
Vanilla Forum Security Tips. [Also share your own]

edited February 2013 in Feedback

By default, the Vanilla forum directory browsing is allowed in the .htaccess file. For example: domain/plugins/ or domain/themes, etc.
I added this code to the .htaccess file to fix this:

# disable directory browsing
# -Indexes on its own: Apache 2.4 rejects mixing unsigned (All) and signed (-Indexes) options
Options -Indexes

Do you have any more tips? Please share :)


Comments

  • businessdad Stealth contributor MVP

    I think you could have a look at the Comprehensive guide to .htaccess, it contains some general practices that can apply to (almost) any website.

  • aery Gtricks Forum in 2.2 :) ✭✭✭

    Best security tip - Stop Spam Plugin

    Also don't forget to disallow low quality pages like activity/profile pages/inner pages to appear to Google from robots.txt

  • @businessdad @aery
    Oh! That's awesome! Thanks :)

  • businessdad Stealth contributor MVP

    @aery said:
    Also don't forget to disallow low quality pages like activity/profile pages/inner pages to appear to Google from robots.txt

    True. Not a strict security tip per se, but very good advice indeed, especially for old people like me, who tend to forget about all the SEO stuff.

  • Linc Detroit Admin

    @iChocolate said:
    By default, the Vanilla forum directory browsing is allowed in the .htaccess file. For example: domain/plugins/ or domain/themes, etc.

    This is something that shouldn't be enabled on any server, ever. It isn't part of Vanilla's purview to secure your server for you. I will go so far as to say I think that should be handled in your httpd.conf, not down in the htaccess file.

  • businessdad Stealth contributor MVP

    @Lincoln said:
    I will go so far as to say I think that should be handled in your httpd.conf, not down in the htaccess file.

    I agree with this. Unfortunately, that cannot always be done. For example, shared hosting doesn't give access to httpd.conf and the only solution is a copy/paste of rules after rules in the .htaccess for every site. After all, for a few bucks a month, one can't expect much...

  • fr3em1nd ✭✭
    edited February 2013

    So far my best contribution would be adding Cloudflare to your forums :)
    There's a lot of stuff in it:

    blacklisting IP, anti-DDoS attacks, cache, minify, IP cloaking, and other optional upgrades and addons :)

    it's basically a total package for me :)

  • I hate cheapo shared hosting.

    There is no reason why they couldn't implement cheap hosting where you can do this properly, like proper permissions with correct ownership. Agreed it should be limited to a small selection of users, but not assigning ownership correctly has led people to believe that setting file permissions high is somehow normal.

    As these solutions are mostly clones it is not as if they can't implement it and replicate it millions of times over.

    Limited but done properly, should be the motto of cheap hosts.

    A decent host will prevent directory browsing, by default.

    grep is your friend.

  • businessdad Stealth contributor MVP

    @x00 said:
    I hate cheapo shared hosting.
    Limited but done properly, should be the motto of cheap hosts.
    A decent host will prevent directory browsing, by default.

    I agree, 100%. In my experience, the following providers allow browsing by default:

    • Bluehost
    • HostGator
    • 1&1

    It may be that settings vary from server to server, but I would recommend anyone on shared hosting to check directory browsing before going live with any site (even better, before putting up any site at all).
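
One way to run the pre-launch check recommended above, as an added example that is not code from the thread or from Vanilla: it requests each directory URL and flags responses that carry the "Index of /" page produced by Apache's mod_autoindex. The host `forum.example`, the `uploads` path and the sample responses are constructed assumptions.

```python
"""Check whether a web server returns auto-generated directory listings."""
import re
import urllib.error
import urllib.request

# Title/heading that Apache mod_autoindex puts on a generated listing page.
LISTING_RE = re.compile(r"<(title|h1)>\s*Index of /", re.IGNORECASE)


def classify(status, body):
    """Classify one response received for a directory URL."""
    if status == 200 and LISTING_RE.search(body):
        return "LISTING"      # directory browsing is on for this path
    if status in (401, 403):
        return "DENIED"       # typical result once Indexes is off
    if status == 404:
        return "NOT_FOUND"
    if status == 200:
        return "PAGE"         # an index file or the application answered
    return "OTHER"


def fetch(url, timeout=10):
    """Return (status, first 64 KiB of body) for url, error statuses included."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def audit(base_url, paths, fetcher=fetch):
    """Map each directory path to its classification."""
    base = base_url.rstrip("/")
    return {p: classify(*fetcher(f"{base}/{p.strip('/')}/")) for p in paths}


# Constructed sample responses so the block runs offline.
SAMPLE = {
    "https://forum.example/plugins/": (200, "<html><head><title>Index of /plugins</title></head>"),
    "https://forum.example/themes/": (403, "<h1>Forbidden</h1>"),
    "https://forum.example/uploads/": (200, ""),
}

if __name__ == "__main__":
    result = audit("https://forum.example", ["plugins", "themes", "uploads"],
                   fetcher=SAMPLE.__getitem__)
    for path, verdict in result.items():
        print(f"{path:10} {verdict}")
```

To check a live site you administer, call `audit()` with your own base URL and leave `fetcher` at its default.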

  • It may be that settings vary from server to server, but I would recommend anyone on shared hosting to check directory browsing before going live with any site (even better, before putting up any site at all).

    This one is very crucial. Options All -Indexes is the best solution and will still be, but sometimes it causes errors, especially for Vanilla, which has no trailing .php, .html or .htm. I'm speaking from my experience, because after I enabled this Options All -Indexes option I got directory errors on http://www.mysitexample.com/discussions in my error logs.

    My workaround would be to just go directly to each folder that has a high risk of downloadable files and add an empty file named index.html to every folder :D
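
The empty index.html workaround described above, automated as an added example (not code from the thread): it walks a document root, reports every directory that has no index file, and creates the placeholder only when asked to. The list of index file names and the sample tree are assumptions.

```python
"""Report directories with no index file and optionally add an empty index.html."""
import os
import tempfile

# Assumed DirectoryIndex names; adjust to match the server's DirectoryIndex setting.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def unindexed_dirs(root):
    """Yield each directory under root (root included) that holds no index file."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Hidden directories such as .git are skipped.
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        if INDEX_NAMES.isdisjoint(filenames):
            yield dirpath


def add_placeholders(root, dry_run=True):
    """Return the unindexed directories; create the placeholder unless dry_run."""
    touched = []
    for dirpath in unindexed_dirs(root):
        touched.append(os.path.relpath(dirpath, root))
        if not dry_run:
            # Mode "x" fails rather than overwrite a file that appeared meanwhile.
            with open(os.path.join(dirpath, "index.html"), "x"):
                pass
    return sorted(touched)


if __name__ == "__main__":
    # Constructed sample tree standing in for a forum's document root.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "plugins", "Example"))
        os.makedirs(os.path.join(root, "themes"))
        open(os.path.join(root, "index.php"), "w").close()
        print("would add:", add_placeholders(root))
        print("added:    ", add_placeholders(root, dry_run=False))
        print("remaining:", add_placeholders(root))
```

An empty index.html only suppresses the listing; files in the folder are still served to anyone who requests them by name.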

  • @Lincoln said:
    This is something that shouldn't be enabled on any server, ever. It isn't part of Vanilla's purview to secure your server for you. I will go so far as to say I think that should be handled in your httpd.conf, not down in the htaccess file.

    Yes, that's true :) Actually, I thought Vanilla could write rules to .htaccess during the one-click installation :)
    But .htaccess is related to the hosting category, and I added some rules with the help of @businessdad. Maybe my host is not that good. I'm planning to move my forum to vanilla.com once I reach my goal (more members). Thanks for all the suggestions :)
