MyBB Documentation

MyBB Security Guide

Hardening & Best Practices for Securing Forums

General Advice

Forum users with elevated permissions should follow universal digital security recommendations, including the use of strong, unique passwords, password managers, and Two-Factor Authentication (2FA) for their forum accounts as well as any related personal accounts (e.g. those used for password recovery). Universal 2nd Factor (U2F) and on-device TOTP codes are preferred to SMS-based codes.

Scanning devices with antivirus tools and installing security software is also a good idea. Consult reputable publications and organizations for recommendations appropriate for the platforms in use (e.g. AV-Comparatives, AV-TEST, MRG Effitas, SE Labs).

Software & Updates

MyBB

MyBB, besides normal development, runs a Security Research program to prevent, and respond to, threats and vulnerabilities that may affect forums running MyBB. Solutions for discovered and reported issues are included in subsequent updates. Such security releases should be installed by board administrators as soon as possible to prevent exploitation.

We recommend subscribing to at least one of the several announcement channels to follow notifications of new MyBB version releases.

By default, MyBB installations contact mybb.com to check for updates daily and display a warning in the Admin CP when new versions are found. This happens as long as the Version Check task (Tools & Maintenance → Task Manager) is enabled. Administrators should confirm that no network problems occur by running Home → Check for Updates.

Extensions

Similarly, installed MyBB extensions should be kept up to date, especially if new releases address security issues — we recommend subscribing to plugins and themes in use on the Extend section (or other official sources) to get notified of extension updates.

It’s recommended to keep the number of extensions to a minimum and only install those that are really needed, since the more plugins (and, to a lesser extent, themes) are installed, the more code can potentially be exploited. Extensions should only be downloaded from trusted sources and authors. Having technical staff inspect the code (including updates) before installation may help prevent security issues and familiarize them with the new functionality.

Admin CP

Plugins and themes that affect the ACP should not use resources (like images, CSS, or JavaScript files) hosted on, or attempt to send or receive data from, external servers. Connections to third-party domains can be spotted using browsers’ Inspect feature by observing Network requests during page load.

Regular Backups

Making backups of all forum files and database is extremely important. The copies should be routinely verified to make sure the forum can be fully restored without any problems.

Forum administrators can enable and customize frequency of the included Weekly Backup task (Tools & Maintenance → Task Manager) to let MyBB create copies of the database ready for download.

MyBB Documentation › Backups →

MyBB — General Configuration

The forum should only be available over the https:// protocol with a valid certificate and safe configuration including secure redirects, no mixed content issues, suitable security headers and Secure cookies.

We recommend setting up basic HTTPS support before installing MyBB so that it is used during the installation; passwords, tokens, and other sensitive values entered on the forum without HTTPS should be changed.

MyBB Documentation › Setting up HTTPS →

Disable HTML Parsing

Parsing HTML in all user content (like posts and profile fields) is highly dangerous and should be kept disabled.

The following Settings should be set to No:

  • Posting » Allow HTML in Announcements (announcementshtml)
  • Private Messaging » Allow HTML (pmsallowhtml)
  • Profile Options » Allow HTML in Signatures (sightml)

To disable HTML in individual Calendars, Forums, and Profile Fields, you can execute the following SQL query:

UPDATE mybb_calendars SET allowhtml = 0;
UPDATE mybb_forums SET allowhtml = 0;
UPDATE mybb_profilefields SET allowhtml = 0;

Afterwards go to Tools & Maintenance → Cache Manager and Rebuild the forums and profilefields cache to make sure these changes are applied immediately.
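The settings and SQL updates above can be verified after the fact. The following audit script is an added example, not part of MyBB or this guide: it connects to the forum database and reports every global setting and every calendar, forum or profile field that still allows HTML. The connection details are placeholders to replace with your own, and the default mybb_ table prefix is assumed.

```php
<?php
// audit_html_parsing.php (added example; not part of MyBB).
// Reports every place where raw HTML parsing is still enabled, i.e. the
// settings that should be "No" and the rows that should have allowhtml = 0.
// Assumptions: MySQL/MariaDB, the default "mybb_" prefix, and the
// placeholder credentials below.

$dbHost = 'localhost';   // placeholder
$dbUser = 'mybb';        // placeholder
$dbPass = 'CHANGE-ME';   // placeholder
$dbName = 'mybb';        // placeholder
$prefix = 'mybb_';       // $config['database']['table_prefix'] plus underscore

$db = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
if ($db->connect_error) {
    fwrite(STDERR, "Connection failed: {$db->connect_error}\n");
    exit(1);
}

$findings = [];

// 1. Global yes/no settings; MyBB stores "No" as the string "0".
//    The setting names are constant, so no user input reaches the query.
$result = $db->query(
    "SELECT name, value FROM {$prefix}settings "
    . "WHERE name IN ('announcementshtml', 'pmsallowhtml', 'sightml')"
);
if ($result === false) {
    fwrite(STDERR, "Query failed: {$db->error}\n");
    exit(1);
}
while ($row = $result->fetch_assoc()) {
    if ($row['value'] !== '0') {
        $findings[] = "setting {$row['name']} = {$row['value']} (expected 0)";
    }
}

// 2. Per-item allowhtml flags in the three tables updated above.
$perItem = [
    'calendars'     => ['cid', 'name'],
    'forums'        => ['fid', 'name'],
    'profilefields' => ['fid', 'name'],
];
foreach ($perItem as $table => [$idColumn, $nameColumn]) {
    $result = $db->query(
        "SELECT {$idColumn} AS id, {$nameColumn} AS name "
        . "FROM {$prefix}{$table} WHERE allowhtml = 1"
    );
    if ($result === false) {
        fwrite(STDERR, "Query on {$table} failed: {$db->error}\n");
        exit(1);
    }
    while ($row = $result->fetch_assoc()) {
        $findings[] = "{$table} #{$row['id']} \"{$row['name']}\" has allowhtml = 1";
    }
}

if ($findings === []) {
    echo "OK: HTML parsing is disabled everywhere checked.\n";
} else {
    echo count($findings) . " item(s) still allow HTML:\n";
    foreach ($findings as $finding) {
        echo " - {$finding}\n";
    }
    exit(2); // non-zero exit lets a cron job or CI step flag the drift
}
```

Run it from the command line (php audit_html_parsing.php) after applying the changes and again periodically; a non-zero exit code means a plugin, an import, or an administrator has re-enabled HTML somewhere.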

Some web attacks can be prevented by having the Site Details » SameSite Cookie Flag setting (Configuration → Settings) set to Yes (default).

Apply Server-Specific Directives

The MyBB package contains htaccess.txt and htaccess-nginx.txt files in the MyBB root directory.

  • Apache servers

    • htaccess.txt should be renamed to .htaccess and kept in the same directory,
    • the installation should contain a .htaccess file in the admin/backups/ directory (already renamed in the package).
  • nginx servers

    The directives included in the htaccess-nginx.txt file should be inserted into the nginx configuration file of your server.

Limit Access to Private Hosts and IP Addresses

The MyBB configuration file (inc/config.php) contains host names and IPv4 addresses the application should not be connecting to (e.g. while attempting to download remote avatars), mitigating a Server Side Request Forgery (SSRF) vulnerability. Board administrators should update their configuration files by adjusting default values (or adding the fragment included below to the PHP code of the file for older installations).

If the forum’s server infrastructure contains additional hostnames or IPv4 addresses that may point to private network servers, they should be appended to the arrays.

The $config['disallowed_remote_addresses'] array supports wildcards and address groups in CIDR notation.

/**
 * Disallowed Remote Hosts
 *  List of hosts the fetch_remote_file() function will not
 *  perform requests to.
 *  It is recommended that you enter hosts resolving to the
 *  forum server here to prevent Server Side Request
 *  Forgery attacks.
 */

$config['disallowed_remote_hosts'] = array(
	'localhost',
);

/**
 * Disallowed Remote Addresses
 *  List of IPv4 addresses the fetch_remote_file() function
 *  will not perform requests to.
 *  It is recommended that you enter addresses resolving to
 *  the forum server here to prevent Server Side Request
 *  Forgery attacks.
 *  Removing all values disables resolving hosts in that
 *  function.
 */

$config['disallowed_remote_addresses'] = array(
	'127.0.0.1',
	'10.0.0.0/8',
	'172.16.0.0/12',
	'192.168.0.0/16',
);
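To make the two arrays concrete, here is an added example (not MyBB’s own fetch_remote_file() code) of how a URL can be checked against them before any request is made. The function names remote_target_blocked() and address_matches() and the extra wildcard entry 169.254.* are this example’s own; the CIDR and wildcard handling follows the array description above.

```php
<?php
// Added example: apply disallowed_remote_hosts / disallowed_remote_addresses
// to a URL before fetching it. Not MyBB's implementation; the function names
// are assumptions for this illustration. Requires PHP 7.1+ (64-bit assumed).

$config['disallowed_remote_hosts'] = array(
	'localhost',
);
$config['disallowed_remote_addresses'] = array(
	'127.0.0.1',
	'10.0.0.0/8',
	'172.16.0.0/12',
	'192.168.0.0/16',
	'169.254.*',   // constructed wildcard entry covering the link-local range
);

/**
 * Does an IPv4 address fall into one denylist entry? Entries may be a plain
 * address, a wildcard pattern (192.168.*) or a CIDR range (10.0.0.0/8).
 */
function address_matches(string $ip, string $entry): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    if (strpos($entry, '/') !== false) {
        [$network, $bits] = explode('/', $entry, 2);
        $bits = (int) $bits;
        $networkLong = ip2long($network);
        if ($networkLong === false || $bits < 0 || $bits > 32) {
            return false;
        }
        // /0 is handled explicitly: shifting by 32 is undefined on 32-bit PHP.
        $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
        return ($ipLong & $mask) === ($networkLong & $mask);
    }
    if (strpos($entry, '*') !== false) {
        return fnmatch($entry, $ip);
    }
    return $ip === $entry;
}

/**
 * Return a reason string when the URL must not be fetched, or null if it
 * passes both lists. Host names are resolved and every returned address is
 * checked, so a public name that points at an internal address is caught.
 */
function remote_target_blocked(string $url, array $config): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'no host in URL';
    }
    $host = strtolower(trim($host, '[]'));

    foreach ($config['disallowed_remote_hosts'] as $blockedHost) {
        if ($host === strtolower($blockedHost)) {
            return "host {$host} is listed in disallowed_remote_hosts";
        }
    }

    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $addresses = [$host];            // literal address: no DNS needed
    } elseif (empty($config['disallowed_remote_addresses'])) {
        return null;                     // empty list: no resolution, as documented above
    } else {
        $addresses = gethostbynamel($host);
        if ($addresses === false) {
            return "host {$host} did not resolve";  // fail closed
        }
    }

    foreach ($addresses as $ip) {
        foreach ($config['disallowed_remote_addresses'] as $entry) {
            if (address_matches($ip, $entry)) {
                return "{$host} resolves to {$ip}, matching {$entry}";
            }
        }
    }
    return null;
}

// Constructed sample URLs: the first three are blocked, the last is allowed
// (203.0.113.10 is a documentation-range address not on the list).
foreach (['http://localhost/avatar.png', 'http://10.1.2.3/avatar.png',
          'http://169.254.0.1/avatar.png', 'http://203.0.113.10/avatar.png'] as $url) {
    echo $url, ' => ', remote_target_blocked($url, $config) ?? 'allowed', "\n";
}
```

Two design choices worth noting: a host that fails to resolve is treated as blocked rather than allowed, and IPv6 literals are not matched against the IPv4 list and therefore also end up blocked; if the forum must fetch from IPv6 hosts, that branch needs its own list.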

Hide the Version Number

Displaying which MyBB version the forum is running may make it easier for potential attackers to establish whether it contains vulnerabilities related to older versions. The Site Details » Show Version Numbers setting (Configuration → Settings) should be set to Off.

Restrict Web Access to Internal Files

Depending on installed extensions, you can disable access to internal files and directories.

  • Apache servers

    Create a .htaccess file in chosen directory with the following content to deny access to it:

    • Apache 2.4
      Require all denied
      
    • Apache 2.2
      Order deny,allow
      Deny from all
      
  • Nginx servers

    In the server block for the forum, add to disable access to the inc/ directory:

    location ~ /inc {
      internal;
    }
    

Change the Default Table Prefix

Changing the table prefix can prove to be helpful in certain cases. If an attacker manages to run an SQL query, they can easily damage the forum, but if they don’t know what the table prefix is (and therefore don’t have a table name to query) it would slow them down.

Remember: Before making any changes to the database, perform a database backup so that if something goes wrong, it will be trivial to recover your data.

  • Using phpMyAdmin

    1. Select all of the MyBB tables (at the bottom), click the dropdown and select Replace table prefix.
    2. In the from box, type in mybb (or whatever the old prefix was, ignoring the underscore); in the to box, type in your new prefix.
  • Manual SQL execution

    SET @database   = "mybb";
    SET @old_prefix = "mybb";
    SET @new_prefix = "mybb123232"; -- Example new prefix
    
    SELECT concat(
        "RENAME TABLE ",
        TABLE_NAME,
        " TO ",
        replace(TABLE_NAME, @old_prefix, @new_prefix),
        ';'
    ) AS "SQL"
    FROM information_schema.TABLES WHERE TABLE_SCHEMA = @database;
    

    The output will be a list of SQL statements that can be run to rename the tables.

After renaming the tables, adjust the value of $config['database']['table_prefix'] in the Configuration File accordingly.

MyBB — Admin Control Panel

Use Two-Factor Authentication (2FA)

All forum administrators should enable Two-Factor Authentication to protect against compromised passwords.

MyBB Documentation › Using Two-Factor Authentication with MyBB →

Rename the Admin CP Directory

We recommend renaming the admin/ Admin CP directory to a value known only to forum administrators, reducing the impact of potential password/2FA compromise and XSS attacks. To do this:

  • rename the admin directory from admin to something random, such as d8e8fca2dc0f896 (pick your own random value!),
  • in the inc/config.php file:
    • modify the name of the directory in $config['admin_dir']:
      $config['admin_dir'] = 'd8e8fca2dc0f896';
      
    • disable showing links to the ACP to make it undiscoverable even after logging in on the forum:
      $config['hide_admin_links'] = 1;
      

Confirm that the rename was completed successfully by browsing to your Admin CP and logging in. The address can be securely distributed to other administrators and bookmarked locally for convenience.

Note: after this change, extension files intended for upload to the admin/ directory will have to be uploaded to the renamed directory instead.

Limit Administrative Access

The MyBB ACP can be used not only to cause damage using assigned permissions, but also to escalate them and inject malicious code executed by administrators with more permissions (which is mostly related to HTML support in many fields editable through the ACP).

You should only allow Admin CP access to people you know well and trust, and potential administrators should be carefully selected and thoroughly reviewed. It is a good idea to distribute tasks between accounts, removing all permissions not relevant to performed tasks.

User and Group Administrator permissions can be inspected and modified in Users & Groups → Admin Permissions.

Admin Permissions that may be dangerous include (but are not limited to):

  • Configuration:
    • Can manage settings? (unfiltered HTML, sensitive data, security configuration),
    • Can manage custom profile fields? (unfiltered HTML),
    • Can manage custom MyCode? (unfiltered HTML),
    • Can manage language packs? (unfiltered HTML),
    • Can manage help documents? (unfiltered HTML),
    • Can manage calendars? (unfiltered HTML),
  • Forums & Posts:
    • Can manage forums? (unfiltered HTML),
  • Users & Groups:
    • Can manage users? (permission escalation),
    • Can manage user groups? (permission escalation),
    • Can manage admin permissions? (permission escalation),
    • Can manage group promotions? (permission escalation),
  • Templates & Style:
    • Can manage themes? (unfiltered HTML),
    • Can manage templates? (unfiltered HTML),
  • Tools & Maintenance:
    • Can manage cache? (sensitive data),
    • Can manage backup database? (sensitive data).

MyBB extensions may introduce additional areas to be wary of.

Configure Super Administrators

Super Administrator accounts cannot be deleted, banned, or otherwise altered by regular administrators in most sections of the Admin CP. During the MyBB installation process, the first user (with ID 1) is set as a Super Administrator.

The $config['super_admins'] variable of the MyBB configuration file (inc/config.php) defines a comma-separated list of user IDs.

E.g. to set users with ID 1 and ID 2002 as Super Administrators, the variable would be saved as:

$config['super_admins'] = '1,2002';

Use Private Browsing

It is recommended that forum administrators use separate browsers for public pages of the forum and the Admin CP or, preferably, use private browsing for ACP activities, limiting potential impact of vulnerabilities affecting the forum front-end and those originating from external sites. In this approach:

  • a new browser session with no saved data should be opened before logging into the ACP,
  • the ACP URL should be entered directly,
  • no external pages, including the forum front-end, should be visited within the browser session involving interaction with the ACP.

Protect the Admin CP with HTTP Basic Auth

Also known as htpasswd protection, adding HTTP Basic Auth protection to the Admin Control Panel directory is one of many ways to put sensitive settings behind another layer of security, independent from MyBB authentication mechanisms.

  • cPanel

    1. Search for the Directory Privacy menu item (icon: blue folder with lock),
    2. select the directory you wish to protect (the Admin CP directory),
    3. check the Password protect this directory checkbox,
    4. fill out the given form with a username and strong password,
    5. click Save.
  • DirectAdmin

    1. Search for the Password Protected Directories menu item,
    2. click Find a Directory to Password Protect,
    3. find the directory you wish to protect (the Admin CP directory) and click the Protect Action,
    4. fill out the given form with a username and strong password,
    5. check the Protection Enabled checkbox,
    6. click Save.
  • SSH — Apache Servers

    This method requires Apache to be configured to allow .htaccess files to override configuration values.

    1. Create a new .htaccess file in the Admin CP directory (Apache will interpret the file as a local configuration file in the directory and any subdirectories inside of it),
    2. Insert the HTTP Auth configuration into it:
      AuthUserFile /PATH/TO/.htpasswd
      AuthGroupFile /dev/null
      AuthName Restricted
      AuthType Basic
      require valid-user
      
    3. Run the following shell command:
      htpasswd -c -b /PATH/TO/.htpasswd DESIRED-USERNAME DESIRED-SECURE-PASSWORD
      

    Note: replace /PATH/TO/.htpasswd in both places with the respective file location.

  • SSH — Nginx Servers

    1. Open the nginx configuration file,
    2. within the server block, add the HTTP Auth configuration:
      location /admin {
        auth_basic           "Restricted";
        auth_basic_user_file /PATH/TO/.htpasswd;
      }
      
    3. Run the following shell command:
      htpasswd -c -b /PATH/TO/.htpasswd DESIRED-USERNAME DESIRED-SECURE-PASSWORD
      

      If the command is not found, install the apache2-utils, httpd-utils, or similar package for your Linux distribution.

    Note: replace /PATH/TO/.htpasswd in both places with the respective file location.

When finished, browse to the Admin CP again, and you should receive an additional username/password prompt before seeing the Admin CP login or interface.

Admin CP PIN

The Admin Control Panel login, besides passwords and 2FA tokens, can include a Secret PIN that serves as an additional, global password required to access the ACP. To set it up, edit the $config['secret_pin'] variable in the configuration file (inc/config.php):

$config['secret_pin'] = 'RANDOM-VALUE-HERE';

The Secret PIN can be securely distributed to other administrators to save in a safe place.

Inadvertent Data Disclosures

MyBB uses tokens whose confidentiality is required for its security mechanisms to work properly. These values usually consist of random alphanumeric characters and may appear in:

  • details of MyBB’s internal operations:

    • database exports, query results, and manual lookups (e.g. using phpMyAdmin),
    • Database Queries listed in MyBB Debug Information,
    • configuration (inc/config.php) and cached settings (inc/settings.php) files,
    • MyBB settings (usually secret API keys for external services),
    • Cache content (usually in the ACP’s Cache Manager),
    • Database Backup file names,
    • error logs and access logs,
    • information displayed by additional debug code,
  • normal MyBB usage artifacts:

    • cookie values in users’ browsers,
    • page source (usually named my_post_key, logoutkey),
    • URL parameters (...&my_post_key=...),
    • error messages.

Administrators, users, and visitors should take caution when seeking technical support and reporting problems to avoid including such data in code samples and diagnostic information (especially publicly), e.g. by limiting snippets to areas specific to the problem in question or replacing sensitive codes with [REMOVED].

Examples of sensitive Values:

var my_post_key = "0c153ee1b3a6f3847d98ab660fc0a64b";
<input type="hidden" name="my_post_key" value="0c153ee1b3a6f3847d98ab660fc0a64b" />
<a href="https://example.com/member.php?action=logout&amp;logoutkey=e77ed4a03c8ae73f3aada970f0230d3f" class="logout">
SELECT * FROM mybb_sessions WHERE sid='2ab3cb1c5142e42654cab26aa9fd0ee9' AND ip=X'4d794242'

Likewise, the password and salt values in the mybb_users table should not be shared, regardless of password hashing, as such disclosures may make it easier to guess the original passwords and any tokens generated from those values.
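The [REMOVED] replacement suggested above is easy to get wrong by hand, so here is an added example (not part of MyBB) of a small scrubbing function applied to the sample values listed in this section. The function name redact_mybb_tokens() and the regular expressions are this example’s own; the input lines are the ones shown above and are treated as a constructed sample.

```php
<?php
// Added example: scrub MyBB tokens from a diagnostic snippet before posting
// it publicly. Not part of MyBB; the rules below are this example's own.

/**
 * Replace token values with [REMOVED] and report how many each rule hit.
 * Returns ['text' => redacted string, 'counts' => rule name => hits].
 */
function redact_mybb_tokens(string $text): array
{
    $rules = [
        // A named token wherever "name=" precedes the value: JS variables,
        // URL query strings, SQL literals (sid) and the login cookie (loginkey).
        'named token' => [
            '/\b(my_post_key|logoutkey|loginkey|sid)(\s*=\s*)(["\']?)[A-Za-z0-9]{20,}\3/',
            '$1$2$3[REMOVED]$3',
        ],
        // Hidden form field: <input ... name="my_post_key" value="...">.
        'form field' => [
            '/(name=["\']my_post_key["\'][^>]*?value=["\'])[A-Za-z0-9]{20,}(["\'])/',
            '$1[REMOVED]$2',
        ],
        // Anything else that still looks like a 32-character hex token.
        'bare hex token' => ['/\b[0-9a-f]{32}\b/', '[REMOVED]'],
    ];

    $counts = [];
    foreach ($rules as $label => [$pattern, $replacement]) {
        $text = preg_replace($pattern, $replacement, $text, -1, $hits);
        $counts[$label] = $hits;
    }
    return ['text' => $text, 'counts' => $counts];
}

// Constructed sample: the example lines from this section of the guide.
$snippet = <<<'TXT'
var my_post_key = "0c153ee1b3a6f3847d98ab660fc0a64b";
<input type="hidden" name="my_post_key" value="0c153ee1b3a6f3847d98ab660fc0a64b" />
<a href="https://example.com/member.php?action=logout&amp;logoutkey=e77ed4a03c8ae73f3aada970f0230d3f" class="logout">
SELECT * FROM mybb_sessions WHERE sid='2ab3cb1c5142e42654cab26aa9fd0ee9' AND ip=X'4d794242'
TXT;

$result = redact_mybb_tokens($snippet);
echo $result['text'], "\n";
foreach ($result['counts'] as $label => $hits) {
    echo "{$label}: {$hits}\n";
}
```

Rules are applied in order, so the named rules keep the surrounding context readable (my_post_key = "[REMOVED]") and the final catch-all only fires on tokens the earlier rules did not recognise; review the output before posting, since the patterns cover the token formats shown on this page and not every value an extension might add.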

Monitoring

Error Logs

PHP, SQL, or other errors that appear during normal MyBB usage may indicate incorrect behavior that may pose a security risk or result from malicious activity. To observe such events, you can take advantage of the server’s error reporting features or use the Server and Optimization Options » Use Error Handling setting (Configuration → Settings) with suitable Error Logging Medium.

Activity Logs

We recommend regularly reviewing the Administrator Logs (Tools & Maintenance) to look out for malicious activity. While MyBB does not record failed login attempts, the Security Log plugin can be used to add this functionality.
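Even without a plugin, the web server’s access log records every request to the Admin CP, including rejections by the HTTP Basic Auth layer described earlier (status 401). The following added example (not part of MyBB or the Security Log plugin) summarises that activity per client address from log lines in the common Apache/nginx combined format. The renamed directory name, the threshold and the log lines are constructed for the example.

```php
<?php
// Added example: per-IP summary of Admin CP requests from an access log in
// "combined" format. Not part of MyBB; names and thresholds are assumptions.

$adminDir       = 'd8e8fca2dc0f896';  // value of $config['admin_dir'] (example)
$alertThreshold = 3;                  // more than this per IP is worth a look

/** Parse one combined-format line into its fields, or return null. */
function parse_combined_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

/**
 * For each client IP count requests under the ACP directory, how many were
 * POSTs (form submissions such as logins) and how many got 401 (Basic Auth).
 */
function summarise_acp_access(array $lines, string $adminDir): array
{
    $perIp = [];
    foreach ($lines as $line) {
        $r = parse_combined_line($line);
        if ($r === null) {
            continue;
        }
        $path = parse_url($r['path'], PHP_URL_PATH) ?? $r['path'];
        if ($path !== '/' . $adminDir && strpos($path, '/' . $adminDir . '/') !== 0) {
            continue;  // not an ACP request
        }
        if (!isset($perIp[$r['ip']])) {
            $perIp[$r['ip']] = ['requests' => 0, 'posts' => 0, 'auth_failures' => 0];
        }
        $perIp[$r['ip']]['requests']++;
        if ($r['method'] === 'POST') {
            $perIp[$r['ip']]['posts']++;
        }
        if ($r['status'] === 401) {
            $perIp[$r['ip']]['auth_failures']++;
        }
    }
    return $perIp;
}

// Constructed sample log lines (documentation-range addresses).
$lines = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /d8e8fca2dc0f896/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /d8e8fca2dc0f896/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /d8e8fca2dc0f896/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /d8e8fca2dc0f896/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /d8e8fca2dc0f896/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.7 - admin [10/Oct/2023:14:01:09 +0000] "POST /d8e8fca2dc0f896/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:02:15 +0000] "GET /showthread.php?tid=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

foreach (summarise_acp_access($lines, $adminDir) as $ip => $s) {
    $flag = ($s['auth_failures'] > $alertThreshold || $s['posts'] > $alertThreshold)
        ? '  <-- review' : '';
    echo "{$ip}: {$s['requests']} ACP requests, {$s['posts']} POSTs, "
       . "{$s['auth_failures']} auth failures{$flag}\n";
}
```

One caveat when reading the numbers: a browser always receives one 401 before it sends Basic Auth credentials, so a single 401 per visit from a known administrator is normal; repeated 401s, or POSTs from addresses no administrator uses, are what to look for. To run this on a real log, replace the $lines array with file('/path/to/access.log', FILE_IGNORE_NEW_LINES).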

Files and Database

File Verification (Tools & Maintenance) can be used to check MyBB source files for modification. With the DVZ Integrity Tools plugin, forum Super Administrators will also be able to compare files, showing the specific changes, and list changes applied to the database table structure.

Admin CP Honeypot

The Admin CP Honeypot installs a fake Admin CP that may be used together with a renamed Admin CP directory, recording the IP address of anyone who tries to log in to it and emailing you a short report.

External Tools

Some search engine webmaster tools offer alerts upon discovery of problems affecting websites, including malicious activity (e.g. Bing, Google, Yandex), which may also help identify the issue.

Environment

We recommend choosing reputable and trusted providers for domain, hosting, and other infrastructure services.

Forum staff with access to such administrative accounts should have Two-Factor Authentication (2FA) enabled and make sure that less visible features, such as password reset, cannot be used to easily bypass it. Server management tools and other installed web applications should only be used over secure connections (HTTPS, SFTP, SSH).

Domain

Domains associated with the board should have a registrar lock and DNSSEC enabled to limit attempts of domain and traffic hijacking.

Server

  • Shared Hosting and Managed Servers

    You should verify that server software and tools (underlying operating system, web hosting control panel — cPanel/DirectAdmin, HTTP server, database system, PHP, phpMyAdmin, etc.) are kept up to date and the organization is capable of quickly responding to security concerns.

  • VPS and Dedicated Servers

    Virtual or dedicated servers should be maintained by experienced system administrators. For more information you should look up articles on maintaining and securing servers relevant to the operating system and software (HTTP server, PHP, database system, etc.).

If the forum traffic is cached by accelerators or caching servers (e.g. Varnish), you should make sure they are configured properly and never cache the HTML content of MyBB-generated pages, especially those intended for authenticated users, as it may leak secret security tokens intended for individual users or visitors.

Third Party Software

Applications installed on the same server may affect each other’s functionality directly — by accessing foreign files or databases, or executing foreign code — and indirectly, e.g. by accessing server software. A vulnerability in third-party software may therefore threaten the security of the forum, so all web applications should be kept up to date and secured, similarly to MyBB. For more information, look up articles on securing any other software you have installed.

Response Readiness

Administrators running MyBB forums should be familiar with steps and tools involved in the response to potential security incidents and data breaches:

MyBB Documentation › Security Incident Response & Recovery →

