It's always worth ensuring you cover the basics when doing a security review, and this includes:
- Ensuring you are using the very latest version of Invision Community. We have a bug bounty program running where people can test the security of our platform and report weaknesses; this has led to several improvements over the years. Likewise, we also receive reports from security professionals who let us know about potential vulnerabilities, and these are fixed and new versions released in a very timely manner. We do tag releases with a security notice when applicable in our release notes. This is also communicated to your AdminCP.
- Consider multi-factor authentication. If you have signed up for an online service, the chances are your email/username and password have been leaked. You can check with "Have I been pwned". Using multi-factor authentication means that even if someone had your username and password from another service and you re-use the same password across multiple platforms, they still could not log in. I recommend that everyone does this for those with AdminCP access.
- Always use a unique password for each site you sign up to. Use a password manager (built into iOS, or tools like 1Password) to keep track of them. Consider changing your password every few months.
- Review those with AdminCP access and do not grant it lightly. If you can log into the AdminCP and edit themes and languages, you can add code that can execute any PHP command. It is largely why the AdminCP code has different session management, a different login form and a different URL. It is a very powerful tool.
- Review your logs regularly, especially the admin login logs and actions, to ensure there is nothing remiss inside.