October 2017 work summary

October was a very profitable month for me, best of the year so far. It’s a little mysterious to me why it was so, but I did collect on a few projects I was owed so that helped. Anyhow, here’s a summary of the work I did in October. All client information has been anonymized, of course:

  • Upgraded a forum from phpBB 3.0.9 to 3.2.1. The vendor folder was corrupt in my archive, which I think was due to a bad release by the phpBB Group since corrected. I fixed my archive, installed the prosilver_se style and applied the client’s logo. I also installed my digests extension (version 3.2.4) and tested it. In programming the cron job, since HTTPS was used, I added the -K option to curl so it didn’t verify the certificate.
  • Client upgraded from phpBB 3.1 to 3.2. He had the portal extension installed but the upgrade caused an error rendering the portal page. Updating the extension to 2.2.0-b1 solved the problem although it should be noted there is not an approved version of the portal for phpBB 3.2 at this time.
  • Client was having trouble getting version 3.0.7 of my digests extension to mail from a phpBB 3.1.10 instance. I figured out the issues were due to incorrect manual testing procedures. Then the client wanted me to create a customized version that removed certain items from the digest email. I made changes which also required a change to the mailer program. I also found a digests 3.0.7 French language translation and installed it (since the board is hosted in France) and modified that language file as well as the English version to accommodate the requested changes. I tested it on a 3.1.9 instance on my machine and since I did not have installation permissions, I placed a copy on Google Drive for the client to access and install, with instructions. Later there was additional work. Now with full permissions, I upgraded the client from phpBB 3.1.10 to 3.2.1. I installed a new version of we_universal style, but the development version has a few issues (quote icons and the like would not show). I reapplied custom code changes to my digests extension. In addition the client wanted additional template changes with banner images in the digests. These plus communication challenges added a lot of time.
  • Client said he had managed to acquire the domain name a competitor was using, which had expired. Changed DNS to redirect to the selected domain but the action never completed. However, I later learned that the domain did not expire but GoDaddy let him buy it anyhow. Client paid me for my time.
  • Upgraded a forum from phpBB 3.0.12 (subsilver2 style, no mods) to 3.2.1. Changed the style with the upgrade to Allen Subsilver. I added the old logo. I added an extension so external links render pages in new tabs. Redirect issues were solved by removing cPanel redirects and creating an index.html file with a meta tag to redirect to forum. In addition, SuperCacher was turned on. I had to flush SuperCacher in cPanel to affect logo changes. I created a question on registration but registration is currently disabled. I suggested configuring the new reCaptcha if this is enabled.
  • Another error was reported by a client I helped last month. I looked at the error log. I determined that the German language pack said it was installed but the files were not there and that triggered the error. I added the German language pack for phpBB 3.1.10. Another error pointed to something wrong with the Profile Side Switcher extension. Version 0.0.1 was installed, updated to 1.0.0 and that error went away. I also removed some dead modules. I changed permissions on cache, files, images/avatars/upload and store folders. I cleared the cache. The extensions tab did not show. This may be a database issue with the modules table. Waited for feedback or additional permissions. Client paid me for the work to date.
  • I completed a month plus long project to change the website’s front end from static pages to WordPress. Originally I placed WordPress in a /wordpress folder. I moved the old files into an old_files folder, moved WordPress into the root folder, installed a plugin to change some paths and changed some database columns to get it to work from the root folder. The move to WordPress included creating a shopping cart and testing it, replicating a members only area by doing it inside of WordPress, installing a theme, installing a form generator for membership applications and creating the membership form, and the integration of a photo gallery using a plug in. So while phpBB is my specialty, I can do a lot of WordPress work too, so it doesn’t hurt to ask if you want me to do some WordPress work for you.
  • Upgraded a forum from phpBB 3.2.0 to 3.2.1. Reapplied logos. Updated American English language pack.
  • Removed malware from site using cPanel’s file manager, placed bad content in Trash for customer’s review then submitted it to Google for a check. Later, client encountered more spam issues. Web host said WordPress plugins were sending spam. They blocked access to the site so I couldn’t go in and do anything. Sent support an email. Never replied back but a couple days later I could get into WordPress. Client has both a French and an English site. Updated plugins and updated WordPress on both sites. Installed plugin that automatically updates plugins on both sites.
  • Upgraded a forum from phpBB 3.0.14 to 3.2.1. Work involved rehosting the forum too as the customer’s virtual server was underpowered, making database operations problematic. Customer eventually chose a new web host and it took about a week to move the content over along with the WordPress content. Resource limitations occurred trying to upgrade forum on old host, requiring me to move it to my machine, do the work there and upload it. However, bigdump.php would not complete loading the database, due to resource limitations on the database (first time I’ve seen this for virtual hosting). Many tables had primary keys and indexes missing. Eventually the new host got WordPress working correctly for the client. I had to reload the phpBB database to recreate the indexes and primary keys that were missing. While running bigdump.php on the new host I encountered a Javascript error but I was able to load database from the command prompt instead. Installed the Hexagon style, configured the logo, placed a special tile background image and uploaded old icons for forum and topic images. In some cases browser resized them, making them a bit fuzzy. Installed the Advertising Management Extension and added two ads in two locations. Upgraded PHP to 7.1 and tested. Installed the Advanced BBCode Box extension. Uploaded his many old images used in the headers principally to /styles/Hexagon/theme/images.
  • Troubleshooting. Email interface wasn’t working. It was set to send mail via SMTP. I turned it off and tested it and received a sample mass email.
  • Upgraded a forum from phpBB 3.0.11 to 3.2.1. Kept the prosilver style and reapplied the logo. Installed Google Analytics extension. Installed Advertising Management extension but HTTP 403 errors triggered when creating ad. Asked client to file a support request to get this addressed. Advised about placement of skyscraper ads (not a good idea for phpBB). Forum is inside a frame. Recommended this be addressed. Later, working with security rules were setup to bypass modSecurity for ad placement. Installed reCaptcha.

Session hijacking: what’s (probably) going on

Over the last couple of months I’ve had a number of clients come to me because of mysterious things happening on their forums. Going to a forum they find that they are logged in as someone else and can see things they definitely should not see, such as private messages and forums they don’t have privileges to see. I’ve spent a lot of time trying to figure this out, talking to clients’ web host support teams and scouting phpbb.com for a solution.

The good news is that this is not due to some deficiencies in phpBB. The bad news is that this is due to the way your web host has configured their servers and it’s affecting phpBB.

phpBB is the #1 forum solution, with something like 70% of the market. But as a percentage of popular software installed on websites, phpBB is tiny, on about 1% of websites. What’s the 800 pound gorilla? It’s WordPress, which runs 27% of websites. So web hosts will meticulously tune their servers to optimize for WordPress, giving short shrift to much of the rest of the open source software out there. Most web hosts now say they are optimized for WordPress and market WordPress-specific hosting. phpBB is being left behind along with lots of other software. Because phpBB gets most of its content from a database to be presented on the fly, more than most open source solutions it is not amenable to static content.

The problem is most acute if you have Bluehost shared hosting. The underlying issue is some software called Varnish, more specifically Varnish HTTP Cache. Varnish helps dynamically driven sites perform more efficiently by caching content in your server’s virtual memory. Web hosts can make more money if they can get more utilization out of one web server. Varnish is one way they keep costs down as it allows them to stuff more websites on one machine.

Varnish is kind of pointless with phpBB since phpBB already has its own cache, which you can find in your forum’s cache folder. Essentially phpBB programs, templates, stylesheets and SQL calls are all compiled into .php programs in the cache folder so they can be executed more quickly. So Varnish is redundant but, more importantly, it interferes with phpBB’s default behavior. So if you have the issue, contact your web host to find out if they are using Varnish and if so have them turn it off. As for Bluehost, as of this writing they will tell you they can’t turn it off. You have shared hosting so one size fits all. They will however be happy to move you to their cloud product. Varnish is not installed there, so you won’t be affected. However you may have to pay a higher hosting fee.

It’s unclear if Varnish is the sole cause. Other potential problems may be due to Content Delivery Networks (CDNs). This is most typically CloudFlare, since it is bundled free by most web hosts. CDNs attempt to move content closer to the user by having it fetched from server farms geographically close to the site viewer, thus speeding up page load time. This is usually fine with phpBB since CDNs generally only store static files like images. So a CDN shouldn’t cause issues like this, but if you have a CDN you might want to disable it to see if the problem goes away. Note: the one time you do need to do something with your CDN is when you add a style or significantly change the look of your site. Then it’s a good idea to tell the CDN to delete all its cached content. Otherwise, the experience by end users might be mixed or odd.
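One way to check from the outside whether a cache layer is answering for your forum is to read the response headers of a forum page. The following is an added example, not code from the original post or from phpBB: it classifies header blocks as printed by `curl -sI`, looking for Varnish or CloudFlare markers alongside phpBB session cookies. The sample headers, cookie values and verdict labels are constructed for illustration.

```python
# Cookie-name suffixes phpBB appends to the board's configured cookie name.
SESSION_SUFFIXES = ("_sid", "_u", "_k")

# Constructed samples of `curl -sI` output; every value below is made up.
SAMPLE_LEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: private, no-cache="set-cookie"
Set-Cookie: phpbb3_ab12c_u=2; path=/; HttpOnly
Set-Cookie: phpbb3_ab12c_sid=0123456789abcdef0123456789abcdef; path=/; HttpOnly
X-Varnish: 32770 32768
Age: 41
Via: 1.1 varnish"""

SAMPLE_PASS = """HTTP/1.1 200 OK
Cache-Control: private, no-cache="set-cookie"
Set-Cookie: phpbb3_ab12c_sid=fedcba9876543210fedcba9876543210; path=/; HttpOnly
X-Varnish: 65540
Age: 0
Via: 1.1 varnish"""

SAMPLE_CDN_IMAGE = """HTTP/1.1 200 OK
Content-Type: image/png
Cache-Control: public, max-age=86400
CF-Cache-Status: HIT
Age: 120"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs; Set-Cookie may repeat, so no dict."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def assess(raw):
    """Classify one response: which cache answered, was it a hit, is a session exposed."""
    headers = parse_headers(raw)
    values = lambda name: [v for k, v in headers if k == name]
    first = lambda name: (values(name) or [""])[0]
    layer = None
    if values("x-varnish") or "varnish" in first("via").lower():
        layer = "varnish"
    elif values("cf-cache-status"):
        layer = "cloudflare"
    # A Varnish hit carries two IDs in X-Varnish; Age > 0 means a stored copy was served.
    age = first("age")
    hit = (len(first("x-varnish").split()) == 2
           or (age.isdigit() and int(age) > 0)
           or first("cf-cache-status").upper() == "HIT")
    names = [c.split("=", 1)[0].strip() for c in values("set-cookie")]
    session_cookies = [n for n in names if n.endswith(SESSION_SUFFIXES)]
    directives = {d.split("=")[0].strip() for d in first("cache-control").lower().split(",")}
    origin_forbids = bool(directives & {"private", "no-store", "no-cache"})
    if hit and session_cookies:
        verdict = "leak"  # a stored response is handing out session cookies
    elif hit and origin_forbids:
        verdict = "cache-overrides-origin"
    elif layer and session_cookies and not origin_forbids:
        verdict = "at-risk"
    else:
        verdict = "ok"
    return {"layer": layer, "hit": hit, "session_cookies": session_cookies, "verdict": verdict}
```

A "leak" or "cache-overrides-origin" verdict on a dynamic page such as index.php or viewtopic.php is the evidence to hand to the web host; a hit on an image or stylesheet is the normal CDN behaviour described above.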

I also suspect that ModSecurity may be causing issues like this, but I don’t have enough proof yet. If it is enabled, disabling ModSecurity may make your problem go away. As I blogged recently, disabling ModSecurity in general tends to solve a lot of weird phpBB issues, while it may introduce others by potentially making it easier for your site to propagate malware and viruses.

November 2016 work summary

Here is some of the work I did for clients in November. I also released version 3.0.7 of my digests extension that involved a considerable amount of time and effort during November.

  • Some non-phpBB work. I worked on refining a WordPress widget to show a picture of current snow conditions for a client’s WordPress site. Since the client has a retinal device and found the picture uploaded a bit fuzzy, I found and installed a WordPress plugin that creates retinal images and intelligently serves them if it detects the device supports retinal images. I also edited the widget’s stylesheet to reduce the margins so it fits the sizing of other content. I also changed media library medium image setting to 332 pixels width to fit the image container optimally. I also provided instructions on how the client can do this himself in the future so images can be swapped in and out based on current conditions.
  • Digest troubleshooting. Digests stopped going out for a client that had version 3.0.6 of my digests extension installed. It appears this was due to incorrectly programming a system cron. After testing I used my “shared hosting” approach for doing a system cron, which recognizes that on shared hosting crons with multiple commands don’t work. This involved changing the cron to call curl instead and turning off the system cron capability inside phpBB. I filed a bug report on phpbb.com about what I think is insufficient explanation text for the system cron control in the ACP.
  • A client upgraded his forum to phpBB 3.1 but there were dead modules in the ACP. Installed us_en language pack to fix certain issues. I deleted bad module links for digests mod and the advanced block mod. I installed Digests 3.0.6 but had to manually change the database to get it to install on 3.1.10. I installed Cleantalk but waiting on activation key. I manually tested digests and it worked. Client chose to defer the cron installation until after rehosting. Days later I ended up redoing the work due to the client moving to a new host running Linux, not Windows. I upgraded forum from 3.0.12 to 3.1.10. I changed email settings to turn off SMTP since client is not on Windows anymore. To get the forum to come up I had to edit the config.php file and change the value of $dbms and $acm_type, which had namespace syntax in it that was triggering an error. I installed the American English language pack again. I installed the Cleantalk extension again. I installed and tested the digests extension. This took quite a bit of time because of known issues with the 3.1.10 migrator. I had to make a number of database changes manually. I then did a manual test of the mailer and it worked. I then created a cron job and verified that it sent digests. I found a peculiar quirk: clicking on the extensions tab generates a HTTP 500 error if debug is not turned on in the config.php file.
  • I programmed a scheduled cron for digests because users like to receive digests in the hour requested. As with the other client, I ended up with a scheduled phpBB cron due to shared hosting issues not allowing multiple statements in a cron.
  • I replaced an ad at top of the page with one provided that had slightly different dimensions.
  • I moved a forum from ixwebhosting.com to siteground.com shared hosting. I upgraded the forum from 3.0.14 to 3.1.10. I installed Cleantalk. Later I patched a bug in 3.1.10 that didn’t allow custom profile fields or search engine settings to be changed.
  • I fixed a malware issue for a client. Most directories had a new .php file in it, consisting of six random letters, with an eval statement likely injecting malware. A routing error occurred when accessing the forum. I eventually figured out a bad .htaccess file was the reason the forum did not come up, so I copied in a standard .htaccess file. I then compared his software with 3.1.5 and saw the malware problem by comparing client’s files with a reference. I carefully removed all software files, uploaded a referenced version of these files and manually deleted malware files in some directories that should not be deleted. It solved the problem. I then upgraded the forum to 3.1.10.
  • Client attempted upgrade from 3.1.7-PL1 and it failed with a HTTP 500 error. I puzzled through it but eventually deleted all files but the files, images, store directories and config.php and uploaded 3.1.10. I then ran install/database_update.php and upgrade completed. I re-uploaded the backup I had of his black style and the forum came up. However, I couldn’t login with his old credentials. So I created my own account and gave myself founder permissions in the database. Client could not login either. I provided instructions to use the lost password link.
  • Client with my digest extension said it was sending out duplicate digests. I upgraded digests from 3.0.5 to 3.0.6 but that did not solve the problem. After some debugging I determined this was due to digest exception being thrown if there are no bookmarked topics. This stops remaining digests from going out for the hour and the hour will not mark as completed. I fixed this bug in version 3.0.7 and didn’t charge the client for my work.
  • Client was concerned that the public saw a “no forums” message. His new forum was created without using the copy permissions function. I added these permissions so public could see forums.
  • Issue with using advanced BBCode extension and creating and editing BBCodes so that tables, table rows and table columns could appear in a post. I fixed client’s BBCodes to substitute the correct HTML when creating tables, table rows, table columns and to properly align text.
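The malware cleanup in the list above (new six-letter .php files containing an eval statement, found by comparing the client's files with a reference copy) can be scripted. The following is an added example, not code from the original post: it hashes a live board against a clean copy of the same release and labels the differences. The directories treated as upload areas, the finding labels and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

SIX_LETTER_PHP = re.compile(r"^[A-Za-z]{6}\.php$")
EVAL_CALL = re.compile(rb"\beval\s*\(")
CONTENT_DIRS = ("files/", "images/", "store/")  # assumed to hold uploads, not code

def index_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(site_root, reference_root):
    """Compare a live board with a clean copy of the same release."""
    reference = index_tree(reference_root)
    findings = []
    for rel, digest in sorted(index_tree(site_root).items()):
        if rel == "config.php" or rel.startswith("cache/"):
            continue  # site settings and the rebuilt cache are reviewed by hand
        # Stock names such as common.php also have six letters, so diff release files first.
        if rel in reference:
            if digest != reference[rel]:
                findings.append((rel, "modified"))
            continue
        name = rel.rsplit("/", 1)[-1]
        with open(os.path.join(site_root, rel), "rb") as fh:
            has_eval = bool(EVAL_CALL.search(fh.read()))
        if SIX_LETTER_PHP.match(name) and has_eval:
            findings.append((rel, "suspect-php"))
        elif rel.startswith(CONTENT_DIRS):
            if name.endswith(".php"):
                findings.append((rel, "php-in-content-dir"))
        else:
            findings.append((rel, "not-in-release"))
    return findings

def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Audit a constructed, tampered tree against a constructed reference tree."""
    clean = {"index.php": b"<?php // index\n", ".htaccess": b"# stock rules\n",
             "common.php": b"<?php // bootstrap\n"}
    live = {**clean, ".htaccess": b"# altered rules\n",
            "config.php": b"<?php // settings\n", "images/avatars/upload/a1.png": b"constructed",
            "files/notes.php": b"<?php // stray script\n",
            "includes/qwxzvb.php": b"<?php eval(CONSTRUCTED_SAMPLE);\n"}
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = os.path.join(tmp, "reference"), os.path.join(tmp, "site")
        write_tree(ref, clean)
        write_tree(site, live)
        return audit(site, ref)
```

Run `audit()` with the board's directory and an unpacked copy of the exact release it is running; a "modified" .htaccess is the kind of change that kept the forum from loading in the case above.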

WordPress and phpBB?

Update 19 February 2017 – FYI, bbPress is a WordPress plugin that can add a forum to your WordPress site. It’s not nearly as sophisticated and functional as phpBB but it may be good enough for your needs.


It’s not too surprising that people will want to integrate WordPress and phpBB. WordPress after all is an extremely popular blogging program, but really it’s a lightweight content management system. I use it for this site. Why? Because it’s much easier than doing everything by hand with HTML or even a fancy web page program like Dreamweaver. There are thousands of themes and tens of thousands of plugins that let you extend the functionality of WordPress in lots of ways. The quality of some of these plugins is amazing. The design of some WordPress themes is as well. All this plus it is free, except possibly for some plugins where you get nagged to buy a “professional” version.

In my mind, WordPress is the best-of-breed lightweight content management system out there and a phenomenal blogging tool. But WordPress has limits. Like any content management system, at some point it becomes not quite enough. Try managing a hundred pages with WordPress, for example. WordPress also has some drawbacks. Unlike phpBB, where a modification and extension review is rigorous and must be approved by a peer-reviewed team of developers to get listed, in WordPress it’s pretty straightforward to get a plugin listed if you follow their coding standards. The quality of plugins is thus suspect.

There are forum plugins for WordPress that are generally decent. None come close to having the quality and breadth of phpBB. This is not surprising. phpBB is a best-of-breed forum solution. It is continuously updated, quality reviewed and has a passionate set of developers who strive to write very good code. Unsurprisingly, I get regular requests to integrate phpBB into WordPress.

WordPress and phpBB can coexist, as long as you keep each in their own spaces. For example you could put the forum in a /forum folder and have the rest of the site in WordPress. However, phpBB can’t use WordPress’s authentication system, and vice versa. phpBB styles don’t match WordPress themes. A number of clever WordPress developers have tried to bridge the two platforms. The solutions are inelegant. For example, WP-United tries to create a common authentication system, so that if you are a forum user you will also be a user in WordPress. Unfortunately, as of this writing, WP-United supports phpBB 3.0, not 3.1. It’s really just one developer and he seems to not be actively supporting it. Worse, when I have installed it I found it flaky so I didn’t warrant the work. BridgeDD is another effort, but it too only supports phpBB 3.0.

The bigger problem is that clients naturally want phpBB to work inside their WordPress theme, but it won’t. That’s not to say I haven’t done this for a number of clients. I can usually make it work but it takes considerable trial and error. Sometimes there are conflicts between WordPress and phpBB styles, such as using similar names for classes. The result is often a solution that looks nice but may run slowly. The larger problem is that if the WordPress theme changes, phpBB won’t automatically pick up the new style changes. Someone has to retrofit it, and that requires someone with expertise in HTML, CSS, phpBB and WordPress.

So phpBB and WordPress don’t dance together and probably never will. One approach I sometimes recommend is to put the forum into a subdomain, like forum.mysite.com so the user sort of expects it won’t look the same. You can also create a domain just for the forum, like mysiteforum.com and link the two. This allows both phpBB and WordPress to inhabit separate areas and do their things elegantly while also setting the user expectation that both have separate purposes.

If you do want to integrate them expect a non-optimal experience at best.

Feel free to contact me if you want me to try but do expect the work to be costly, generally in the hundreds of dollars range, if it can be done at all.