Ryan Boyd

Members
  • Posts: 181

Reputation Activity

  1. Like
    Ryan Boyd reacted to Charles for a blog entry, Coming Soon in 4.1.17   
    Version 4.1.17 is in the final stages of development and will be released soon!
    Check out the release notes for the full list of what's new and our preview articles for details on some of the most interesting changes:
      • Better Analytics Integration
      • Tag Quick Edit
      • Default Warning Notes
      • Custom RSS Feeds
      • Word and Link Filters
      • Leaderboard
      • Moderation Improvements
      • Security and Privacy
      • Embeds and Integration
    We hope you enjoy all these new additions coming in 4.1.17 and be sure to read the release notes for many smaller changes. The big feature in 4.1.17 is the new Leaderboard which we really think will enhance your community.
    If you like using pre-release beta versions, the public beta of 4.1.17 will be available in the client area on 28 November. We support betas on live installs with some exceptions so give it a try if you like to be first to try the new features!
  2. Like
    Ryan Boyd reacted to Rikki for a blog entry, Introducing our new Developers area   
    I'm pleased to announce we're finally ready to open our new Developers area. The aim of this project has been to improve our existing developer documentation by building a central place to contain it, as well as update and expand the content available.
    As of today, we have the regular documentation and REST API documentation ready to use. Over the coming weeks and months, we'll be expanding what's available further, going into more detail about the tools available within the framework. We've also started work on comprehensive Getting Started guides, that will walk you through simple developer projects from start to finish - these will be available soon, once they're complete.
    If there's a particular aspect of IPS4 development that you don't feel is adequately catered for right now, please let us know! This will help us direct our efforts to the most useful places.
    Enjoy!
  3. Like
    Ryan Boyd reacted to Rikki for a blog entry, 7 ways to secure your community   
    Security should never be an afterthought for your community. All too often, site owners consider beefing up their security only when it's too late and their community has already been compromised. Taking some time now to check and improve the security of your community and server could pay dividends by eliminating the cost and hassle of falling victim to hacking in the first place.
    Let's run down 7 ways that you can protect your community with the IPS Community Suite, from security features you may not know about to best practices all communities should be following.
     
    1. Be selective when adding administrators
    Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Granting access to the AdminCP is like handing someone the keys to your house, so before doing so, be sure you really trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?).
    Don't forget to remove administrator access promptly when necessary too, such as when a member of staff leaves your organization. Always be aware of exactly who has administrator access at any given time, and review the list regularly. You can list all accounts that have AdminCP access by clicking the List Administrators button on the System -> Security page.
    2. Utilize Admin Restrictions
    In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth. IPS4 allows you to limit administrator access to very specific areas of the AdminCP with the Admin Restrictions feature, and even limit what can be done within those areas. This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future.
    3. Choose good passwords
    This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are simply too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential.
    We recommend using a password manager application such as 1password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them.
    Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites too.
    4. Stay up to date
    It's a fact of software development that from time to time new security issues are reported and promptly fixed. But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community.
    When we release new updates - especially if they're marked as a security release in our release notes - be sure to update as promptly as you can so you receive the latest fixes. Your AdminCP will also let you know when a new version is ready for download.
    5. Use .htaccess protection for your AdminCP
    In addition to IPS4's own AdminCP login page, you can set up browser-level authentication, giving you a double layer of protection. This is done via a special .htaccess file which instructs the server to prompt for authentication before access to the page is granted. IPS4 can automatically generate this file for you - simply go to System -> Security in your AdminCP, and enable the "Add a secondary admin password" rule.
    And it should go without saying, but to be clear: don't use the same username or password for both your .htaccess login and your admin account, or the measure is redundant!
    6. Restrict your AdminCP to an IP range where possible
    If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist. This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment. If you're a Community in the Cloud customer, contact our support team if you'd like to set up this protection for your account.
    7. Properly secure your PHP installation
    Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We therefore recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs:
        disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system
    Another critical PHP configuration setting you need to check is that open_basedir is enabled, especially if you're hosted on a server that also hosts other websites (known as shared hosting). If another account on the server is compromised and open_basedir is disabled, the attacker can potentially gain access to your files too.
    Naturally, Community in the Cloud customers needn't worry about either of these steps - we've already handled it for you!
     
    So there we go - a brief overview of 7 common-sense ways you can better protect your community and its users. As software developers, we're constantly working to improve the behind-the-scenes security of our software, but as an administrator, there are also a number of steps you should take to keep your community safe on the web.
    If you have any tips related to security, be sure to share them in the comments!
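
A check for tip 7 above, as an added example that is not part of the original post or of IPS's own code: it audits php.ini text against the post's recommended disable_functions list and confirms open_basedir is set. The function names and the sample ini text are constructed for this illustration.

```python
# Added example: audit php.ini text against the recommendations in tip 7.
RECOMMENDED = set(
    "escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,"
    "pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,"
    "proc_terminate,show_source,shell_exec,symlink,system".split(",")
)

def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not an assignment
        key, value = line.split("=", 1)
        value = value.strip().strip('"')
        if value.lower() == "none":  # php.ini keyword for an empty string
            value = ""
        settings[key.strip()] = value
    return settings

def audit(text):
    """Report recommended functions left enabled and whether open_basedir is set."""
    s = parse_ini(text)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    return {"missing": sorted(RECOMMENDED - disabled),
            "open_basedir_set": bool(s.get("open_basedir", ""))}

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
; constructed sample
[PHP]
disable_functions = exec, passthru ,shell_exec,system  ; partial list
open_basedir =
disable_functions = exec,passthru,shell_exec,system,popen,proc_open
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

This reads the file text only; the values PHP is actually running with can differ from one php.ini file, so confirm them in phpinfo() or `php -i` output as well.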
  4. Like
    Ryan Boyd reacted to Charles for a blog entry, Coming soon in 4.1.10   
    We are wrapping up testing in preparation of version 4.1.10 release. This is a follow up to 4.1.9 which introduced a lot of great enhancements.
    Changes in 4.1.10 include:
      • Instant notifications are now dismissible.
      • The sidebar has been added back to the Activity Stream pages.
      • You can now sort by most downloaded in Downloads app.
      • The ModeratorCP and AdminCP IP Address Tools now allow you to track the IP addresses used to vote in polls.
      • A new setting has been added to disable the RSS feed for activity streams.
      • A new setting has been added to specify the minimum display name length.
      • Adds a new "can unban" moderator permission separate to the "can edit profiles" permission being used previously.
      • IP addresses now show in reports.
      • There is now a constant-level setting to disable the ACP IP address check in case of being locked out of the ACP.
      • Several improvements to Commerce to make some features clearer: the Shipping Rates configuration pages now indicate to the admin if a potential mistake has been made, the front-end indicates to admins if no support departments have been set up, and the renewal settings wording has been clarified.
      • And of course countless bugs fixed and performance enhancements.
    View our full release notes for more details.
    If you are an existing IPS client and enjoy testing pre-release software, a beta release of 4.1.10 is available. We always appreciate help testing upcoming releases.
    We are already well into development on 4.1.11 which includes some larger feature changes and additions.
  5. Like
    Ryan Boyd reacted to Rikki for a blog entry, Theme Tip: Use HTML logic to display content to specific groups   
    HTML Logic is our name for the additional tags available in IPS4's templates that allow runtime logic to be executed. It comprises if/then/else statements as well as loops and more.
    Since HTML Logic has access to all of the underlying PHP framework in IPS4, it's very powerful and a lot can be achieved with it. One common use is to limit certain content within a template to particular member groups. Let's see how that might be done.
     
    Showing or hiding content only to guests
    We'll first look at a simpler idea: showing or hiding content specifically to guests (i.e. anyone who isn't logged in). Within IPS4, the \IPS\Member::loggedIn() object contains information about the current user. Guests always have a member_id of NULL (i.e. no value), so we can simply check that value in our logic tag:
        {{if \IPS\Member::loggedIn()->member_id === NULL}}
            This content *only* shows to guests, since they have a NULL member_id.
        {{endif}}

        {{if \IPS\Member::loggedIn()->member_id}}
            This content *only* shows to logged-in users since their member_id is a number, which will equal true.
        {{endif}}

    Showing content only to specific groups
    Let's go a bit further and this time show content to specific (primary) member groups. First, you need to get the IDs for the group(s) you want to deal with. You can find this by editing the group in the AdminCP, and making a note of the id parameter in the URL. On my installation, the Administrator group is ID 4 so we'll use that in our example.
    Once again, we're using the \IPS\Member::loggedIn() object, but this time we're using the member_group_id property.
        {{if \IPS\Member::loggedIn()->member_group_id === 4}}
            This content only shows to members in the "Administrators" group (ID 4 in our example)
        {{endif}}

    Working with multiple groups at once
    Following the code above, you could simply repeat the check against \IPS\Member::loggedIn()->member_group_id several times, for each ID you want to allow. However, since our templates allow arbitrary PHP expressions to be used, there's a neater way: use an array of member group IDs you want to allow, and check against that using PHP's in_array function. Here's an example where we only show content to group IDs 2, 4 and 6:
        {{if in_array( \IPS\Member::loggedIn()->member_group_id, array( 2, 4, 6 ) )}}
            This content only shows to members in groups with the ID 2, 4 or 6.
        {{endif}}

    Have a request for a theme tip? Let us know in the comments and we'll try and help out in a future tip! 
  6. Like
    Ryan Boyd reacted to bfarber for a blog entry, IP.Board 3.4.9 Released   
    IP.Board 3.4.9 is now available in the client area
    This is a maintenance release to consolidate security updates released since 3.4.8, release additional security updates, and fix some minor bugs impacting many clients. We recommend you upgrade to ensure you have all security updates in place.
    You can download in the client area and upgrade as normal.
     
    We would like to thank newbie LAC for responsibly reporting a potential CSRF (cross-site request forgery) issue related to warnings resolved with the release of 3.4.9.
     
    Support Notes
    IPS will no longer provide upgrade services for self-hosted licenses on the 3.x series. You can do the upgrade yourself (it's very easy) but our support will only do upgrades for you to IPS Community Suite 4. If you are an IPS Cloud client we will still do the upgrades for you.
    IP.Board 3.4.x will reach "End of Support" status soon and we strongly encourage all clients to upgrade to the 4.x Community Suite.