Entry by Matt: How to keep your community secure
Security should never be an afterthought. Don't wait until an attack has compromised your site before you take action.
All too often, site owners consider increasing their security only when it's too late, and their community has already been compromised.
Taking some time now to check and improve the security of your community and server will pay dividends.
In this blog, we run down 8 ways that you can protect your community with Invision Community, covering everything from security features you may not know about to best practices all communities should be following.
1. Set up Two Factor Authentication
Invision Community supports Two Factor Authentication (2FA for short), and we highly recommend making use of this feature for your users, but especially for your administrative staff.
2FA is a system that requires both a user's password and a special code (displayed by a phone app) that changes every few seconds. The idea is simple: if a user's password is somehow compromised, a hacker still wouldn't be able to log in to the account without the current code number.
You may already be familiar with 2FA from other services you use. Apple's iCloud, Facebook and Google all offer it, as do thousands of banks and other security-conscious businesses.
Invision Community supports 2FA via the Google Authenticator app (available for iOS and Android) or the Authy service, which can send codes to users via text message or phone call. You can also fall back to security questions instead of codes.
You can configure which members groups can use 2FA, as well as requiring certain groups to use it.
Recommendation: Require any staff with access to the Admin Control Panel or moderation functions to use 2FA. This will ensure that no damage will occur should their account passwords be discovered. Allow members to use 2FA at their discretion.
2. Configure password requirements
The password strength feature displays a strength meter to users as they type a new password. The meter shows them approximately how secure it is, as well as some tips for choosing a good password.
While you can leave this feature as a simple recommendation for users, it's also possible to require them to choose a password that reaches a certain strength on the meter.
Recommendation: Require users to choose at least a 'Strong' password.
3. Be selective when adding administrators
Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Giving access to the AdminCP is like handing someone the keys to your house. Before doing so, be sure you trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?).
Recommendation: Don't forget to remove administrator access promptly when necessary too, such as when a member of staff leaves your organization. Always be aware of exactly who has administrator access at any given time, and review regularly. You can list all accounts that have Administrative access by clicking the Administrators button under Staff on the Members tab.
4. Utilize Admin Restrictions
In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth.
Invision Community allows you to limit administrator access to particular areas of the AdminCP with the Admin Restrictions feature, and even limit what can be done within those areas.
This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future.
Recommendation: Review the restrictions your admins currently have.
5. Choose good passwords
This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential.
We recommend using a password manager application, such as 1Password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them.
Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites too.
Recommendation: Reset your password regularly and ensure you do not use the same password elsewhere.
6. Stay up to date
It's a fact of software development that from time to time, new security issues are reported and promptly fixed.
But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community.
When we release new updates - especially if they're marked as a security release in our release notes - be sure to update promptly.
Invision Community allows you to update to the latest version via the AdminCP. You no longer need to download a thing!
Recommendation: Update to the latest version whenever possible. Remember, with Invision Community's theme and hook systems, upgrades to minor point releases should be very straightforward.
7. Restrict your AdminCP to an IP range where possible
If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist.
This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment.
Recommendation: Consider IP restriction as an additional security layer when you are not able or willing to use 2FA.
8. Properly secure your PHP installation
Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We, therefore, recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs:
disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system
Another critical PHP configuration setting you need to check is that open_basedir is enabled. This matters especially if you're hosted on a server that also hosts other websites (known as shared hosting): if another account on the server is compromised and open_basedir is disabled, the attacker can potentially gain access to your files too.
Naturally, Cloud customers needn't worry about this; we've already ensured our cloud infrastructure is impervious to this kind of attack.
Recommendation: Review your PHP version and settings, or choose one of our cloud plans where we take care of this for you.
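As an added example (not part of this entry and not Invision Community's own tooling), the POSIX shell script below audits a php.ini file against the disable_functions list recommended above and checks that open_basedir is set. The two sample ini files it writes are constructed for illustration, and /var/www/community is an assumed site root.

```shell
#!/bin/sh
# Audit a php.ini file against the hardening advice in the entry above.
# Usage: audit_php_ini /path/to/php.ini  (exit status = number of findings)

# The function list recommended in the entry.
RECOMMENDED_DISABLED="escapeshellarg escapeshellcmd exec ini_alter parse_ini_file passthru pcntl_exec popen proc_close proc_get_status proc_nice proc_open proc_terminate show_source shell_exec symlink system"

# Print the value of an ini directive: $1 = ini file, $2 = directive name.
# Commented lines (starting with ';') are skipped, the last assignment wins
# (as PHP itself behaves), and surrounding quotes/whitespace are stripped.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Print one line per finding; return the number of findings (0 = hardened).
audit_php_ini() {
    ini="$1"
    findings=0
    # Normalise to ",fn1,fn2,...," so each name can be matched exactly.
    disabled=",$(ini_value "$ini" disable_functions | tr -d ' '),"
    for fn in $RECOMMENDED_DISABLED; do
        case "$disabled" in
            *",$fn,"*) ;;   # already disabled
            *) echo "disable_functions: $fn is still enabled"
               findings=$((findings + 1)) ;;
        esac
    done
    basedir="$(ini_value "$ini" open_basedir)"
    if [ -z "$basedir" ]; then
        echo "open_basedir: not set; PHP can read files outside the site root"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample configurations (not taken from any real server).
WEAK_INI=$(mktemp)
FIXED_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$FIXED_INI"' EXIT

cat > "$WEAK_INI" <<'EOF'
; typical untouched shared-hosting defaults: nothing disabled, no open_basedir
disable_functions =
;open_basedir =
EOF

cat > "$FIXED_INI" <<'EOF'
disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system
open_basedir = "/var/www/community:/tmp"
EOF

echo "== weak php.ini =="
audit_php_ini "$WEAK_INI" || echo "$? finding(s)"
echo "== hardened php.ini =="
audit_php_ini "$FIXED_INI" && echo "no findings"
```

Point it at the php.ini your host actually loads (php --ini shows which) rather than a copy, since a per-directory or pool override can silently win.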
So there we go - a brief overview of 8 common-sense ways you can better protect your community and its users.
As software developers, we're constantly working to improve the behind-the-scenes security of our software. As an administrator, there are also a number of steps you should take to keep your community safe on the web.
If you have any tips related to security, be sure to share them in the comments!
Entry by bfarber: 4.4: Extend Invision Community with the REST API
Ever since its first release, the REST API built into the Invision Community software has proven to be a very powerful and well-received feature.
We love seeing what our clients and modification authors are able to do with the level of integration afforded to them through this capability, and so it is only natural that we have looked to expand the functionality in our upcoming 4.4 release.
Beginning with 4.4, you will now be able to create and update polls for both topics and blog entries through the REST API. Of course, modification authors can use this new endpoint.
You will also now be able to manage warn reasons through the REST API. This includes fetching a list of reasons, as well as fetching an individual reason, creating warn reasons, updating existing warn reasons, and deleting warn reasons.
Event venues can now be listed and individual venues fetched through the REST API, and you can now add, update and delete event venues through the REST API.
You can now retrieve a list of notifications for a specific member through the REST API, useful if you were to attempt to recreate the notifications menu on a third party website (for example).
The REST API will now expose the warnings a user has received through a new endpoint. Additionally, you can fetch individual warnings, issue new warnings, undo and/or delete issued warnings, and acknowledge warnings through the REST API. If you are building a site wrapper around your community, you can leverage this functionality to ensure that users are unable to post elsewhere on your site if they have unacknowledged warnings within the community (and also to provide them with a way to acknowledge those warnings right on your site).
The REST API Reference
Beginning with 4.4, you will now be able to set the permissions for a node when adding or updating it through the REST API (for example, you can now adjust the permissions for a forum or a downloads category through the REST API). Many clients noticed that while they could create new nodes through the API, the nodes would be unusable until an administrator manually went in and specified the permissions, so this change can eliminate this extra step in many situations.
You will now also be able to filter the events you pull through the Calendar REST API endpoints by start and end date (e.g. so you can show events within a specific time frame, such as the current week), and you can now also specify to sort the events returned by the event start date or the event end date.
And finally, for those who leverage clubs on their communities, we have built in full REST API support for clubs. You can list all clubs, return a specific club, create new clubs, update existing clubs, and delete clubs through the REST API. Further, you can list all members in a club, add a specific member to a specific club, remove a member from a club, fetch the content types available for use within a club (i.e. so you can determine which applications are installed and have club support on a given site), fetch the nodes (displayed as tabs/sections within a club) created within a club, and delete nodes from a club. Important behind the scenes steps, such as generating invoices for members requesting to join paid clubs, are all handled automatically for you when using the REST API.
We believe these changes will help clients better integrate with our software and open up new possibilities with their websites.
Would you like us to add any other endpoints? Let us know in the comments below!
Entry by Mark: 4.4: Increase visitor registrations with Post Before Registering
It's very easy to focus on a single metric to gauge the success of your community.
It's very common for community owners to look at page hits and determine if their SEO and marketing efforts have paid off.
Getting traffic to your site is only half the equation though. The most valuable metric is how many casual visitors you're converting to engaged members.
Invision Community already makes it easy for guests to sign up using external services such as Facebook, Twitter and Google.
However, there has to be a conscious decision to click that sign-up button. For some, this may be one barrier too many.
Invision Community 4.4 reduces this barrier by allowing guests to create a post to a topic they want to engage with.
Once they have posted, they are simply asked to complete their registration. They are more likely to do this now that they have invested in your community.
This will be incredibly valuable when you consider how much traffic a forum receives from inbound Google searches. With Post Before Registering, you'll increase your chances of turning that inbound lead into a registered member contributing to your site.
Let me take you through the feature and show you how it works.
When browsing the community, guests will see the ability to submit a post, with an explanation that they can post now and complete registration later. The only thing they have to provide in addition to their post is an email address.
Posting as a guest
This works in any application for new content (topics, Gallery images, etc.) as well as comments and reviews. It will only show when a newly registered member would be able to post in that area - for example, it will not show in a forum that only administrators can post in.
After submitting the post, the post will not be visible to any user, but the user will immediately be redirected to the registration form with an explanation to complete the registration. The email address they provided will already be filled in.
Registration form after posting as a guest
At this point, the user can either fill in the registration form, or use a social sign in method like Facebook or Twitter to create an account. After the account has been created, and validation has been completed if necessary, their post will automatically be made visible just as if they had registered and then posted.
If the user abandons the registration after they've submitted their post, an email will be sent to them to remind them to complete the registration.
Email reminding user to finish registering
Invision Community already has a feature that allows guests to post without registering if granted permission. That feature has not been removed, so if you already allow guests to post, the behaviour will not change. This new feature is only available when a guest can't post in a given area but a member would be able to. The entire feature can also be turned off if undesired.
If the area the guest is posting in requires moderator approval, or newly registered members require approval of new posts, the post will enter the moderation queue as normal once their account has been created. Third party applications will require minor updates to support this feature.
Once your casual visitor has invested time in your community by crafting a post, they are much more likely to finish the registration to get it posted. If you have set up external log in methods, then registration only takes a few more clicks.
This blog is part of our series introducing new features for Invision Community 4.4.
Entry by bfarber: 4.3: REST API Enhancements
"No man is an island" wrote John Donne. He wrote that a good 200 years before computers were invented, but it rings true for any well written framework like Invision Community.
The included REST API allows developers to fetch data from Invision Community and also allows data to be added.
This data can be used to power widgets on your website, or to be used within other applications you are already using in a very simple way.
Several enhancements have been made to the REST API for Invision Community 4.3 that we wanted to let you know about.
These changes are developer-oriented, so if you do not use the REST API with your community please feel free to skip this update.
If you would like to learn more about the REST API available with Invision Community, please see our REST documentation.
As previously noted, you can now perform searches through the REST API. You can perform searches based on keywords, tags, or both, and you can limit and filter results with parameters similar to when you perform a regular search on the site (e.g. to specific containers, returning only results over a set number of comments, or searching within clubs).
Several REST API endpoints are now permission-aware when combined with the OAuth functionality built into Invision Community 4.3. This means that many REST API endpoints can be called using a specific user's access token, and only results that the specific user would normally be able to see will be returned (and/or they will only be able to submit to areas they normally have permission to).
Ability to search members
While an endpoint has always been available to retrieve (and add/edit/delete) members, the ability to search for members has now been implemented. You can search by name, email address, and (one or more) group(s), and a paginated response will be returned.
You can now start a new private conversation, reply to an existing private conversation, and delete a private conversation through the REST API.
Other REST API changes
You can now specify a member's secondary groups when adding or updating a member through the REST API.
You can specify the member's registration IP address through the REST API when adding or updating a member.
You can now specify other member properties not directly exposed through the REST API when adding or updating a member by setting the rawProperties input field.
You can now specify other member properties to retrieve through the REST API through the otherFields request parameter.
The REST API now better logs changes to member accounts (so you will be able to more easily identify how a user's name, email address, password, etc. has changed when looking at the member history).
You can now retrieve all content a member is following through the REST API, as well as follow a new container/content item, and delete an existing follow.
You can now validate an account through the REST API.
You can now specify a 'perPage' parameter for paginated responses to control how many items are returned per page.
Most of these changes were directly culled from client feedback and implemented per specific requests. If there are other REST API changes you would like to see implemented please don't hesitate to leave your feedback!
Entry by Matt: New: Promoting Content
There are many strategies for growing your community, such as newsletters, mailing lists and advertising on other sites.
IPS Community Suite 4.2 puts a new tool at your disposal: promotions.
There’s no denying the popularity of social media. Worldwide, Facebook has 1.86 billion users active monthly. Every day, millions of people are using Facebook to speak with friends, to talk about their interests and to find new people to connect with.
Of that 1.86 billion people, a good portion of those are actively discussing topics your forum covers. There is a huge opportunity to tap into social media to join in the discussion and to promote your community and provide a venue to carry on the discussion.
For a while, we’ve had social media log in extensions, which means that your users can sign into your community simply by clicking a relevant button. We’ve also had the ability to share things to a personal Facebook account. These tools are great for your users, but how do they help you, forum owner?
IPS Community Suite 4.2 introduces a way to promote your content directly to your brand’s Facebook page and your brand’s Twitter account.
You can curate fun and engaging topics and share them. The workflow is simple. Simply browse your community and queue up interesting topics, comments, gallery items, blog posts or database articles for posting throughout the day to your brand’s social media accounts. You choose the schedule, the hashtags and the wording to send.
Let’s look at the feature set in more detail.
Your first stop is to set up the feature from the admin panel. The system will guide you through the necessary steps of connecting your Facebook and Twitter accounts. Once Facebook has been set up, you can select any page that you are an administrator of on Facebook.
The admin panel also offers scheduling options and permissions.
You can pre-set the times for when content will be posted. Facebook and Twitter both have analytic tools to determine when your visitors are most frequently online. A good tip here is to set the time to a slightly odd number, so 11:45am is better than 12:00pm as you are likely to catch the attention of someone waiting for lunch, or a lunchtime meeting.
You have full control over who can promote items to your social media accounts. You can specify by group or pick individual members who may not be in those groups.
Now that you’ve set up the backend, we can get promoting.
Each item (a topic, gallery album, blog entry or article) has its own Promote button.
Each post and comment can also be shared individually, which is an easy way to share great content your visitors add to existing conversations.
Clicking this brings up the sharer.
This is where you can customize the text that is sent out to each social media channel. You'll also notice space to promote this item within your own community in addition to (or instead of) Facebook or Twitter; we will explore that shortly.
The sharer is smart enough to pull attachments already added in the post, and you can upload your own images to be sent. Generally, shared items that have an image get better organic reach than just text alone so you’ll almost always want to choose or add an image. Twitter can use up to 4 images, and Facebook allows 1000 pictures per album, but you’ll never want to upload that many!
Once you’ve filled out your content and picked your images, you can schedule the promotion. Generally, you’ll want to use the auto schedule option as this allows you to just stack up multiple items and let the auto scheduler post the items according to your pre-set schedule. You can also set a specific date and time if you are looking to run a promotion or other time sensitive event.
The promoted content viewed in Facebook and Twitter
It’s easy to see the status of your queued and sent items from the moderator view.
This area allows you to see previous promotions and modify pending promotions.
Earlier, we mentioned that the system has the ability to promote content internally. Promoting items to your own community lets you, the community manager, curate interesting items and comments and present this to your community. This is a great way to allow your visitors to explore content you think they’d enjoy.
Promoting content to your community via Our Picks also allows you to promote content if you cannot or choose not to use social networks. It has an advantage that social networks do not have over a community platform like IPS Community Suite: consistency. The content on your community is always there, whereas a social network is all about right here, right now. Miss it and you miss out. On your community you can engage and re-engage a subject all you want.
Of course, we’ve built a widget that you can drag and drop to most pages to make this curated list more visible.
IPS Community Suite 4.2 gives you, the site owner and community manager, the tools you need to reach out and engage new users already discussing on social media the topics your community covers. With single click sign in and the built in retention functionality the suite offers, you'll have a powerful way of growing your user base. It furthers that goal by creating a list of that promoted content for continual reference and promotion to visitors already on your site.
We’ve got lots more to discuss on this subject, and in the coming months we’ll be putting together some guides on social media best practices and how to leverage Facebook’s excellent post promotion / pay per click tools to further boost your site’s visibility to social media users.
We’re here to help you make a success of your community and to give social media users a venue for when they outgrow Facebook.
Entry by Rikki: New: Reactions
This entry is about our IPS Community Suite 4.2 release.
IPS Community Suite has long had a reputation system; first we had a simple up/down system, later updated to introduce a Likes system as an alternative. Whichever system you chose to use, it tied in with our reputation system.
We're pleased to introduce the latest updates to the reputation system, and it's something that has been requested for quite some time: Reactions.
Quite simply, reactions allow users to offer more fine-grained sentiments towards content than a simple up/down or 'like'. They are now in common usage on social networks, and so users expect to be able to be more nuanced in their response to something they see.
Let's see how they work in a post, and then cover the options you'll have available.
What you see above is the default setup for a site that has used the Like system in version 4.1. We include 5 reactions by default:
Like, Thanks, Confused, Sad, Haha
If you currently use the older style up/down reputation system, don't fret - you'll still get the new reactions on upgrade, but they'll be disabled by default and instead the new reaction UI will show up/down reactions. This gives you the flexibility to decide which of the new reactions, if any, you want to allow.
So, those are the basics - but what configuration options can you expect to see? First, you can of course add your own reactions! We expect that beyond the default reactions you'd expect to find, some sites will want reaction types specific to their use-case. On an intranet, you might want to have 'agree' and 'disagree' reactions for staff to use when responding to discussions. On a gaming community, you might replace the icons to be some graphic from a video game that means something to your particular userbase. There's a wealth of possibilities.
Each reaction you set up can be configured to adjust the original author's reputation count - a reaction can be positive (i.e. award a reputation point), negative (i.e. subtract a reputation point), or neutral (i.e. leave the reputation count unchanged). Our default set won't include any negative reactions, but you are free to configure these and new reactions to suit your own use-case. A user's total reputation count is still shown alongside their content and in their profile, of course.
If you don't want to use the new reactions for whatever reason, you can disable all of them except Like, and it'll behave just like the 4.1-and-earlier system:
Sites that currently use the up/down system don't show a list of names of users, and instead show an overall reputation score for the content. With the new reaction system, you can enable this even if you don't use up/down reactions. This is great if you plan to use reactions as, for example, an agree/disagree system, or where the content score is more important to your site than the individual reaction types.
How the reaction UI looks with the 'count only' setting enabled
As you'd expect, you can click individual reaction counts (or the overall reputation score, if you enable that setting) to view who reacted to the content. This remains a permission setting that you can apply per-group.
On touch devices, on-hover functionality is not suitable, and so for these devices the reactions UI looks like this:
Reactions play well with all areas of the suite, including Recommended Replies:
...and activity streams...
...and a couple of places we aren't quite ready to reveal yet
We hope you're looking forward to this new feature as much as we are. It's already been a hit on our internal testing site, and we're looking forward to seeing how clients customize it for use on their own community.
Developer note: Reactions are one of two new features (the other currently unannounced) so far that make use of PHP Traits.
Entry by Mark: New: Device Management
This entry is about our IPS Community Suite 4.2 release.
In one of our more technically-oriented features for 4.2, we have added more detailed logs of user logins, and the devices and IP addresses used. This brings several new features:
Notification of a new device sign in
If enabled, users can receive an email notification when a new device is used to log into their account:
Email sent when a login from a new device is detected
When a user signs in for the first time, a special key is set to recognise the browser on subsequent logins. This means the notification email does not trigger on a new IP address, which would be annoying when travelling or if using a network where the IP address changes regularly. Instead, the notification is only triggered if someone signs into your account from a new physical device or web browser.
UserCP Device Management
If enabled, a new page will show in the user's settings page listing all the devices which have been used to log into their account within the last 90 days (which is recent enough that they could still be logged in if "Remember Me" was checked).
Recently Used Devices
Users can see the device, browser, physical location (obtained by a GeoIP lookup) and if applicable, how the login was processed (for example, if the sign in was with Facebook or Twitter, this will show). If they chose "Remember Me" when logging in, they can undo that (handy if you realise you accidentally left yourself signed in on a public computer).
If they see anything they don't recognise, a page to walk them through the necessary steps to re-secure their account is available.
Secure Account Information
New Two-Factor Authentication Setting
"Logging into the front-end" is one of the options of when to prompt for Two Factor Authentication. In 4.2, this has been separated into two distinct settings:
Logging into the front-end from a new device
Logging into the front-end from a known device
If you enable the former but not the latter, and the user has previously logged-in devices, the system will automatically show an explanation to users alongside the other available recovery options. This can be useful especially if you do not want to offer other recovery options.
AdminCP Device Management
In the AdminCP, administrators can see all the devices and IPs a member has used. They can also disable automatic login for any device.
Edit member page shows most recently used device and IP address
Viewing a device's details
The system can also detect if another user is using the same device and will show this in the list of devices.
Users sharing the same device
Entry by Charles: New Embed Options
We have updated a few of our embed options in version 4.1.9. Our goal was to make the embeds more user friendly and give admins more control over embeds in general.
When you paste in a link from common services like YouTube, Twitter, and so on the system tries to embed a nice box instead of just a link. For example, if I pasted in this link:
https://twitter.com/invisionps/status/708019275521363968
It would create this box:
New in version 4.1.9 you can now optionally choose to revert the automatic embed back to a simple text link.
So in the above example, when I pasted in my Twitter link, I saw a bar come up giving me the option to revert back to a link. This is useful when you do not want a formatted embed box but instead simply want to reference something and get the visitor to click the link. It is also useful when you want to reference something as part of a single sentence and not have a break in the flow that an embedded content box creates.
There is also a new AdminCP setting to completely disable embeds across your entire Suite. Some clients have communities where they like to keep things down to just simple, plain text. You could always disable the formatting option buttons in the editor, and now you can also disable automated embeds.
As a reminder, the following formats are supported with our embed system. Simply paste a link to any of these services and you will get a nice, rich embed experience that really encourages engagement on your community.
College Humor, Facebook, Flickr, Gfycat, Google+, Hulu, Instagram, SoundCloud, Spotify, Ted, Twitter, Vimeo, Vine, YouTube
You can also embed links to anything inside of the IPS Community Suite. So you could paste a link to another forum topic in the comment on a Gallery image and it will show a preview of that topic rather than a simple link.
We are always open to suggestions so feel free to post in our feedback forum. Thank you!