Vbulletin Forums easily hacked?

Discussion in 'vBulletin Discussions' started by Superboy, Jul 16, 2012.

  1. Superboy

    Superboy Most Likely, I'm Insane.

    I recently joined the VB crew as an owner not too long ago. I actually joined because of the negative feedback I always hear about Vb and I was curious to see "what was so bad about it?"

    Aside from that atrocious Admin panel....I like the software.

    As I get ready to launch my VB 4.2 forum in Mid-August, I am a bit worried. I've been reading on various forums I am a member of that VB forums are easily hacked and/or closing down temporarily.

    At first it was silly warez forums so of course that was a bit of a laugh to me and others....

    But these are some forums I have heard about
    having faced some type of hacking or potential hacking.....

    1. Android Forums
    http://androidforums.com/site-updat...rtant-notice-security-breach.html#post4645422

    2. Blackhat
    http://www.blackhatworld.com/blackh...-recent-bhw-member-passwords-compromised.html

    3. Nvidia
    http://www.nvidia.com/content/forums/index.html

    So it does get me wondering are VB forums the premium version of Phpbb aka are they more susceptible to hacking attempts vs XF or IPB?
     
  2. cpvr

    cpvr Regular Member

    @Forever Young I beg to differ. Those getting hacked are those forums that aren't keeping their forums up-to-date. If they're not using the license updates, nor updating certain scripts when exploits are out, then of course, they'll get hacked. I think @Brandon @Dan Hutter @digitalpoint can also touch base on this.
     
  3. Dan Hutter

    Dan Hutter aka Big Dan

    I don't think vB is any more susceptible than any other software. Knock on wood, my vB boards have never been hacked. For a while in the last couple of years there would be a release then a security patch or two within a couple weeks. At least you know vB is working to patch issues as they arise.

    General rules apply to vB as they do any other software:

    1. Keep the software up to date.
    2. Use secure passwords (admin account and database).
    3. Don't log in from open Wifi networks.
    4. Only use add-ons that are either widely used or have code that you can read and understand exactly what it's doing.
    5. Make sure your file permissions are correct.
     
  4. Superboy

    Superboy Most Likely, I'm Insane.

    I am guilty of not doing number 2...My admin password is WAY too easy.
     
  5. Dan Hutter

    Dan Hutter aka Big Dan

    www.lastpass.com <---- Awesome service that's what I use. One master password unlocks everything. It's completely free for desktop/laptop use but for a pittance ($12/yr) you can get access on your mobile phone too.

    In the meantime go generate yourself a secure password: http://www.pctools.com/guides/password/
     
  6. Superboy

    Superboy Most Likely, I'm Insane.

    I am afraid that I'll forget the password.....I know it is bad but I literally use the same password for ALMOST everything with a slight variation.
     
  7. Dan Hutter

    Dan Hutter aka Big Dan

    Not good, that means whenever a site gets hacked you have to go around changing all your passwords. I used to use the same password for almost everything (except important stuff) until Life Hacker was hacked a couple years ago and I had to go around changing 50 bazillion passwords. Not fun. Now if a site is hacked I just go there and generate a new password with Lastpass.

    Even if you write down your Lastpass password and stick it in your wallet it's still a whole lot more secure than having the same password for everything.
     
  8. Superboy

    Superboy Most Likely, I'm Insane.

    I lose my wallet from time to time :D I am a careless soul. I'd lose my head if it wasn't attached to my body :D

    But I am going to use the site you told me and at least get a good password for my forums. I don't care so much about the password here or on other forums but I should protect myself better than I do on my own website :P

    Off-topic: Did you ever decide whether you were going to switch softwares?
     
  9. Dan Hutter

    Dan Hutter aka Big Dan

    Good deal on the password. :)

    Yup, I'm planning on moving back to vBulletin whenever I find someone to lend me an IPB license or can come up with the extra money for an IPB license. I really don't want to drop $175 on IPB that I'm likely never to use. Maybe it will be a good thing as I'll get experience with another platform.
     
  10. digitalpoint

    digitalpoint Regular Member

    It's not any more susceptible to hacking than other commercial software. Once in a while a security exploit is discovered, and it's quickly patched. But like others have said, just be smart... Don't use easy passwords, don't log in from other people's computers (who knows, maybe they have a keylogger on it that they don't know about), don't log in via wifi unless you are doing it through a VPN, don't allow your web server to be able to write files, password protect your admincp area with an extra HTTP AUTH password (or better yet only allow users from certain IPs into it).

    If you want to get fancy, you can build a two-factor authentication system. For XenForo, I actually built a two-factor authentication system that requires you to be in physical possession of your cell phone to log in (I also allow users to use the system as well to protect their own accounts).

     
    Brandon, Forever Young and Dan Hutter like this.
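
An added example, not part of the thread and not any poster's or vBulletin's own code: a shell audit for two of the points made above, files the web server can write to (Dan Hutter's rule 5 and digitalpoint's advice) and an admin folder with no extra HTTP auth or IP restriction. The function names, the `admincp` default and the sample tree are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the sample tree are
# assumptions made for illustration.

# Files and directories that every local account (the web server's included)
# can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Succeeds only if DIR/.htaccess asks for a password or restricts by IP.
# Covers Apache 2.2 (Allow from) and 2.4 (Require ip / Require valid-user).
admin_protected() {
    [ -f "$1/.htaccess" ] && grep -Eiq \
        '^[[:space:]]*(AuthType|Require[[:space:]]+(ip|valid-user)|Allow[[:space:]]+from)' \
        "$1/.htaccess"
}

# $1 = forum docroot, $2 = admin folder name ("admincp" unless it was renamed).
# Prints one finding per line; returns 0 only when there are none.
audit_forum() {
    root=$1 admin=${2:-admincp} findings=0
    ww=$(world_writable "$root")
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
        findings=1
    fi
    if [ -d "$root/$admin" ] && ! admin_protected "$root/$admin"; then
        echo "NO-HTACCESS-GATE: $root/$admin"
        findings=1
    fi
    return "$findings"
}

# Constructed sample tree so the script runs offline: one 0777 upload
# directory and an admin folder without an .htaccess file.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/admincp" "$t/uploads" "$t/includes"
    : > "$t/includes/config.php"
    chmod 755 "$t" "$t/admincp" "$t/includes"
    chmod 644 "$t/includes/config.php"
    chmod 777 "$t/uploads"
    echo "$t"
}

if [ "$#" -gt 0 ]; then audit_forum "$@"; else audit_forum "$(make_sample_tree)" || true; fi
```

The `.htaccess` check only confirms the directives are present; whether Apache honours them depends on the server's `AllowOverride` setting, so confirm with an unauthenticated request from outside.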
  11. CM30

    CM30 Regular Member

    I think the big issue with all the sites given is a mixture of using outdated versions of vBulletin and possibly some poorly coded modifications. Really, look at the versions they're all using. Many are still using vBulletin 3.8 or whatever, and many of them are using a significant amount of major add ons from sites like vBulletin.org. With those things kept in mind, of course their forums would be more likely to be hacked.

    In fact, this is kind of a problem with large forums in general. Why? Well due to all their code modifications and the size of the database they can't upgrade their software at a whim to fix any security issues. So as a result, they're often a sitting duck due to how long it takes them to upgrade, and it's not that likely most of their tech staff have figured out how to code their own patches for the outdated software they're running.
     
  12. Superboy

    Superboy Most Likely, I'm Insane.

    Can't you also rename your admin/mod folders so they are not the default folder names in VB?
     
  13. CM30

    CM30 Regular Member

    ^Yes you can. They suggest doing that to increase security, along with using .htaccess to add another layer of password protection to the admin cp folder.
     
  14. benjaminp

    benjaminp Regular Member

    @digitalpoint

    That's a nice system. I use the two step verification on my Google account already, but like the idea of it being integrated with forums I use.

    Out of interest, what happens if the user loses their phone? Do you offer backup codes like Google do?
     
  15. digitalpoint

    digitalpoint Regular Member

    Right now, in order to utilize the two-step verification, the user has to have their account linked to at least 1 third party account (the system allows them to link to Facebook, Twitter, PayPal, Google Analytics, Google AdSense or Google Plus). Basically to be able to use that as a method to verify the account ownership should they lose their two-factor device.

    Depending on how popular it becomes and how prevalent it is that people lose their device, I'll add the one-time use passwords and phone numbers as a backup. But right now it doesn't have that.
     
    benjaminp likes this.
  16. Iconic

    Iconic The Original

    Yes you can, I have done it. All you need to do is rename them and in the config.php file change the folder name of the admin and mod cp.
     
  17. Carlos

    Carlos Regular Member

    Actually @cpvr, these hacked sites are for the most part, nulled. So, what the OP is saying, is that if vB is hackable on a nulled site, that says a lot about how secure vBulletin is now.

    The damage is astronomical, that iB has a lot on their plate. And I think vB5 is good as dead at launch. Mark my words.

    Why? Because a nulled software is already a hacked software; if a hacker is able to hack a nulled software, then the real meat of the software, as in the software that's being sold to customers is far more vulnerable than it has been in the past..

    To reiterate: If iB does not fix this right away, vB5 is dead on arrival.

    I expect widespread hackings of vB3/vB4 if iB lets this fester into oblivion.
     
    cpvr likes this.
  18. Superboy

    Superboy Most Likely, I'm Insane.

    Carlos, I linked two forums that I am almost positive since they are tied into big companies or projects are NOT nulled (Androidforums and Nvidia.....Especially Nvidia)
    Blackhatworld I can't be sure about.

    What I was saying was it started with hearing about VB hackings which started on warez sites or the likes and now it is spreading to seemingly legit sites.

    I heard about it here as well
    http://xenforo.com/community/threads/vbulletin-pirate-sites-hit-by-hackers.33714/

    While I won't say VB5 is dead on launch....I still think it already will have a leg up on XF 1.3 or whatever is out then....IB really should look into it as on other forums, they are already equating the hacking attack to the quality of VB
     
  19. Carlos

    Carlos Regular Member

    See, you further prove my assessment. Because I also saw this thread...
    As I've said.
     
  20. eva2000

    eva2000 Regular Member

    FYI, Nvidia forums uses IPB and not vBulletin if it hasn't already been mentioned and Android forums was compromised from server level not software http://androidforums.com/site-updates-announcements/580371-important-notice-security-breach.html

    And as folks already mentioned there's many reasons for hacked/insecure forums regardless of software used

    1. not keeping software up to date
    2. compromised email accounts linked to admin user of the forums
    3. 3rd party plugin addon vulnerabilities
    4. as mentioned by Shawn, insecure wifi access
     
    Iconic and Dan Hutter like this.
