IPS Suite How to effectively secure the forum?

Haim

Registered
Hi. For me, the best way to secure the IPS Community Suite forum is:

1. Set access to the administration directory only for your IP address.

We create the .htaccess file in the admin folder; by default it is the "admin" folder (unless we changed its name).

In the .htaccess file we add:
Code:
order allow,deny
allow from YOUR IP
Replace "YOUR IP" with our IP address. From now on, only your IP address will have access to the directory. Attention. The method is effective only if we have a fixed IP address, otherwise we will have to update the IP address in the file with a new one every now and then.

2. Adding a password to the administration directory using the .htpasswd file. The web is full of guides on how to configure such a file. You can use the generator and quickly create such a file and then move it to a folder.

3. Changing the name of the directory to the ACP administration panel. IPS has a default name of the directory with the administration panel, it is "admin". In order to increase the level of security, it is recommended to change its name to another one.

Step 1. First, you need to rename the directory manually. Connect via FTP, find the root directory of the IPS Community Suite installation. Find the "admin" directory and rename it to something that is hard to guess but convenient and memorable for you.

Step 2. Create a file named "constants.php". Open it in a text editor and paste the following value:
Code:
<?php
define('CP_DIRECTORY','NewDirectoryName');
Replace "NewDirectoryName" with the name you chose when changing the folder in FTP earlier.

Save the file and send it to the same location as the conf_global.php file.

From now on, you will be logging in to the administration panel using the new name.
 

Haim

Registered
Hi. I will write some of my ways, although it is nothing new, it is worth taking care of them. If I remember anything, I'll add it.

- CloudFlare hookup
- Use of the latest version of PHP
- Changing the default directory name "admin" to another via constants.php,
- Securing access to the administration directory (e.g. via htpasswd)
- SSL certificate
- 2FA in (Cpanel or DirectAdmin) if possible
- Strong passwords
- Regular software update
- Changing file attributes (chmod) e.g. configuration files to 400 or 644.
- Disable directory listing by using (Options All -Indexes)
- The use of secure headers (Security headers) such as:

X-XSS-Protection
X-Frame-Options
Content-Security-Policy
Permissions-Policy
X-Content-Type-Options
- Disable header (X-Powered-By and ServerSignature)

- Disabling unnecessary functions on the PHP server:

expose_php = Off
display_errors = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
register_globals = Off
safe_mode = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions=show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
- Performing data backup (copies of files and database, many shared hostings do it for us)
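
Added example, not part of either post above: a small Python check that reads php.ini text and reports where it deviates from the PHP settings listed in the second post. It covers expose_php, display_errors, allow_url_fopen, allow_url_include and the disable_functions list; the magic_quotes_*, register_globals and safe_mode entries are left out because PHP removed those directives in 5.4. The function names and the sample file are constructed for illustration.

```python
# Expected values, taken from the list in the post above.
EXPECTED_OFF = ["expose_php", "display_errors", "allow_url_fopen", "allow_url_include"]
EXPECTED_DISABLED = {"show_source", "system", "shell_exec", "passthru",
                     "exec", "phpinfo", "popen", "proc_open"}
# Spellings that php.ini treats as a false/empty boolean value.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}


def parse_ini(text):
    """Return {directive: value}; the last assignment wins, as in php.ini."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ; comments
        if not line or line.startswith("[") or "=" not in line:
            continue                              # skip blanks and [sections]
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text):
    """Return a list of findings for directives that deviate from the list."""
    settings = parse_ini(text)
    findings = []
    for name in EXPECTED_OFF:
        if name not in settings:
            findings.append(f"{name}: not set, PHP default applies")
        elif settings[name].lower() not in OFF_VALUES:
            findings.append(f"{name}: is '{settings[name]}', expected Off")
    disabled = {f.strip().lower() for f in
                settings.get("disable_functions", "").split(",") if f.strip()}
    for func in sorted(EXPECTED_DISABLED - disabled):
        findings.append(f"disable_functions: missing {func}")
    return findings


# Constructed sample php.ini, not taken from a real server.
SAMPLE_INI = """
[PHP]
expose_php = Off
display_errors = On        ; left on from debugging
allow_url_fopen = Off
disable_functions = show_source, system, exec, phpinfo
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

On shared hosting the effective values can differ from the php.ini you edited, so the output of `php -i` or `ini_get()` on the server remains the authoritative check.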
 