Getting Started

This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide to site or vBulletin security. It is, however, a great place to get started.

General Guidelines

The first step in making sure that your site stays safe and secure is choosing good, strong passwords for everything that would allow someone to gain access to your site. These include account information for: AdminCP , FTP/SSH, MySQL, etc.

As an example: people using cPanel to manage their website should never use their cPanel login info to manage their vBulletin database. If someone was able to access your vBulletin configuration file, they would then have FTP/cPanel access to your site.

If you’re not sure how to create and manage good passwords, we would recommend looking into something like Keepass (

All of your site’s sensitive information should use a different username and password, to limit the scope of damage as much as possible.

If available, you should always use SSH/SFTP over regular FTP, as to not broadcast your cPanel info over the internet in clear text.

Protecting Sensitive Areas

Whether you’ve just finished installing vBulletin, or if you’ve been running it for forever, you should be restricting access to any potentially sensitive areas. This includes general access to the AdminCP and ModCP folders, as well as your install directory.
In general, your install directory shouldn’t remain on the webserver. If for some reason you need to keep it there, make sure the area is IP address or username/password protected with an “htaccess” file or “NT Auth” authorization. Many webhosts will have ways to enable Directory Protection from within their own control panels. If they do not, most webhosts will be happy to help you create these protections since it increases their own server security.
Your password protection for each directory should be unique and not shared with anything else you use for the site server. Both a custom username and password should be used.

Keeping the software up to date

The biggest thing you can do after protecting sensitive areas is to make sure you’re always running the latest version of the software. You should always be on the latest stable version for your product line, be it vBulletin 3.8.x, vBulletin 4.2.x, or vBulletin 5.0.x (at the time of writing). Running the latest stable version is always recommended, and will generally be the least likely to be exploited.

Third-party addons

There are a lot of great third party addons and modifications for vBulletin. However, before going to install them, you should review the code if you can to make sure nothing looks fishy. If you’re unable to, make sure you read though the author’s previous work and history to make sure that if they’ve had security issues they’re quick to patch them. You should always run the third party addon’s latest release to ensure that your site is safe.
Help, I’ve been hacked

If you’ve already been exploited, we would suggest taking a look at this guide on helping to clean up your site.