No announcement yet.

Thinking of purchasing, depends upon security

  • Filter
  • Time
  • Show
Clear All
new posts

  • Thinking of purchasing, depends upon security

    I am thinking of switching to vB. Our site was just brought down by someone hacking into the forum software we currently use, which is a free open source product. I know that they somehow gained access to the email system and were sending out spam. I do not know the details at this time, but it is the 2nd time.

    My question is basically what kind of techniques do you use in vB to stop the most common techniques of hacking a php, mySql, Linux forum? I realize that you may not want to go into too much detail and that is ok, but I need enough detail to make an informed decision.

    My second question is, also from a security standpoint, why is purchasing vB better than using an open source solution that is free?

    Thanks in advance for your response. I am looking to make a decision in the next few days.

    R J Staub

  • #2
    I can not answer your first Q , but i`ll will answer the 2nd
    vBulletin is the best in trying to fix the bug in securety things they always try to update the fix batech and upgrade there version and as you know the PHP scribt is open source and its maken by human so there is always another human who can fined a securety bug and try to use this issue for his needs


    • #3
      To ensure the security of your site, our developers work diligently to make sure that incoming data is sanitized and from approved sources. This is their number one concern.

      Some of the tools we you include:
      • Using to protect data is to use a double MD5 hashed password with a randomly generated salt to prevent dictionary or rainbow table attacks on a database.
      • A login strike's system that disables an IP addresses for a period of time after 5 wrong guesses.
      • Password expiration and History to force users to change their passwords regularly
      • Not transmitting plaintext passwords during login (requires javascript to be enabled in the user's browser)
      • The ability to log invalid attempts to log into the Admin Control Center.
      • Incoming data can be restricted to specific domains.
      • Data sanitization to specific variable types as needed
      • And more...

      If a vulnerability is discovered, it is forwarded to the developers and they investigate it as the highest priority. If it is a valid issue, then a fix is released as soon as possible, usually within 24 hours of discovery.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API


      • #4
        Thanks for the quick reply. It sounds like your response to new types of attacks is real good. One more question. You may have answered it with

        >>> "Incoming data can be restricted to specific domains."

        Because our forums have been hacked before, I want to split our site into two parts. Part one is to be hosted on one domain. Part two will be the actual forums and that will be hosted on another domain. Each part will be hosted using a different hosting company. If the forums are hacked again, it will not hurt our portal, as they will be strictly html with NO php scripts. We depend upon our sponsors to help us run our club and we do not want to lose their logo and information on our site.

        Anyway, the question is can vB on the 2nd site be setup that the incoming url's are restricted and must come from either the first domain or from within the 2nd domain. In other words, everyone must enter the site from the first domain to logon.

        Again, thanks for your quick response.

        So far, I think that you have an excellent product.

        R J Staub


        • #5
          I dont think that is supported by default vbulletin, you will need to use customizations from and im not sure if it would be that simple and really not needed for security either.
          Selling my BigBoard Threads: 193 502, Posts: 1 540 045, Members: 718 566 It is listed here


          • #6
            It only restricts POST content, not where the user comes from.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API


            • #7
              I would like to mention something, which you need to take into consideration.

              I use VB myself, as well as many, many other OSS & Commercial website scripts.

              Just because something is Open Source, doesn't mean it's gonna get hacked, and just because something has a price tag doesn't mean it's hacker proof. This is a misconception which most people seem to carry with them when they go shopping for software & scripts.

              We have had a VB site hacked before, as well as SMF & phpBB. They all have / had security issues, and were fixed by the relevant developers.

              Keeping your server (especially shared servers) safe is of uttermost importance. If your webservert isn't safe, then any script can, and probably will be hacked. Bear this in mind!
              SA WebHosting Talk - Running on vBulletin 3.6.0


              • #8
                vbulletin has an excellent track record with security. Once your a customer, you can also post in the server configuration forum to see if there are any glaring holes in your server config that may open the door for explotations.
                Plan, Do, Check, Act!


                • #9
                  Don't take the advice of anyone here. All of our opinions are bias

                  Find 3rd party sites which discuss the differences between forum platforms. You'll get more rounded results.

                  (however, most of the debates I've seen do pretty much lead to vB being the best overall package [including security] which is why I got it )


                  widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.