Martin A. reacted to Matt for an entry, How to keep your community secure
Security should never be an afterthought. Don't wait until an attack has compromised your site before you take action.
All too often, site owners consider increasing their security only when it's too late, and their community has already been compromised.
Taking some time now to check and improve the security of your community and server will pay dividends.
In this blog, we run down 8 ways that you can protect your community with Invision Community. We go through the security features you may not know about to best practices all communities should be following.
1. Set up Two Factor Authentication
Invision Community supports Two Factor Authentication (2FA for short), and we highly recommend making use of this feature for your users, but especially for your administrative staff.
2FA is a system that requires both a user's password and a special code (displayed by a phone app) that changes every few seconds. The idea is simple: if a user's password is somehow compromised, a hacker still wouldn't be able to log in to the account without the current code number.
You may already be familiar with 2FA from other services you use. Apple's iCloud, Facebook and Google all offer it, as do thousands of banks and other security-conscious businesses.
Invision Community supports 2FA via the Google Authenticator app (available for iOS and Android) or the Authy service, which can send codes to users via text message or phone call. You can also fall back to security questions instead of codes.
You can configure which member groups are allowed to use 2FA, as well as require certain groups to use it.
Recommendation: Require any staff with access to the Admin Control Panel or moderation functions to use 2FA. This will ensure that no damage will occur should their account passwords be discovered. Allow members to use 2FA at their discretion.
2. Configure password requirements
The password strength feature displays a strength meter to users as they type a new password. The meter shows them approximately how secure it is, as well as some tips for choosing a good password.
While you can leave this feature as a simple recommendation for users, it's also possible to require them to choose a password that reaches a certain strength on the meter.
Recommendation: Require users to choose at least a 'Strong' password.
3. Be selective when adding administrators
Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Giving access to the AdminCP is like handing someone the keys to your house. Before doing so, be sure you trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?).
Recommendation: Don't forget to remove administrator access promptly when it is no longer needed, such as when a member of staff leaves your organization. Always be aware of exactly who has administrator access at any given time, and review the list regularly. You can list all accounts that have administrative access by clicking the Administrators button under Staff on the Members tab.
4. Utilize Admin Restrictions
In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth.
Invision Community allows you to limit administrator access to particular areas of the AdminCP with the Admin Restrictions feature, and even limit what can be done within those areas.
This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future.
Recommendation: Review the restrictions your admins currently have.
5. Choose good passwords
This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential.
We recommend using a password manager application, such as 1password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them.
Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites too.
Recommendation: Reset your password regularly and ensure you do not use the same password elsewhere.
6. Stay up to date
It's a fact of software development that from time to time, new security issues are reported and promptly fixed.
But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community.
When we release new updates - especially if they're marked as a security release in our release notes - be sure to update promptly.
Invision Community allows you to update to the latest version via the AdminCP. You no longer need to download a thing!
Recommendation: Update to the latest version whenever possible. Remember, with Invision Community's theme and hook systems, upgrades to minor point releases should be very straightforward.
7. Restrict your AdminCP to an IP range where possible
If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist.
This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment.
Recommendation: Consider IP restriction as an additional security layer when you are not able or willing to use 2FA.
8. Properly secure your PHP installation
Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We therefore recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs:
disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system
Another critical PHP configuration setting to check is that open_basedir is enabled. This matters especially if you're hosted on a server that also hosts other websites (known as shared hosting): if another account on the server is compromised and open_basedir is disabled, the attacker can potentially gain access to your files too.
Naturally, Cloud customers needn't worry about this; we've already ensured our cloud infrastructure is impervious to this kind of attack.
Recommendation: Review your PHP version and settings, or choose one of our cloud plans where we take care of this for you.
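An added example, not from the post or from Invision Community's own code: a small Python audit that reads a php.ini file, reports which entries from the recommended disable_functions list are still enabled, and checks that open_basedir is set. It inspects the configuration file text rather than the running interpreter's effective settings (for those, run `php -i` and review the same two directives); the sample fragments and the path in them are constructed.

```python
# The disable_functions list recommended in the post above.
RECOMMENDED_DISABLED = {
    "escapeshellarg", "escapeshellcmd", "exec", "ini_alter", "parse_ini_file",
    "passthru", "pcntl_exec", "popen", "proc_close", "proc_get_status",
    "proc_nice", "proc_open", "proc_terminate", "show_source", "shell_exec",
    "symlink", "system",
}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: drops ';' comments and [section] headers and
    returns a {directive: value} map (a later duplicate wins, as in PHP)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_php_ini(text: str) -> dict:
    """Report recommended functions that are NOT disabled and whether open_basedir is set."""
    settings = parse_php_ini(text)
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    return {
        "missing_disable_functions": sorted(RECOMMENDED_DISABLED - disabled),
        "open_basedir_set": bool(settings.get("open_basedir", "")),
    }


# Constructed sample: a default-style fragment with nothing disabled and no open_basedir.
WEAK_INI = """\
[PHP]
; disable_functions =
disable_functions =
expose_php = On
"""

# Constructed sample: the post's list applied, plus open_basedir confining PHP to the site tree.
HARDENED_INI = """\
[PHP]
disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system
open_basedir = "/var/www/community:/tmp"   ; hypothetical site path
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini))
```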
So there we go - a brief overview of 8 common-sense ways you can better protect your community and its users.
As software developers, we're constantly working to improve the behind-the-scenes security of our software. As an administrator, there are also a number of steps you should take to keep your community safe on the web.
If you have any tips related to security, be sure to share them in the comments!
Martin A. reacted to Matt for an entry, 4.4: 6 New Micro Features
I really enjoy writing about the new features the development team have been slaving over for weeks (and sometimes months).
It's a real joy to be able to share the finished product after we've seen it through inception, discussion, planning, assigning to a developer, coding, peer reviewing and final group testing.
Although sometimes, the features can be explained in a few screenshots, which makes for a pretty thin blog entry.
With that in mind, I've grouped together 6 of the best new micro-features for Invision Community 4.4.
We introduced browser notifications in a previous version of Invision Community.
Once you've opted in to receive them, you'll get a fancy browser notification when new content is posted while you're off browsing other sites.
However, the browser prompt to ask for permission to push notifications isn't subtle, and it attacks you the second you log in for the first time.
In Invision Community 4.4, we've made it so you're only asked to opt in once you open the notification drop down.
No more being attacked by a permission dialog
Widget display settings
One of the most popular features we've added to the front end in recent times is the drag and drop widgets.
We see these used on almost every site we visit.
A popular request, though, was to be able to hide them from specific devices. By default, the sidebars appear under the main content when viewed on a smaller device such as a phone.
There may be times where you wish to show a block for those on tablets and desktops, but remove it for phones, so it doesn't take up precious screen space.
Happily, you can now do this on each block with 4.4.
Clubs are relatively new to Invision Community, but they are incredibly popular as they allow you to run micro-communities within your main community.
You're not limited to just forums either; you can add gallery albums and more to each club.
We've added the ability to re-arrange the club tabs, allowing you to prioritise what your members see first.
Rearranging club tabs
Announcements have been a core feature for a long time now. We use them whenever we have a holiday so we can notify our customers about reduced support on those days.
We've made it so you can now link to an item, rather than have to provide new copy for each announcement.
We may have overdone it a bit
Time Frame selector
We noticed that in numerous areas around the Admin CP we had time input boxes. These would sometimes be used for seconds, minutes, hours and even days.
We've seen customers forced to enter things like 86400 seconds when they want the time frame to last a day. The lack of consistency wasn't great either.
In Invision Community 4.4, we've added a new Time Frame selector which is used as standard on all areas we ask for a time frame to be entered.
No more taking your socks off to work out how many seconds in a month.
Time is no longer relative
Group Name Styling
For about as long as I can remember (and as I get older, this is not an impressive amount of time), we've allowed group names to be stylized when shown in the online user list.
A very popular request is to extend that same group highlighting throughout the suite.
Finally, Invision Community 4.4 brings this to the suite.
If the group name is visible, that gets the styling, otherwise the name does
These features may be micro in nature, but we hope they make a significant improvement to your community.
Which are you most looking forward to? Drop a comment below and let us know.
Martin A. reacted to Matt for an entry, Interview with Michael Rielly of ClausNet.com
Did you know that the most magical community in the world runs on Invision Community?
For close to 12 years, Invision client @Michael R has been spreading joy through the Santa Claus Network (ClausNet.com), the world’s largest community for Santa and his followers.
He started building the site in November 2006 and went live in the beginning of 2007, using Invision Community as his platform of choice since the beginning. Michael also founded the James D. Rielly Foundation in honor of his grandfather – a non-profit organization that provides charitable and emotional support to military and first responder families.
As a tribute to the holidays, Mike was gracious enough to be interviewed by Joel on behalf of Invision Community on how he uses Invision Community and engages with his unique community.
J: This is such a wonderful community of passion. How did you get started?
Back in October 2005, I attended the world-famous Charles W. Howard Santa Claus School. It was a Christmas present I received from my wife. At that time, I had already been portraying Santa for 34 years but was a bit skeptical of what I would get out of attending a “Santa School.”
He’s already nailed the Santa look.
At the school I got to meet Santas from all over the World!
It was a wonderful experience and I am still friends with many of the folks, but what I enjoyed most of all was the camaraderie I felt with my fellow brothers and sisters in red. This was the catalyst in creating ClausNet – to recreate the same feeling of fellowship I felt at the school.
J: Your membership must be very unique.
ClausNet is the world's largest online community dedicated to the faithful portrayal of Santa Claus. Our membership also includes Mrs. Claus, Elves, Reindeer Handlers, and all others who devote their time to bringing the magic of Christmas to children and adults throughout the world!
In comparison to other sites, 2,900 isn’t a lot of members. But based on some estimates it’s about two thirds of all the Santas and Mrs. Clauses on the planet!
We are very selective about who we approve for membership. In addition to Invision’s validation process, I personally email each person who registers for an account. I do this to help eliminate trolls and other Grinchy people, but mostly to keep out the prying eyes of children to preserve the Secret of Santa and keep the magic alive for children of all ages!
J: What Invision apps do you use, and how do you use them?
We have all the Invision Community apps and rely upon them for many purposes.
We don’t sell products on the site but we do use Commerce for donations. Members can purchase Supporter Level Memberships at varying prices. We use Pages and Blogs for posting short stories, opinion pieces, and even business advice. We use Downloads for sharing files such as example contracts and business card templates. The Calendar app is a great resource in notifying and scheduling regional get-togethers, workshops, schools, and training sessions.
Articles and short stories written in Pages.
J: What are some of the most innovative features of Invision Community that your members have embraced?
I believe Invision Community is the most robust platform for building online communities. Our members really like the new Clubs feature. We use Clubs for regional and local groups as well as specific topics such as prop making and costuming.
From the Long Leaf Pines to the Northern Pacific, ClausNet uses regional clubs all over the world to foster closer relationships.
J: There must be seasonality with your niche. How do you keep your members engaged throughout the year and what are some special events that you host?
Throughout the year we run several activities designed to keep up engagement.
Member of the Month - Each month, I select a different member of our community to be featured. We interview the candidate and post the interview on the site.
ClausNet Gazette Monthly Newsletter - We send out a monthly newsletter of content from the website. Surprisingly, it’s the first time many of the members see the content. It is a great way to keep members coming back to the site.
Christmas Card and Ornament Exchange – These are two of the most anticipated events we hold. Members sign up and are randomly paired with another, so they can exchange cards or ornaments. It’s very exciting to receive Christmas ornaments from another part of the world!
We also run several other programs such as an Annual Raffle, Countdown to Christmas, Picture Contests, and Latest News.
J: As a longtime Invision client whose passion is the holidays, what are your holiday wishes to other Invision clients and clients-to-be?
As many of you know, Christmas is my favorite holiday – a holiday that lives in my heart year-round! May this holiday season be one of health and happiness for you and your loved ones. Happy Holidays, Happy Hanukkah, Joyous Kwanzaa, Festive Festivas, Fröhliche Weihnachten, Nollaig Shona, Boas Festas, Buon Natale, Feliz Navidad, Merry Christmas!
J: Thank you Mike for graciously spending your time with me and other Invision clients to learn how you engage with members using Invision Community. Hopefully this interview has helped inspire and motivate other clients with some extra cheer during the holiday season!
Martin A. reacted to Matt for an entry, Podcast: Online Communities in the Post-Facebook Era
Matt was recently invited onto the Community Signal Podcast, where he spoke with host Patrick O'Keefe.
Everything from how Matt got started with online communities right up to the possibility of a post Facebook era was covered in their 45 minute chat. Matt also gives a little insight into how Invision Community works behind the scenes.
From Community Signal:
Check out the podcast now!
Martin A. reacted to Rikki for an entry, Streamlining our website and community
Many of the regular visitors to our community won't have failed to notice the new look we launched last week. Now that the dust has settled, I thought it was a good time to explain why we've made the change.
Streamlined access to everything we offer
Ever since IPS was founded in 2002, our community has been distinct from our website. The community is also where we kept all kinds of resources, from guides to the Marketplace. For those customers who know us well and enjoy hanging out in our community (and we have many who have been with us since that day in 2002!), this is no problem. Unfortunately, the downside is many new and potential customers didn't see everything we have to offer: all the wonderful addons our contributors offer, additional support resources, plentiful advice from other community administrators, and more.
In addition, we've always used the default theme that our software ships with, but with our self-service demo system now being the primary way new customers get to try out our software, this has become less important.
So, we took the decision to move some parts of the community to the website for more exposure and easier discovery by new visitors. We made some tweaks to our navigation so that finding these areas is easier than before. And, of course, we've brought the website header over to the community, giving it a fresher look and more consistent navigation, wherever you happen to be on our website.
Of course, all of our website is built in IPS4, as you would expect. Whereas before our website existed on a separate installation, as part of the update we merged our community and website together. This means you can sign in from anywhere, see your notifications and so on.
This is just the first step we've taken on improving what we offer and how we offer it. We have many plans in progress. You may have seen the theme tip we posted this week, which is the first in a series of regular tips we'll be sharing to help you get the most out of the IPS Community Suite. We'll also be highlighting some of the incredible work our customers do, whether it's a unique use of our software, or something in our Marketplace that adds a great feature.