Rikki


7 ways to secure your community

Security should never be an afterthought for your community. All too often, site owners consider beefing up their security only when it's too late and their community has already been compromised. Taking some time now to check and improve the security of your community and server could pay dividends by eliminating the cost and hassle of falling victim to hacking in the first place.

Let's run down 7 ways that you can protect your community with the IPS Community Suite, from security features you may not know about to best practices all communities should be following.

 

1. Be selective when adding administrators

Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Granting access to the AdminCP is like handing someone the keys to your house, so before doing so, be sure you really trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?).

Don't forget to remove administrator access promptly when necessary too, such as when a member of staff leaves your organization. Always be aware of exactly who has administrator access at any given time, and review the list regularly. You can list all accounts that have AdminCP access by clicking the List Administrators button on the System -> Security page.

2. Utilize Admin Restrictions

In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth. IPS4 allows you to limit administrator access to very specific areas of the AdminCP with the Admin Restrictions feature, and even limit what can be done within those areas. This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future.

3. Choose good passwords

This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are simply too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential.

We recommend using a password manager application such as 1Password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them.

Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites too.

4. Stay up to date

It's a fact of software development that from time to time new security issues are reported and promptly fixed. But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community.

When we release new updates - especially if they're marked as a security release in our release notes - be sure to update as promptly as you can so you receive the latest fixes. Your AdminCP will also let you know when a new version is ready for download.

5. Use .htaccess protection for your AdminCP

In addition to IPS4's own AdminCP login page, you can set up browser-level authentication, giving you a double layer of protection. This is done via a special .htaccess file which instructs the server to prompt for authentication before access to the page is granted. IPS4 can automatically generate this file for you - simply go to System -> Security in your AdminCP, and enable the "Add a secondary admin password" rule.

And it should go without saying, but to be clear: don't use the same username or password for both your .htaccess login and your admin account, or the measure is redundant!

6. Restrict your AdminCP to an IP range where possible

If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist. This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment. If you're a Community in the Cloud customer, contact our support team if you'd like to set up this protection for your account.

7. Properly secure your PHP installation

Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We therefore recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs:

disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system

Another critical PHP configuration setting you need to check is that open_basedir is enabled, especially if you're hosted on a server that also hosts other websites (known as shared hosting). If another account on the server is compromised and open_basedir is disabled, the attacker can potentially gain access to your files too.

Naturally, Community in the Cloud customers needn't worry about either of these steps - we've already handled it for you!
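To confirm that both settings from tip 7 are actually in effect, the following added example (not part of the original article or of IPS4) compares the running PHP configuration against the recommended list above. The function names ini_list and audit_php_hardening are hypothetical, and the root-directory check only covers the Unix path "/".

```php
<?php
// Added example: audit the effective PHP settings against the article's list.
// Run it through the same SAPI that serves the community (mod_php or PHP-FPM);
// the command-line binary often loads a different php.ini.

const RECOMMENDED = 'escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,'
    . 'passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,'
    . 'proc_terminate,show_source,shell_exec,symlink,system';

/** Split a delimited ini value into a list of trimmed, non-empty entries. */
function ini_list(string $value, string $separator = ','): array
{
    $items = array_map('trim', explode($separator, $value));
    return array_values(array_filter($items, 'strlen'));
}

/** Return one human-readable finding per gap; an empty array means no gaps. */
function audit_php_hardening(string $disabled, string $openBasedir): array
{
    $findings = [];

    // Function names are case-insensitive in PHP, so compare in lower case.
    $missing = array_diff(
        array_map('strtolower', ini_list(RECOMMENDED)),
        array_map('strtolower', ini_list($disabled))
    );
    foreach ($missing as $function) {
        $findings[] = "disable_functions: '$function' is still callable";
    }

    // open_basedir holds one or more directories joined by PATH_SEPARATOR.
    $directories = ini_list($openBasedir, PATH_SEPARATOR);
    if ($directories === []) {
        $findings[] = 'open_basedir: not set, so only OS file permissions limit PHP';
    }
    if (in_array('/', $directories, true)) {
        $findings[] = "open_basedir: '/' is the filesystem root and restricts nothing";
    }
    return $findings;
}

// ini_get() returns false for an unknown option; the cast turns that into ''.
$findings = audit_php_hardening(
    (string) ini_get('disable_functions'),
    (string) ini_get('open_basedir')
);
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'OK: both settings match' . PHP_EOL;
```

Because the output describes your server's configuration, place the file somewhere only you can reach and delete it once you have the result.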

 

So there we go - a brief overview of 7 common-sense ways you can better protect your community and its users. As software developers, we're constantly working to improve the behind-the-scenes security of our software, but as an administrator, there are also a number of steps you should take to keep your community safe on the web.

If you have any tips related to security, be sure to share them in the comments!

Comments

Quote

disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system

Is this going to be updated in the suite in the security center?

56 minutes ago, rllmukforum said:

How do you implement admin restrictions? It isn't obvious from the ACP.

Create a new administrator (user or group) and then allow/disallow the items they have access to - thus you are 'restricting' what they can or cannot do.

On 08-04-2016 at 10:44 AM, Nathan Explosion said:

By deleting the files you uploaded to implement the step.

Thanks, but there wasn't a file upload

Quote

IPS4 can automatically generate this file for you - simply go to System -> Security in your AdminCP, and enable the "Add a secondary admin password" rule.

 


Hi Rikki,

The recent Ashley Madison hack, and others like it, definitely help to highlight the dangers.

Two things that I've implemented on our forum to help beef up our security are:

1. Run the entire site on SSL (most people might already do this, it's an easy yet useful step)

2. Encrypt email addresses (or other personally identifiable data fields) - this was really most important in our situation as it helps to protect the identity of our members in the event of a hack. It's not for everyone though, as it is a bit of work to set up, and it requires template changes to be considered with updates.

Edited by Stormlilly

After getting endless trouble with SQL injected malware that was almost impossible to flush out ourselves (the evil stuff kept backdooring its way in again and again, and online instructions for cleaning it up were - at best - inadequate and time consuming), we bought a Sucuri subscription.  Got us fully cleaned within a couple of hours and properly monitored and clean ever since.  Best investment in my site ever, tbh.

 
