages may take a while to load if they load at all. You might get HTTP 500, 403 or other errors.

Today, site visitors expect fast response and if they don’t get it they may just decide it’s not worth coming to your forum. However, troubleshooting the root cause of these problems can be hard.

Often just opening a support ticket with your web host will bring you resolution. Or not. Web hosts run the gamut from poor to excellent, and generally the less you pay the poorer the service is. Web hosts though often know what the problems are, they just don’t want to tell you, as it makes them look bad. They may want you to pay for a higher quality of hosting to “solve” a problem that is really their fault, because they don’t maintain their infrastructure properly.

Here are some reasons that may be at the heart of your forum’s performance problems:

  1. Increased traffic. The traffic may not be traffic to your forum, but to other websites hosted on the same machine (server) as your website, if you are using shared hosting. This used to be a huge problem. Hosts would overload servers with domains because it was cheaper than going out and buying new machines. This works for a while until enough customers complain. The smart customers rehost somewhere else but obviously their hosts are hoping the rest won’t bail because it’s too much hassle. If traffic is getting consistently slower over a relatively short period of time or you are seeing a consistent increase in 500, 403 or similar error pages while using shared hosting, this is probably the reason. If your site is getting massively more traffic than you did before you might need to upgrade your hosting to a virtual private server or possibly even a dedicated server. Web hosts usually provide reports on usage that will help you get an idea if this might be the cause.
  2. Old hardwareThe law of entropy states that over time systems must degrade, i.e. become more complex or inefficient. It happens to your host’s servers too. Your website may be on a server that is ten years old, or has insufficient memory or CPU power for today’s needier software. So work may go into a queue until the CPU can catch its breath. While you are waiting of course nothing is happening. One clue may be to check the software installed on a server. For example, if you look in phpMyAdmin and you find that your MySQL database is running version 5.1 (released in 2008) then maybe your server is 2008 vintage, or older. Today MySQL 5.5 is generally the minimum version installed, with 5.7 being the newest and shiniest.
  3. Underpowered servers. Your server may not really have sufficient resources (CPUs, disk drives, etc.) to handle the traffic that is on it.
  4. Resource limitations. With shared hosting in particular there are implicit and generally poorly understood limits on the number of “resources” you can use: files, memory, CPU time or units of database work. You will usually see errors like this when they happen. They mean generally two things: either you are outgrowing your hosting or your server is overcommitted with other domains it is supporting. If your traffic is pretty steady, it’s more likely the latter problem. This is a sign of a poor host. You might want to rehost.
  5. Dated software. I mentioned that a host still running MySQL 5.1 is a yellow flag of caution. It’s not that MySQL 5.1 was a bad version, but many new features and performance improvements have been added since 2008. Your forum’s software has probably gotten more complex so it could use those improvements. Similarly, hosts running PHP 4 (fortunately, there are very few of these left) or even PHP 5.2 need to update their technology stack. You can see your version of PHP, web server software, operating system and the database in the Administration Control Panel, PHP information. Even the web server software you use can be dated. Still on Apache 1.2? You should probably be hosting somewhere else.
  6. You’ve been hacked! This happens rather infrequently, but it does occur from time to time. Malware or other bogus code may have infected your phpBB programs, templates and stylesheets, chewing up CPU and worse possibly infecting your readers’ computers with malware. Needless to say any malware must be removed. It may be discovered by comparing your software with a reference version of phpBB that you are using.
  7. Your database needs tuning. With so many reads and writes, your database may have grown and scattered itself all over the server’s disk platters, making it time consuming for the database management system to read and write data. You can try repairing and optimizing your forum’s tables in phpMyAdmin or a similar tool and see if performance improves.
  8. Your database is not properly configured. You may be missing primary keys, or indexes for tables. In some cases certain standard columns (added with upgrades) end up missing. Primary keys and indexes are used to retrieve data quickly. If they are missing the database won’t complain, but it will read all rows in a table to get what it needs, which is highly inefficient and can make a forum crawl. These sorts of problems are often the result of database updates that never finished properly, although they may have said they did. This can happen frequently upgrading from phpBB 3.0 to 3.1.
  9. Your phpBB version is woefully out of date. I am still surprised by requests that I get to upgrade phpBB 2 forums. phpBB 3.0 was released in late 2007! The problem is often not phpBB 2 itself, but your PHP version, which has evolved, making the handshake between PHP and phpBB awkward and inefficient, if it doesn’t trigger PHP warnings or errors. Upgrades are never fun or painless, but something you need to keep up on.
  10. You need to use a different database. Typically phpBB is used with the MySQL database because it’s free. phpBB at least in theory supports a host of other databases including SQLite and SQLServer. Most of the testing is done against MySQL and really phpBB is optimized for use with MySQL or its clone MariaDB. You will probably see better performance if you stick with these databases.
  11. You are using Microsoft software on the server. IIS is Microsoft’s web server. If you are running IIS you are also on a server using a Microsoft server operating system. IIS is not a bad web server but it works suboptimally with phpBB. phpBB should work best in a standard environment. So if you have the option to move to a Linux/Apache web server you may find marked performance improvement.
  12. Your browser is old. phpBB expects a reasonably modern browser. If others aren’t having issues but you are, maybe it’s time to upgrade your browser from IE7 or Firefox 2. Stick with recent versions of browsers like Firefox, Chrome, Safari and Opera.

There are other reasons your forum could be slow, but most likely the cause is one or more of the above. If you don’t feel you have the expertise to troubleshoot these issues yourself, or simply would rather have it done professionally, send me a service inquiry.