Protecting phpBB

07.09.2021

So, dear friend, for some reason you have put phpBB on your site. Maybe because you don't read ][ (the Hacker magazine), or maybe because you simply like this engine. Either way, the chance of never being hacked is slim: armies of script kiddies scour the internet looking for their next victim. How do you protect yourself from a primitive attack on the forum? I'll try to give you a few ideas, and most of them apply to other scripts as well.

Update

This goes without saying: the forum must be kept up to date, and having 5/10/15 (underline as appropriate) mods installed is no excuse. In that case use the "code changes" that the forum's developers carefully publish in the same mod format, and apply them by hand. I also recommend subscribing to the new-version announcements. Still, you can't keep track of everything, and laziness happens, right? So here are several passive ways of protecting the forum.

Hiding the version

The version string appeared in phpBB fairly recently, and hiding it helps a lot against Google hackers who search for vulnerable forums by footer text. If you still don't update the forum, it shouldn't be hard to edit simple_footer.tpl and overall_footer.tpl. You can go further and emit the tell-tale phrase "Powered by phpBB" from JavaScript, so that it is absent from the raw HTML that scanners fetch.

Little is lost if the visitor has JavaScript disabled, though for purely moral reasons you shouldn't remove the phrase altogether. You can also have some fun and claim "phpBB 2.0.6"; when a hacker nevertheless gets in and discovers the real version, he'll drop the whole database out of sheer frustration ;) Writing "Php BB" also works. It's not entirely fair, but it works! Bear in mind that this only defeats footer-based searches: the version still leaks through other files shipped with the forum (the docs/ directory, if you left it in place) and through the behaviour of the scripts themselves, so it buys obscurity, not protection.

Custom style

It not only decorates your forum but also slightly raises the bar for exploits that scrape information out of the HTML page, since they expect the markup of the standard template. Besides, the stock style gives the impression that the admin has either abandoned the forum or is a lamer.

Table prefix

Why not use something of your own there, such as "ExBB"? The installer lets you set the prefix up front, and it can also be done after installation by editing $table_prefix in config.php and renaming the tables to match. Keep in mind that any mod that hard-codes phpbb_ table names will need the same treatment.

Database modification

A reasonably reliable way to blunt UNION-based SQL injection is to modify the database schema. Add extra empty fields to the tables, adjust the code, and primitive (!) exploits will go astray because the number of columns no longer matches. Another option: rename the user_password field to something like blahblahblah and fix the sources (this is easy to automate with search-and-replace). Now an exploit trying to fetch the admin's password hash will hang in surprise :) And not only the exploit. Note that both tricks are obscurity: an attacker with a working blind or error-based injection can count the columns with ORDER BY and read the real column names from the database catalogue, so treat them as a speed bump, not a fix.

Hiding config.php

This will make your life easier if the haxor gains the ability to read files on the server through an include bug. Move config.php outside the web root and include it by absolute path. Of course, even then its contents are of little use to him unless you use the same password for everything, so give the forum's database user its own password and only the privileges it needs.

Normal password

It may sound trite, but the password should look like Sdh66rH904hG; only then can you stop worrying about the hash being cracked. Keep it in Password Commander or another password manager. Tell me, how often do you actually have to type it? Now, if the hash is stolen anyway, it will be of much less use.

Cut off search

And this wouldn't hurt either. The search works terribly, eats an incredible amount of space in the database and degrades performance badly. It is also a source of bugs, including the notorious highlight one. Unfortunately this can't be done by standard means, but you don't read ][ for nothing, do you? Remove the files related to it, drop its tables and clean up the sources and templates. The result is better performance and better security. If you're too lazy to work it out, here is the hint: eliminate the calls to the functions in functions_search.php (except the last one, of course). Which tables to drop you can work out yourself ... I had no problems.

Fake admin panel

Hide the real admin panel somewhere else, and in the fake one remove every query that writes to the database (INSERT, UPDATE and so on). Better still, instead of executing them, log them to a file together with the client's IP and other useful data. Can you imagine how a hacker slows down when the changes he makes are never applied? It's a honeypot, not a forum!
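An added sketch of the logging half of that honeypot, written for this edit and not taken from phpBB: phpBB 2.x funnels every statement through a sql_query() method in its db/ layer, and the wrapper below models that method in Python on SQLite, letting reads through so the fake panel looks alive while write statements are logged with the client's IP instead of being executed. The table, rows, IP address and log format are all constructed for the demo.

```python
import json
import os
import re
import sqlite3
import tempfile
import time

# Statements the fake panel must never execute. Anything else is passed through
# so that the panel still renders real data and looks convincing.
WRITE_RE = re.compile(
    r"^\s*(INSERT|UPDATE|DELETE|REPLACE|ALTER|DROP|TRUNCATE)\b", re.IGNORECASE
)


class HoneypotDB:
    """Stand-in for phpBB's database layer inside the fake admin panel.

    Reads go to the real database; writes are swallowed, logged as JSON lines
    with a timestamp and the client's IP, and reported as 'successful'.
    """

    def __init__(self, con, log_path):
        self.con = con
        self.log_path = log_path

    def sql_query(self, sql, client_ip, params=()):
        if WRITE_RE.match(sql):
            entry = {"ts": time.time(), "ip": client_ip, "sql": sql, "params": list(params)}
            with open(self.log_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(entry) + "\n")
            return True  # the calling page sees 'ok', the intruder sees nothing change
        return self.con.execute(sql, params).fetchall()


def demo():
    """Drive the wrapper with constructed requests.

    Returns (logged entries, user rows afterwards) so the effect can be checked:
    the log has the attempted writes, the table is untouched.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_level INTEGER)")
    con.execute("INSERT INTO phpbb_users VALUES (2, 'admin', 1), (3, 'haxor', 0)")
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    db = HoneypotDB(con, path)
    intruder = "203.0.113.7"  # constructed address from the documentation range
    # The intruder 'promotes' himself and 'deletes' the admin, or thinks he does.
    db.sql_query("UPDATE phpbb_users SET user_level = 1 WHERE user_id = ?", intruder, (3,))
    db.sql_query("DELETE FROM phpbb_users WHERE user_id = 2", intruder)
    rows = db.sql_query("SELECT user_id, user_level FROM phpbb_users ORDER BY user_id", intruder)
    with open(path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh]
    os.unlink(path)
    return entries, rows


if __name__ == "__main__":
    logged, after = demo()
    for e in logged:
        print(e["ip"], e["sql"], e["params"])
    print("table after the 'attack':", after)
```

The point of returning True for writes is that the surrounding panel code, which expects a truthy result from sql_query(), keeps rendering normally, so the intruder gets no error and no change, which is exactly the confusion the article is after.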

Changing the hashing algorithm

A generally useful trick. Replace all hash-related function calls with your own, which call the standard ones and then slightly alter the result, for example ac45e53bc8dc478e -> ac45e53bc8da478e. A hacker will hardly suspect a trick, and looking at these two hashes he won't even notice the difference at first. The effect is that a stolen hash no longer matches what a stock cracker or rainbow table expects. Remember, though, that anyone who reads your sources learns the tweak, and a one-digit change is trivial to brute-force once suspected; keying the alteration with a secret kept outside the web root is far stronger.
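An added illustration of the hash tweak, written for this edit rather than taken from phpBB: standard_hash() stands in for the plain md5() that phpBB 2.x stored, tweak() applies the one-digit alteration shown above to a hash, and peppered_hash() shows the stronger keyed variant from the caveat. PEPPER is a made-up placeholder secret, and the position and step of the tweak are chosen so that the article's own sample hash comes out as in the text.

```python
import hashlib
import hmac

# Placeholder secret for the keyed variant. In production this is a long random value
# read from a file outside the web root, never stored next to the hashes.
PEPPER = b"example-pepper-replace-me"

HEX = "0123456789abcdef"


def standard_hash(password):
    """What stock phpBB 2.x stored: plain, unsalted md5(password)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def tweak(h, position=11, step=2):
    """The article's trick applied to a hex digest: move one digit back `step`
    places (c -> a, 1 -> f). With the defaults ac45e53bc8dc478e becomes
    ac45e53bc8da478e, the example from the text."""
    altered = HEX[(HEX.index(h[position]) - step) % 16]
    return h[:position] + altered + h[position + 1:]


def tweaked_hash(password):
    """Call the stock function, then quietly alter the result before storing it."""
    return tweak(standard_hash(password))


def peppered_hash(password):
    """Stronger form of the same idea: key the post-processing with a secret, so the
    stored value is useless to someone who has the hash and the source but not PEPPER."""
    return hmac.new(PEPPER, standard_hash(password).encode("ascii"), hashlib.sha256).hexdigest()


def verify(stored, password, scheme):
    """Login check for any of the schemes; the constant-time compare avoids timing leaks."""
    return hmac.compare_digest(stored, scheme(password))


def digits_changed(password):
    """Distance between the stock and tweaked digests: exactly one hex digit."""
    a, b = standard_hash(password), tweaked_hash(password)
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    print(tweak("ac45e53bc8dc478e"))
    print(standard_hash("password"), tweaked_hash("password"), sep="\n")
    print(peppered_hash("password"))
```

A stolen tweaked hash fed to a plain-MD5 cracker will simply never match, which is the whole benefit; the peppered form keeps that benefit even after the sources leak, as long as the pepper file does not.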

Well, UNION was a lovely invention; it has brought so many holes ... So open the include that talks to the database and add filtering of queries containing UNION! Just don't mistake that for a fix: a keyword blacklist stops only the payloads that use the keyword, and boolean-based injections sail straight past it. The real cure is to validate every parameter (intval() for numeric IDs) and escape or bind every string.

Conclusion

The more files, tables and fields you rename, the more

  • difficult it gets for the haxor
  • difficult it gets for you to update the forum
  • mistakes you make

So know when to stop and don't get sick with paranoia. Pulling all these tricks will scare off or stop both the kiddies and the haxor, unless the latter has the specific goal of hacking you. Renaming the table fields in particular makes canned SQL injection exploits useless, because the attacker is working without sources that match your database, though a determined one can rediscover the names.

Now let's move on to some small tips on optimising and promoting sites (forums) running phpBB. This time we'll do a little hack that gets rid of the external link of the form "Powered by phpBB ©...". This article covers two ways of doing it, for phpBB 3.x.x.

Removing the external links "Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group" and "Russian phpBB support"

The first way to remove the link labelled "Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group". The easiest way is through the admin panel. Open the Administration Control Panel, go to the "Styles" tab, and in the menu on the left find the "Style components" block and, inside it, "Templates". By default you'll see prosilver and subsilver2, plus any others you have installed; it doesn't matter, pick the one set as default. Click "Edit" next to that template. A window appears asking you to "Select a template file"; choose "overall_footer.html". An HTML editor opens below it. Find the line containing "Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group" and simply delete it, or replace it with your own link and caption. The {TRANSLATION_INFO} placeholder just below it can also be deleted; it is responsible for the localisation credit, for example the external link labelled "Russian phpBB support".

The second way to remove the link labelled "Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group" is similar, but you connect to the site over FTP. Go to styles/template_name/template/overall_footer.html (substitute the name of your style) and edit the same code as above. If you change the code, don't forget to save the file as UTF-8, otherwise "krakozyably" (squares and other unreadable characters) may appear in place of the link text. phpBB 3 caches compiled templates, so if the footer doesn't change after the edit, purge the cache from the Administration Control Panel.

In one of the comments to my article I was asked to explain how to remove the copyright line of the phpBB engine's creators, "Created on the basis of phpBB". Since this information may be useful to other visitors, I decided to write this article about it.

Why remove this line at all? Many of you may object that removing it counts as a copyright violation. That is not quite right: phpBB is free, open-source software released under the GNU GPL, which permits you to modify the engine, templates and footer included. It does not, however, make the engine your intellectual property; the phpBB authors keep the copyright on the code they wrote, which is a tool for building forums rather than a finished product. In other words, removing the notice from the footer is allowed, but if you leave it in place it is a sign of gratitude and support for the developers, which is definitely a good thing!

So, if you still decide to get rid of this line, the first step is to find out which element displays the copyright information. Open any page of the forum where the line is visible in a browser with a built-in page inspector (Opera, Google Chrome, Firefox and so on), right-click the line itself and choose "Inspect element" from the context menu.

In the inspector we can see that the block we are interested in has the class "copyright". That is where we need to make changes in order to edit, hide or delete the information.

The second step is to find the file that contains the "copyright" block. Since we don't know the file name, a manual search would take a very long time, so we'll use the search-by-content feature of my favourite file manager, Total Commander (TC for short; there are other ways to search by content, but they are not covered in this article). In the file manager, open the folder where the forum is installed, on the local server or on your hoster's FTP server. To narrow the search, go straight into the folder holding the files of the default style. Then choose "Find files" from the "Commands" menu, or just press Alt+F7. In the search window, ignore the "Search for" field, since we don't know the file name. The "Search in" field must contain the path to the folder with the installed forum; TC fills it in automatically if the search window was opened from the active pane where you were browsing. Next, tick "Find text", enter "copyright" in the box, boldly press "Start search" and wait for the results.


The search gives us several files (in theory there should be five) that mention the name of the copyright block. Among them we are clearly interested in "overall_footer.html", because the block sits in the page footer and the word "overall" suggests the file holds settings that apply to the whole forum. Now there are two options for editing this file: the built-in phpBB template editor or a third-party editor. First let's look at editing through the native phpBB interface.
Go to the "Administration Control Panel" and open the "Styles" tab. In the style management section, look at which style is set as default; it is marked with an asterisk after its name. In the example only one is installed, the default prosilver style, but you may have several.

Then, in the style components section, go to the "Templates" subsection and click "Edit" next to our active style.


Now select the file we need, "overall_footer.html", from the drop-down list.


In the editing area that appears, scroll to the very bottom of the page and find the line:

© 2021 hecc.ru - Computer technology news