Post by Enchant on Jun 13, 2006 13:18:29 GMT -8
Security on forums seems to be an issue for a lot of members. I often get PMs from members who are concerned that their forum keeps getting cracked, asking how they can prevent spammers from violating their forum, or about a number of other issues that seem to evolve when maintaining a community. So, hopefully this thread will be able to give you some insight into other members' experiences and their solutions. It is my hope that you will receive the guidance needed in maintaining a more secure and happy forum.
First off, let me say, if you receive a PM, email, IM, or any other means of communication requesting your password, and the person is claiming to be a member of ProBoards Staff, DO NOT give it to them. No member of staff will ever ask you for your password, EVER! Should this happen to you, do not give it to them and report them, so that we may warn others. Unfortunately, this happens quite a bit and then forums get cracked. So the short of this... Never give anyone your password.
Next, make your password long, unpredictable and try using both numbers and letters in an erratic pattern. If someone is the owner of a Harry Potter Board, don't go and make your password 'Hogwarts' or 'Harry' or anything like that. It is just too simple, predictable and your forum will surely be cracked. It sounds like common sense, or to some highly unlikely, but the point of the matter is, it actually happens more than you would think.
When giving your staff access to the more sensitive areas of your forum, such as the admin area, I would suggest limiting their access to the more common aspects such as board arranging, IP banning, etc., and leaving the headers and footers and customizing skins to the admins. This will prevent many unwanted mistakes and confusions. Also, should a dispute get nasty, then there is no irreparable loss due to spite.
Mentioning disputes, this is a big issue for some. This is one of the top complaints I receive. If one of your staff, or even a member, threatens you, your forum or its members, remove their rank immediately and ban the IP, at least till the situation can be resolved by other means of communication. This will prevent the feud from spilling onto the boards and secure against and deter any immediate threats or damages.
As for spammers. We all seem to have this problem. If you have any boards that are open to guest posting, then most likely, you will get spammers. The best you can do is limit your open boards where guests can post and mod them well. Should you have a repetitive spammer, then I would suggest banning their IP.
Something I found out recently, because I never thought about it: just because your main board is closed to guest posting, doesn't mean your sub boards are. So, when making your boards, make sure you are checking each board to include your sub boards. Spammers will try and come in and gain access to the sub boards through your Most Recent Post. So, as a security precaution... double check them.
Please realize that the tips in this thread are not a guarantee that your forum will be completely secure, but more as deterrents and preventions. I am sure there are more tips that can be told and experiences that can be shared, so please feel free to join this thread and help others feel a bit more safe in maintaining a secure forum.
Post by Raven on Jun 13, 2006 14:00:37 GMT -8
Great topic Enchant, I agree completely. As far as spammers, if you're worried about guest spamming, don't allow guests to post. I don't, but I allow them to view most boards. This eliminates that problem. If it's a spamming member, there's nothing like good ol' moderation throughout all of your boards. I rarely have problems with spammers and when I do, they get a warning and clean up their act. As far as securing your password, I've chosen something that I've never said before anywhere online. Making a long password (10-15 characters) is a good idea and randomizing it is an even better idea. At the very least, if you're going to make it simple, don't make it related to your forum. Let's say you have a fishing forum, don't have your password as bass, something even like fan would be more secure as it is irrelevant to your forum's subject and quite random imo. Adding numbers does a great job to secure passwords as well. Capitalizing some of your letters in your password should help also. Good luck on maintaining a secure ProBoard!
Post by ∞ ConqueringWolf ∞ on Jun 13, 2006 14:28:36 GMT -8
I would have to say I think the 2 biggest issues you touched on are the Password and the Powers of other Staff. People do not take their passwords seriously enough I think. I see too many times where people use simple words related to the topic of their forum. Passwords should be random and at least 10-15 characters long to help prevent someone from guessing it. Also do not reuse passwords between forums. If you are a member of a forum and use the password 'genius' then don't use that as your admin password at a forum you run, as the admin of the forum could find out your password and then go on to your site as you and ruin it if they wished.
Giving staff members powers they do not need is another mistake people make. I never give my mods more than the ability to modify posts in case of foul language or so on or the ability to move them to another board if needed. There really is no need for mods to be able to delete entire posts or so on and could cause fights if a mod deletes a post and a member complains and you don't really have any proof as to what the post could have contained before the mod deleted it. Also giving any staff member other than the admins the ability to delete members could also cause major problems. Mods simply need to monitor and police the forums, they don't need to control them.
Post by Shentino on Jun 13, 2006 15:13:45 GMT -8
Another thing that doesn't hurt is keeping a "log" in your staff board...if any.
It's essential for accountability purposes that you have a log of each and every ban.
Unless you just flat out don't give a rat's behind if one of your gmods or subadmins goes gung-ho and arbitrarily bans someone, fairly or not, then you need to make sure that you have notes of all reasons, and probably evidence, that supports a ban.
Actually being fair is covered under "staff etiquette", but a good log is essential if you want all bans and stuff like that to be official in the records.
And it goes without saying to periodically check your security log...
Post by Jackie on Jun 13, 2006 17:31:50 GMT -8
I know that I probably shouldn't, but I use the same password everywhere. All of the sites I go on I'm either the admin, or totally trust the admins. My password is the name of an animal, and I spelled it wrong and used some numbers instead of letters, so it would be pretty hard to guess if I didn't tell anyone it.
As for moderators on my site, I only have two people that I ever make staff, I've talked to them both for over a year. Sometimes when my best friend that I've known since JK joins my sites I make her an admin too though. I never give any of my admins access to the headers and footers or the ability to modify profiles. There are other things I don't let them have, but I can't think of them at the moment.
I have staff meetings bi-weekly so I know everything that's happening on the site, and my admins know that I want them to PM me or post in staff boards to tell me if they ban members, modify posts etc. and they have to tell me reasons for modifying posts or banning members.
And I quite frequently check the security log to see if there is anything being done that I haven't been told about. I have yet to find something that a staff member hasn't told me about, and if I do I will PM them right away and find out what happened there.
Post by Drewz on Jun 14, 2006 2:35:54 GMT -8
I've gotten a few threats about my forum, every time it's BS. It's usually banned members, one banned member seems to be able to come back and register to my forum whenever. I simply ban him and delete his account(s) every time.
I myself haven't had many problems with my forum's security.
Post by mrsyukisohma on Jun 14, 2006 9:51:19 GMT -8
I never thought about it before, but after reading this, I created an individual board in the Staff Only Board where all violated threads go, or where we can put the evidence for the violations.
I’ve seen some pretty terrible cases occur on forums regarding Internet security. Others failed to mention that if you have a password, and you really don’t want anyone else to find it out, you want to delete it from your e-mail. When you join a forum your e-mail, maybe age, and hobbies are either exposed or set to private. This can automatically be a very invasive thing. Hackers are smarter than those that don’t know how to hack into accounts, computers, etc. obviously because they’re the ones that know how. We don’t. When I talk to others about this issue, they laugh at me, but I’m not stupid. I’m not stupid; I’ve seen things happen.
There’s something else I’d like to mention about passwords. Don’t make it anything you’ve written on the forum, or talked about with someone over the Internet. It should be long, personal, and have numbers involved.
There are some codes that can help with some security issues. You can probably make requests too.
You might have spelled the animal wrong, but someone could be attempting to guess because you gave this hint away. I encourage you to change your password. =/
Post by webmaren on Jun 21, 2006 17:06:59 GMT -8
On the issue of passwords, just today one of my friends who doesn't clearly understand the whole profile thing typed in a guess for my password in the password and confirm password boxes on my profile page and hit accept. He then promptly turned to me and said, "Hah! I just guessed your password! It's so obvious, I got it on the first try," and then began laughing. Naturally, I was confused, because my password is random #'s and letters. He told me he had used my name.
That idiot changed my password from a semi-secure random number/letter code to my first name! It turns out that ever since he had started on ProBoards, something like 2 years ago, he had thought that you have to enter your password into the boxes when you want to edit your profile. I told him he was wrong, and had the password fixed in about 5 minutes.
And on the subject of codes to protect your forum, they aren't going to be effective because you can always use &noheaders or Greasemonkey them out of the headers.
Post by myke on Jun 22, 2006 12:10:04 GMT -8
> I don't know how it happened but I did witness a member somehow hacking into a staff only forum, but it was publicly seen for hackers to see it. Then they figure out how to break in.
They didn't hack into a staff only forum. It is more likely that while the board was hidden, you didn't have access restricted to staff only, and they guessed the board URL (i.e. board=staff). They would actually have had to hack into the ProBoards server, access the admin account, track down your forum, then enter the board, and all of that is not likely. A true hacker would not hack a server just to view a staff board. Besides, Patrick has offered money to anyone who can hack into a PB server, and it has yet to be done.
Post by papalia on Jun 28, 2006 13:24:10 GMT -8
First of all, my password consists of random characters that don't make any sense to anything, which makes it impossible for my password to be guessed (well maybe not impossible - but it's more likely you'd win the lottery twice or 3 times consec than guess my password).
As for spam, I have had the problem recently, but not on my website forum, but on a forum made for my school, in which I am Gmod. The spammer, on finding out the forum was set to allow public access (because we're setting up a website for the school), decided to post images that are resized to not only stretch the page, but actually crash people's computers (note for newbs: trying it on PBsupport will probably get you permanently banned so don't even try it, not even in the test board). Luckily the images didn't load on my home PC because my internet connection is a bit slow (although it's 1Mb broadband, but it's slow on the forum I am talking about).
Luckily since I have the headers/footers power, I was able to install a script to stop guests from posting images. Unfortunately, the guy used a program called IE DOM inspector to stop their computer from running the code, which meant I installed a script to make large images shrink to 800x600 (for genuine people who are accepting the codes), but this didn't work if the images don't load, so in the end, I stuck the opening IMG tag and the URL for the site the image is on into the censored words list, so that any images loaded from that site wouldn't work because the opening tag and site name would be replaced with a message like "image blocked". That worked and the spammer stopped.
Also with the staff abuse issue, I usually don't mind so much about posts being deleted, as long as I get a decent explanation afterwards. However, staff members on my forum are required to write a warning note for any warnings/bans imposed, and don't have the power to delete users. In fact, I don't give anyone else [1] delete users [2] mass email [3] modify headers/footers [4] modify ranks [5] skins/custom images [6] the bottom 3 on the list of powers [7] view hidden age. However, I think Gmods should have the Modify profiles power, that's an essential gmod tool. Also, if a staff member made an unnecessary ban/warning and it wasn't accounted for, I'd demod them immediately until I got a decent explanation and they agreed to comply with my rules in future, or if I was suspicious they were likely to cause trouble, they'd never get their rank back.
Another good security tip is to make good use of the warning system. I think it's best to allow members to see everyone's warning level, so members know how other members get on with the rules etc. It means suspicious members who try to trick other members and stuff will not be trusted.
Luckily I have never really had any problems with members or staff. Maybe it's because my forum doesn't have many members, and the members it does have, I know them quite well.
Post by UndeadDeadGuy on Jun 29, 2006 9:18:24 GMT -8
How to keep your forum safe - by a paranoid admin (aka undeaddeadguy)
Step one: Administration passwords are to be long and need to contain numbers or symbols.
- I recommend a password ~10 characters long. That's 4 more than the required 6 characters.
- Do not use the number '666' in your password. It's too predictable and does not make you a punk.
- Make sure you remember your password. Don't make it a bunch of random numbers and letters and do not write it anywhere on your computer. This helps if you ever get spyware. Speaking of spyware...
- If you ever get spyware, remove it. Then immediately change your passwords for both the admin account and your email.
Step two: Staff members
- Never assign an administration position to someone you do not know offline. Close friends should only be considered for these positions.
- Remember to set powers for GMods. There are default options which you do not want them to have, but then again this is a personal opinion matter.
- Never give a staff position to someone on another forum which is exactly like yours. They're the competition and will try to sabotage you.
Step three: Dealing with your forum
- You must check your forum at least twice a day.
- Make sure you know the ProBoards TOS.
- Be careful of flamers or arrogant members. They are the ones who will pull something crazy.
Post by hisroyaldudeness on Jun 29, 2006 20:50:26 GMT -8
I have had many problems with hackers (well, more like "evil" staff members.) Because our main admin, my best friend, does not know how to say no to people that want to be a staff member. I have since taken over the staff assignment job, and I am proud to say that no one has become a staff member unless they deserved and earned it.
Post by papalia on Jul 2, 2006 7:11:19 GMT -8
Yes, don't let inexperienced forum users be admins, especially if they are upgrading accounts unnecessarily. If a member violates the ProBoards TOS, you get 3 days to remove the content to keep your board. If a staff member breaks the TOS and you get reported, your board gets instantly deleted. I'd never give admin powers to anyone I didn't know personally, or anyone I didn't trust. That is a well known security fact.
Post by Former Member on Jul 2, 2006 15:24:17 GMT -8
I only have one thing to add... don't let anyone have access to your account... not even your best friend. If you share a computer, or use a public one, then log out every time you leave, and make sure your password isn't remembered by the computer. Remember, if someone logs into your account they have unlimited access to all admin functions... they could even delete your entire forum.
Post by Snakeair on Jul 3, 2006 17:03:34 GMT -8
> I only have one thing to add... don't let anyone have access to your account... not even your best friend. If you share a computer, or use a public one, then log out every time you leave, and make sure your password isn't remembered by the computer. Remember, if someone logs into your account they have unlimited access to all admin functions... they could even delete your entire forum.
This is very good advice. This has happened in the past. Some members create a thread in the support board and complain someone hacked their account. Turns out it was either a friend or a family member in the house that used the computer. Me, I log out every time I leave ProBoards or any other place I'm logged in on the INTERNET. My passwords are written down on paper and I keep them in my wallet since it never leaves my side. I use long passwords, with random numbers and letters. Hard to remember it. lol. If a friend or family member gets into your account, he or she could just delete all threads and boards, which cannot be restored. That would make anyone get upset. Having to explain to your members why the forum got messed up would not make you a good admin in your members' eyes. So please, take any measures to protect your account from getting hacked into and make sure all your staff members have hard passwords.