HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla Security

Hi my name's Doug and I'm happy to find this forum.

My big question now is; What are people doing about securing Vanilla sites from hackers? I have run many WP Blogs and (as you probably know), precautions have to be taken with WordPress to thwart would-be hackers.

So what is the protocol for securing a Vanilla Forum???

Thanks In Advance
Doug (aka DiamondDug


  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    What are people doing about securing Vanilla sites from hackers?

    Build a Wall….they might be mexicans... >:)

    what is the protocol for securing a Vanilla Forum???

    Don't give the wrong permissions to users, use plugins that help you avert forced attacks by bots.

    It is the same advice anyone can give without knowing the threat.

    WP has many plugins that have demonstrated to be the source of hacker doors. Where they inject script and render your site useless.

    You can be vigilant by scanning your site on a regular basis and if you have rogue files delete them.

    Vanilla stays up to date with credible threats that are reported in a professional way by people who know the code well. And then they update the code to fix the potential flaw.

  • Options
    LincLinc Detroit Admin

    Web security is an entire profession / trade skill. There is no "special list" for Vanilla per se, and I chafe at the notion that there is one for any well-developed application (such as WordPress) or that you can simply follow some 5-point list and never get compromised.

    You need, in part:

    • Strong password policies & individual communication.
    • Conservative access and permission rules.
    • Carefully considered server configuration by knowledgeable people.
    • SSL enabled, non-secure FTP disabled.
    • Good upgrade and maintenance policies.
    • Isolation from unrelated services / servers.
    • Redundant backups on isolated devices with their own security policies.
    • Code auditing.
  • Options
    R_JR_J Ex-Fanboy Munich Admin

    I think it is unfortunate that the dashboard (i.e. admin) functionalities are not "behind one slug" so that you would be able to additionally use .htpasswd easily. It would be very easy that way to add a security layer that would persist even if the admins credentials are compromised.

Sign In or Register to comment.