Simon Woods

Security should never be an afterthought for your community. All too often, site owners consider beefing up their security only when it's too late and their community has already been compromised. Taking some time now to check and improve the security of your community and server could pay dividends by eliminating the cost and hassle of falling victim to hacking in the first place.
Let's run down 7 ways that you can protect your community with the IPS Community Suite, from security features you may not know about to best practices all communities should be following.
 
1. Be selective when adding administrators
Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Granting access to the AdminCP is like handing someone the keys to your house, so before doing so, be sure you really trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?).
Don't forget to remove administrator access promptly when necessary too, such as the member of staff leaving your organization. Always be aware of exactly who has administrator access at any given time, and review regularly. You can list all accounts that have AdminCP access by clicking the List Administrators button on the System -> Security page.
2. Utilize Admin Restrictions
In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth. IPS4 allows you to limit administrator access to very specific areas of the AdminCP with the Admin Restrictions feature, and even limit what can be done within those areas. This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future.
3. Choose good passwords
This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are simply too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential.
We recommend using a password manager application such as 1password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them.
Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for others sites too.
4. Stay up to date
It's a fact of software development that from time to time new security issues are reported and promptly fixed. But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community.
When we release new updates - especially if they're marked as a security release in our release notes - be sure to update as promptly as you can so you receive the latest fixes. Your AdminCP will also let you know when a new version is ready for download.
5. Use .htaccess protection for your AdminCP
In addition to IPS4's own AdminCP login page, you can set up browser-level authentication, giving you a double layer of protection. This is done via a special .htaccess file which instructs the server to prompt for authentication before access to the page is granted. IPS4 can automatically generate this file for you - simply go to System -> Security in your AdminCP, and enable the "Add a secondary admin password" rule.
And it should go without saying, but to be clear: don't use the same username or password for both your .htaccess login and your admin account, or the measure is redundant!
6. Restrict your AdminCP to an IP range where possible
If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist. This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment. If you're a Community in the Cloud customer, contact our support team if you'd like to set up this protection for your account.
7. Properly secure your PHP installation
Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We therefore recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs:
disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system Another critical PHP configuration setting you need to check is that open_basedir is enabled, especially if you're hosted on a server that also hosts other websites (known as shared hosting). If another account on the server is comprised and open_basedir is disabled, the attacker can potentially gain access to your files too.
Naturally, Community in the Cloud customers needn't worry about either of these steps - we've already handled it for you!
 
So there we go - a brief overview of 7 common-sense ways you can better protect your community and its users. As software developers, we're constantly working to improve the behind-the-scenes security of our software, but as an administrator, there's also a number of steps you should take to keep your community safe on the web.
If you have any tips related to security, be sure to share them in the comments!

When IPS4 encounters an error (be it a simple 404 Not Found or a more complex configuration issue), the user sees a standard built-in error page. That's fine in many cases, but did you know you can create your own error page using our Pages app?
This is a particularly good approach for communities that use Pages for their website too. If you have built a website theme, the standard error page may not fit with your visual style, so building your own error page allows you to improve it. You might want to show some helpful links to other parts of your website, for example.
 
Creating your error page
The first step is creating your error page in Pages. Note that for this page, you must create a manual page - the Page Builder tool can't be used in this case.
In order to show the error on your page, there's two special tags you should insert in the page content. When your page is shown in response to an error, Pages will swap out these tags for the relevant text. They are:
{error_code}
Replaced with the technical error code for this error. This code identifies the exact piece of code that triggered the error, and can be given to IPS support technicians to help diagnose problems. {error_message}
Replaced with a human-friendly description of the error that occurred.  
Configuring Pages to use the error page
Next, set Pages to display the error page. You do this in the Pages section; click the Advanced Settings button, and select your page from the list. Note that this will replace all error pages across the suite - not just errors triggered by Pages itself!
 
Have a request for a theme tip? Let us know in the comments and we'll try and help out in a future tip! 
 

We are wrapping up testing in preparation of version 4.1.10 release. This is a follow up to 4.1.9 which introduced a lot of great enhancements.
Changes in 4.1.10 include:
Instant notifications are now dismissible. The sidebar has been added back to the Activity Stream pages. You can now sort by most downloaded in Downloads app.  The ModeratorCP and AdminCP IP Address Tools now allow you to track the IP addresses used to vote in polls. A new setting has been added to disable the RSS feed for activity streams. A new setting has been added to specify the minimum display name length. Adds a new "can unban" moderator permission separate to the "can edit profiles" permission being used previously. IP addresses now show in reports. There is now a constant-level setting to disable the ACP IP address check in case of being locked out of the ACP. Several improvements to Commerce to make some features clearer: the Shipping Rates configuration pages now indicate to the admin if a potential mistake has been made, the front-end indicates to admins if no support departments have been set up, and the renewal settings wording has been clarified. And of course countless bugs fixed and performance enhancements. View our full release notes for more details.
If you are an existing IPS client and enjoy testing pre-release software, a beta release of 4.1.10 is available. We always appreciate help testing upcoming releases.
We are already well into development on 4.1.11 which include some larger feature changes and additions.

We have released version 4.1.9 with many bug fixes, performance improvements, and feature enhancements. Our thanks to the QA team and all our clients who participated in the beta release.
This is also a security release so please upgrade as soon as possible. All Suites will see the red alert banner show.
To be notified of updates as soon as they are available you can add an email address in your AdminCP under General Configuration.
 
New or Changed Features
When your link auto-embeds in a post such as with an image, YouTube video, Twitter link, etc. an option will now display to revert the embed back to a plain text link if you do not want the embed. New setting to disable embedding. Facebook/Twitter integration improvements If you are an administrator and encounter a system error, additional debug output will now display. Regular members will see the normal error message. Custom Fields for Support Requests in Commerce now show on the front-end. If an advertisement is set up with a main image, but not smaller images for tablets/mobiles, the ad would not show at all on tablets/mobiles. This has changed so the main image will display on all devices unless smaller images are provided. Topics scheduled to automatically lock or unlock will now reflect this in the topic listing and when viewing the topic. Placing a link to a Facebook status will embed when possible. When viewing a report, the container (for example, the forum) the content is from is displayed. Three character searches are now allowed in the Admin CP Live Search. The Account Settings page now uses vertical rather than horizontal tabs to prevent overflow. If Gravatar is enabled, and a user has not defined an profile photo, then their email address will be used to fetch from Gravatar unless explicitly set not to. Gfycat embeds now use their oEmbed endpoint rather than their JS API. Using Amazon CloudFront as https provider will now be recognized as valid secure connection. The member REST API endpoint will now return custom fields. The Developer Center for Plugins now shows the filename in the list of hooks, and when editing a hook, a breadcrumb includes a link back to the list. Inline notifications can now be dismissed Efficiency improvements to the search index You can now close a poll independently of the topic You may want to read a bit more on our embed improvements:
And Activity Stream improvements:
We are well into development on version 4.1.10 which will follow along soon. Keep an eye on our Release Notes for updates on what will be coming in that release.
If you have any issues please open a support ticket. You can also submit reports to our bug tracker. Thank you!

When you use custom templates for a Pages database, you'll often need custom CSS to go along with it to provide the styling. There's two main ways of doing this:
CSS files within Pages
Pages allows you to create CSS files, and then associate them with particular custom pages of your community (you create these in the AdminCP, under Pages > Templates > CSS). So simply create your CSS file, and associate it to the page that your database is displayed on.
The benefit of this method is it applies to all themes, so it's great if you want your database to look the same on all themes. Of course, this is also the drawback - you can't easily use it for per-theme customization.
Targeting the database classname in theme CSS
Alternatively, you can target the database classname in your normal theme CSS files. When a database is inserted into a page, IPS4 helpfully adds a classname to the body element, which makes it really simple to style that page in particular. If your database key is myDatabase, then the classname added to the body element would be cCmsDatabase_myDatabase. Use this in your selectors and you can style everything exactly how you need:
.cCmsDatabase_myDatabase .ipsButton_important { /* Style important buttons differently in this database, for example */ } Combine both methods!
Of course, you can use both approaches when it makes sense. Create a CSS file within Pages for the basic structural styling that will apply regardless of which theme the user uses, and then in each theme target the database classname to customize it for that particular theme - perfect for the colors, font family and so on.

Activity Streams were first introduced in version 4.1 and have been very well received by people who enjoy all the flexibility they create in filtering and sorting content in a community for easy discovery of what is being posted.
As with any new feature, we received a lot of feedback and have had time to take that in and make improvements to mature the Activity Streams with key changes in 4.1.9 being interface, performance, and bug fixes in the system.
One recurring theme we heard were people saying "the new Activity Streams cannot do..." when actually they could do it but the options were not obvious. We used to have the options in a large drop down box that users could edit and then save to update their Stream. This meant that options were not clearly visible and therefore people did not even know all the powerful settings available to them. So in 4.1.9 we have moved those options into a new dynamic filter bar.

With the new filter bar you see all your options available right there. We also changed the interface so Streams instantly update when you make a change. You no longer have to click save and update, wait for interface to collapse, and so on. Now your changes instantly update your Stream.
When you do change your Stream settings a save button appears prompting you to save your new selection. You can choose to save if you like the new options or not if it is just a temporary change you made. If you edit filters on a stream you do not own then it will prompt you to save your options as a new stream.
 
We hope you enjoy this more dynamic approach to Activity Streams.

Many of the regular visitors to our community won't have failed to notice the new look we launched last week. Now that the dust has settled, I thought it was a good time to explain why we've made the change.
Streamlined access to everything we offer
Ever since IPS was founded in 2002, our community has been distinct from our website. The community is also where we kept all kinds of resources, from guides to the Marketplace. For those customers who know us well and enjoy hanging out in our community (and we have many who have been with us since that day in 2002!), this is no problem. Unfortunately, the downside is many new and potential customers didn't see everything we have to offer: all the wonderful addons our contributors offer, additional support resources, plentiful advice from other community administrators, and more.
In addition, we've always used the default theme that our software ships with, but with our self-service demo system now being the primary way new customers get to try out our software, this has become less important.
So, we took the decision to move some parts of the community to the website for more exposure and easier discovery by new visitors. We made some tweaks to our navigation so that finding these areas is easier than before. And, of course, we've brought the website header over to the community, giving it a fresher look and more consistent navigation, wherever you happen to be on our website.
Of course, all of our website is built in IPS4, as you would expect. Whereas before our website existed on a separate installation, as part of the update we merged our community and website together. This means you can sign in from anywhere, see your notifications and so on.
This is just the first step we've taken on improving what we offer and how we offer it. We have many plans in progress. You may have seen the theme tip we posted this week, which is the first in a series of regular tips we'll be sharing to help you get the most out of the IPS Community Suite. We'll also be highlighting some of the incredible work our customers do, whether it's a unique use of our software, or something in our Marketplace that adds a great feature.
Stay tuned!

Several clients have asked how we placed the Twitter feed block on the sidebar of our News page. It's really quite easy and a great demo of how you can place custom HTML in our system. Here is how it was done:
Get the embed code from Twitter Create a custom HTML block in our Pages app Drag and drop that block into the sidebar That really is it! Here is a video walkthrough:
This is a basic example of a custom HTML block that you can use in so many different ways. You could create a "call to action" the only shows to Guests to get them to register. You might also create text that only displays to your staff with quick links to areas they need.
Here we demo dragging the block into the sidebar. You can also put blocks right in theme templates and use them in many more ways. That will be covered in future theme tips.

We have updated a few of our embed options in version 4.1.9. Our goal was to make the embeds more user friendly and give admins more control over embed in general.
When you paste in a link from common services like YouTube, Twitter, and so on the system tries to embed a nice box instead of just a link. For example, if I pasted in this link:
https://twitter.com/invisionps/status/708019275521363968 It would create this box:
New in version 4.1.9 you can now optionally choose to revert the automatic embed back to a simple text link.
So in the above example, when I pasted in my Twitter link, I saw a bar come up giving me the option to revert back to a link. This is useful when you do not want a formatted embed box but instead simply want to reference something and get the visitor to click the link. It is also useful when you want to reference something as part of a single sentence and not have a break in the flow that an embedded content box creates.
There is also a new AdminCP setting to completely disable embeds across your entire Suite. Some clients have communities where they like to keep things down to just simple, plain text. You could always disable formatting option button in the editor and now you can also disable automated embeds.
As a reminder, the following formats are supported with our embed system. Simply paste a link to any of these services and you will get a nice, rich embed experience that really encourages engagement on your community.
College Humor Facebook Flickr Gfycat Google+ Hulu Instagram SoundCloud Spotify Ted Twitter Vimeo Vine YouTube You can also embed links to anything inside of the IPS Community Suite. So you could paste a link to another forum topic in the comment on a Gallery image and it will show a preview of that topic rather than a simple link.
We are always open to suggestions so feel free to post in our feedback forum. Thank you!