Matt

Security should never be an afterthought. Don't wait until an attack has compromised your site before you take action. All too often, site owners consider increasing their security only when it's too late, and their community has already been compromised. Taking some time now to check and improve the security of your community and server will pay dividends. In this blog, we run down 8 ways that you can protect your community with Invision Community. We go through the security features you may not know about to best practices all communities should be following. 1. Set up Two Factor Authentication Invision Community supports Two Factor Authentication (2FA for short), and we highly recommend making use of this feature for your users, but especially for your administrative staff. 2FA is a system that requires both a user's password and a special code (displayed by a phone app) that changes every few seconds. The idea is simple: if a user's password is somehow compromised, a hacker still wouldn't be able to log in to the account without the current code number. You may already be familiar with 2FA from other services you use. Apple's iCloud, Facebook and Google all offer it, as do thousands of banks and other security-conscious businesses. Invision Community supports 2FA via the Google Authenticator app (available for iOS and Android) or the Authy service, which can send codes to users via text message or phone call. You can also fall back to security questions instead of codes. You can configure which members groups can use 2FA, as well as requiring certain groups to use it. Recommendation: Require any staff with access to the Admin Control Panel or moderation functions to use 2FA. This will ensure that no damage will occur should their account passwords be discovered. Allow members to use 2FA at their discretion. 2. Configure password requirements The password strength feature displays a strength meter to users as they type a new password. The meter shows them approximately how secure it is, as well as some tips for choosing a good password. While you can leave this feature as a simple recommendation for users, it's also possible to require them to choose a password that reaches a certain strength on the meter. Recommendation: Require users to choose at least a 'Strong' password. 3. Be selective when adding administrators Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Giving access to the AdminCP is like handing someone the keys to your house. Before doing so, be sure you trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?). Recommendation: Don't forget to remove administrator access promptly when necessary too, such as the member of staff leaving your organization. Always be aware of exactly who has administrator access at any given time, and review regularly. You can list all accounts that have Administrative access by clicking the Administrators button under staff on the Members tab. 4. Utilize Admin Restrictions In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth. Invision Community allows you to limit administrator access to particular areas of the AdminCP with the Admin Restrictions feature, and even limit what can is done within those areas. This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future. Recommendation: Review the restrictions your admins currently have. 5. Choose good passwords This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential. We recommend using a password manager application, such as 1password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them. Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites too. Recommendation: Reset your password regularly and ensure you do not use the same password elsewhere. 6. Stay up to date It's a fact of software development that from time to time, new security issues are reported and promptly fixed. But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community. When we release new updates - especially if they're marked as a security release in our release notes - be sure to update promptly. Invision Community allows you to update to the latest version via the AdminCP. You no longer need to download a thing! Recommendation: Update to the latest version whenever possible. Remember, with Invision Community's theme and hook systems, upgrades to minor point releases should be very straight forward. 7. Restrict your AdminCP to an IP range where possible If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist. This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment. Recommendation: Consider IP restriction as an additional security layer when you are not able or willing to use 2FA. 8. Properly secure your PHP installation Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We, therefore, recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs: disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system Another critical PHP configuration setting you need to check is that open_basedir is enabled. Especially if you're hosted on a server that also hosts other websites (known as shared hosting), if another account on the server is comprised and open_basedir is disabled, the attacker can potentially gain access to your files too. Naturally, Cloud customers needn't worry about this, we've already ensured our cloud infrastructure is impervious to this kind of attack. Recommendation: Review your PHP version and settings, or choose one of our cloud plans where we take care of this for you. So there we go - a brief overview of 8 common-sense ways you can better protect your community and its users. As software developers, we're constantly working to improve the behind-the-scenes security of our software. As an administrator, there's also a number of steps you should take to keep your community safe on the web. If you have any tips related to security, be sure to share them in the comments!