Secure Your Administration Control Panel
phpBB's Administration Control Panel (or ACP for short) is the most vital part of managing your forum, so it is very important to keep it as secure as possible. In phpBB 2, any administrator level account can use the ACP to make sweeping changes in a forum. Many of the most exploited security issues found in the software allow outside attackers to create new administrator accounts and use them to delete users, forums, posts, and other content. phpBB 3 is not as vulnerable in this area, but the same potential exists if any new security issues should be discovered.
One of the best ways to protect against such attacks is to add an extra layer of password protection to the ACP. On Apache servers this is easily done with .htaccess and .htpasswd files. This method creates a secondary password that is stored outside of phpBB's normal architecture, so it is protected from most exploits that expose forum user accounts or passwords.
Find the Absolute Path
Before adding the new password files, you must first determine the absolute path of the location where the files will be stored. If you are using phpBB 3, enter the ACP. On either the General or System tab, click the "PHP Information" link in the menu to see details about your server. When using a phpBB 2 forum, you will need to add a new file to your forum's admin/ folder to view these details. Create a new file called phpinfo.php containing the following code, upload it, and open its URL in your browser. When you are finished with this tutorial, you can delete phpinfo.php if you wish.
<?php phpinfo(INFO_VARIABLES); ?>
Once you've accessed the list of PHP information, you will see a lot of miscellaneous details about your server. Search for a line labeled _SERVER["SCRIPT_FILENAME"]. The value on this line is the absolute path of the phpinfo.php file, which will look something like path/to/your/forum/admin/phpinfo.php; your exact path will differ. The part before the file name (path/to/your/forum/admin in this example) is the absolute path to the ACP. You'll need this path, without phpinfo.php on the end, in a moment, so make a note of it.
Create the Password Files
Now, you need to choose a username and password for the additional login. You should not use a username or password that you have used for anything else, including your forum account. Make the password at least seven characters long and a mix of letters and numbers to make it more difficult for attackers to guess.
Visit the Generate .htaccess Passwords utility to create the .htaccess and .htpasswd files that will store the information for the extra password layer. Fill in each field. Use the absolute path you noted earlier for the "Path to password file" option. Click Generate and follow the instructions regarding uploading the generated files on the next page.
Once these files are uploaded, the extra password layer will be in place. Access to your ACP will be restricted to people who know the new username and password.
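If you prefer to create the two files on the server yourself rather than with the web utility, the script below is an added example (not part of the original tutorial) that writes the .htaccess for the admin/ directory, creates the .htpasswd with Apache's htpasswd tool, and checks that the ACP now answers an unauthenticated request with 401. It assumes the absolute admin/ path found via phpinfo() is passed as the first argument, and that htpasswd and curl are installed on the server.

```shell
#!/bin/sh
# Added example: Basic-auth layer in front of phpBB's admin/ directory.
# Assumes: $1 is the absolute path to admin/ noted from SCRIPT_FILENAME,
# $2 is the new (separate) username; htpasswd and curl are available.

# make_acp_htaccess ABSOLUTE_ADMIN_DIR
# Writes ABSOLUTE_ADMIN_DIR/.htaccess. A relative path is refused because
# Apache resolves AuthUserFile on its own, not relative to the forum root,
# and a wrong path silently locks everyone out (or protects nothing).
make_acp_htaccess() {
  dir="$1"
  case "$dir" in
    /*) ;;
    *) echo "error: '$dir' is not an absolute path" >&2; return 1 ;;
  esac
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "phpBB Administration"
AuthUserFile $dir/.htpasswd
Require valid-user
EOF
}

# make_acp_htpasswd ABSOLUTE_ADMIN_DIR USERNAME
# -B stores a bcrypt hash instead of the weak default; -c creates the file.
# htpasswd prompts for the password, so it never lands in shell history.
make_acp_htpasswd() {
  htpasswd -B -c "$1/.htpasswd" "$2"
}

# check_acp_locked ACP_URL
# After upload, the ACP URL must return 401 without credentials; any other
# code means the directives are not being applied (e.g. AllowOverride off).
check_acp_locked() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  [ "$code" = "401" ]
}

# Usage: sh acp-lock.sh /path/to/your/forum/admin acpadmin
if [ "$#" -ge 2 ]; then
  make_acp_htaccess "$1" && make_acp_htpasswd "$1" "$2"
fi
```

Apache must have AllowOverride AuthConfig (or All) enabled for the forum directory, otherwise the .htaccess directives are ignored and check_acp_locked will report the ACP as still open.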
Don't Forget to Upgrade
The most important aspect of security when running any website is to always keep your software up to date. Security fixes and updates to the phpBB software are occasionally announced at major phpBB-related websites. This extra password protection can prevent some exploits from being used to damage your forum, but others exist that target areas not covered by this protection. Remember to always apply the vital security fixes as soon as possible, to protect your site against dangerous intrusions.
