Easy Security Tips for vBSEO customers

Its a good article. Thanks for sharing your thoughts with us.

thanks you,security completed

On my shared server when I went to lock my config.xml I had to use chmod 444 since I am on a shared apache server, 644 would not work, I could still open it and edit it.

Here is the response from my webhost:

Thank you for contacting us with regards to this matter. I would like to point out that all our servers use suPHP which restricts permissions to the account only and to the username associated with your account. Therefore any file uploaded by a different username would not affect your account. The standard permissions on all our servers are 644 for files and 755 for directories because both files and directories need to be writable using your username as all scripts actually run processes under your username and thus they need serverside write permissions. Having the files chmod'd to 444 is not an issue and indeed it tightens the security, but unfortunately we are actually talking about a shared hosting account where each user needs to identify itself with both Apache and the filesystem and thus changing the ownership is not possible as all your files will become unusable due to the suPHP limitations placed on accounts for security concerns. Please note that there is a huge difference between shared and dedicated hosting plans with regards to user management and ownership.

So in attempting to lock down my writable folders, I have a few questions:

I am a dummy at this so pardon the lack of knowledge, here is what I see when using Cpanel on my server for my folders:

cpstyles 755
custom avatars 777
custom group icons 755

Should I go through all of the folders on my server and the ONLY the ones that show 777 add the following code in a .htaccess file to that folder, is that correct?

Code:

<Files ~ "\.(php\d*|cgi|pl|phtml)$">
   order allow,deny
   deny from all
</Files>

Also this may be a stupid question but are the 755 folders safe as well since I am on the shared apache servers the webhost mentions?

nm, figured out I only had 3 folders in my vb installation that were 777:


Customavatars
Customprofilepics
Signaturepics

added .htaccess to those

Hi Brian Cummiskey and thank you for your in-depth tips on securing vBSEO on forums which even I can follow.

In view the recent exploit causing problems in many vBulletin forums using vBSEO I was just about to ask the question "Is it possible to protect the vBSEO folder with .htaccess and it seem these questions and more have already been answered.

Mert ought to make your post a sticky.