Vanilla Forum Security Tips. [Also share your own]
iChocolate
I think you could have a look at the Comprehensive guide to .htaccess; it contains some general practices that can apply to (almost) any website.
Best security tip - Stop Spam Plugin
Also don't forget to disallow low-quality pages like activity/profile pages/inner pages from appearing in Google via robots.txt.
@businessdad @aery Oh! That's awesome! Thanks.
True. Not a strict security tip per se, but very good advice indeed, especially for old people like me, who tend to forget about all the SEO stuff.
This is something that shouldn't be enabled on any server, ever. It isn't part of Vanilla's purview to secure your server for you. I will go so far as to say I think that should be handled in your httpd.conf, not down in the htaccess file.
I agree with this. Unfortunately, that cannot always be done. For example, shared hosting doesn't give access to httpd.conf and the only solution is a copy/paste of rules after rules in the .htaccess for every site. After all, for a few bucks a month, one can't expect much...
So far my best contribution would be adding Cloudflare to your forums. There's a lot of stuff in it: blacklisting IPs, anti-DDoS, cache, minify, IP cloaking, and other optional upgrades and add-ons. It's basically a total package for me.
I hate cheapo shared hosting.
There is no reason why they couldn't implement cheap hosting where you can do this properly, like proper permissions with correct ownership. Agreed, it should be limited to a small selection of users, but not assigning ownership correctly has led people to believe that setting file permissions high is somehow normal.
As these solutions are mostly clones, it is not as if they can't implement it and replicate it millions of times over.
"Limited but done properly" should be the motto of cheap hosts.
A decent host will prevent directory browsing, by default.
grep is your friend.
I agree, 100%. In my experience, the following Providers allow browsing by default:
It may be that settings vary from server to server, but I would recommend anyone on shared hosting to check directory browsing before going live with any site (even better, before putting up any site at all).
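A pre-launch check of the kind recommended above, written as an added example (not code from the thread or from Vanilla): it fetches a few Vanilla directories and flags any that answer with an Apache-style "Index of /" listing. The host name and the directory list are assumptions.

```python
"""Flag site paths that return an auto-generated directory listing.
Added example; the host and the candidate directories are constructed."""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Markers that Apache mod_autoindex (and nginx autoindex) put into listings;
# the last one matches IIS-style listings.
_LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)


def looks_like_listing(body: str) -> bool:
    """True when an HTML body looks like a server-generated directory index."""
    return any(m.search(body) for m in _LISTING_MARKERS)


def fetch(url: str, timeout: float = 10.0):
    """GET a URL and return (status, first 4 KiB of body); errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as e:          # 403/404 etc. mean no listing was served
        return e.code, ""
    except URLError:                # DNS failure, refused connection, ...
        return None, ""


def check_paths(base_url: str, paths):
    """Return the subset of paths whose response is a directory listing."""
    exposed = []
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.strip("/") + "/"
        status, body = fetch(url)
        if status == 200 and looks_like_listing(body):
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    # Directories of a typical Vanilla install that should never list their
    # contents (assumed list; adjust to your tree).
    CANDIDATES = ["uploads", "cache", "conf", "plugins", "themes", "js", "library"]
    for p in check_paths("http://www.mysitexample.com", CANDIDATES):  # placeholder host
        print("directory listing exposed:", p)
```

Run it against a staging copy before going live; an empty result means every candidate directory either redirected, errored, or served a real page instead of a listing.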
This one is very crucial:
Options All -Indexes
is the best solution and will still be, but sometimes it causes errors, especially for Vanilla, which has no trailing .php, .html or .htm. I'm speaking from my experience, because after I enabled the Options All -Indexes option I got directory errors on http://www.mysitexample.com/discussions in my error logs. My workaround would be to go directly to each folder which has a high risk of downloadable files and add an empty file with the filename
index.html
to every folder.

Yes, that's true. Actually, I thought Vanilla could write rules to .htaccess during the one-click installation.
But .htaccess is related to the hosting category, and I added some rules with the help of @businessdad. Maybe my host is not that good; I'm planning to move my forum to vanilla.com once I reach my goal (more members). Thanks for all the suggestions.