mybb Security Tutorial

20+ tips ULTIMATE Guide you NEED to SECURE your MyBB Forum from Hackers

MyBB is a popular free bulletin board software and is used by thousands of community forums. Two main reasons of its popularity are because its free and can be very easily customized with plugins and themes. Forums are often targeted by hackers and spammers who want to steal user information like email, username and passwords. This data is later used for brute forcing users other accounts and for other malicious purposes.

I am also using MyBB to run my forum you can visit it here –

I have used MyBB for years and have done a lot of searching to learn how to secure forums and made this list of best security practices that I apply to all my forums to harden them. If you have come here following link visit this thread on forum to learn more about it.

20 Tips to Secure your MyBB Forum

Take a Backup of your forum before making any of these changes, if possible first try it on a test forum.

  1. Hide Errors and Warning – Errors on your forums could reveal crucial information about your database which could be used by hackers to do sql injection attacks and getting access to your database. To do so go to your ACP and check settings in server and optimization options.

mybb error logging

2. Change file permission – By default mybb keeps file permissions to 644 and for some folders 777 which is dangerous and should be avoided. From some support threads I have checked 777 permission is suggested in their officials docs because a lot of new admins use poorly configured shared hosting and that causes problems, so 777 permission is a band aid fix and advanced/experience admins are expected to set correct permissions themselves. So I would recommend for most important file ./inc/config.php which contains your database information you should set it to 400. And change all folders permission to 755. /inc folder contains all important files and you should restrict access to that folder.

mybb config file security permission

3. Enable Scrutinize user ip – If you use cloudflare and your server is not properly configured you will see cloudflare ip instead of your users real ip. This option will check headers for real ip.

mybb scrutinize ip address

4. Enable Same site cookie flag – This option will prevent CSRF attacks basically someone can trick your forum users to do action on your site without them knowing.

5. Secure cookie flag – If you are using HTTPS which is recommended, enable this option to avoid cookie stealing attacks.

mybb cookie security settings

6. Use HTTPS – Getting ssl certificate has become so easy and also google gives you some SEO benefits everyone should use HTTPS on their site. This also increases your user trust and prevent MITM attacks in which an attacker could see all information sent to your forum including sensitive info like your username and password.

7. Enable .htaccess – After installing mybb in your root folder you will see there will be a file htaccess.txt rename it to .htaccess (If you use nginx there is a different txt file) Read official installation instructions. 

mybb htaccess file permission

8. Disable Html Everywhere – Search for html settings and disable all html.

9. Change default table prefix – Do not use default mybb_ prefix if hackers don’t know your table prefix they cannot run queries. This is also recommended in official docs to harden security.

10. Lock access to admin dashboard – If you have a static ip restrict access to /admin to your ip only. You can buy a proxy if you don’t have static ip. If your password is compromised hackers cannot get access to ACP. Alternatively you can also restrict access to admin panel with HTTP Basic authorization.

11. Rename default admin dashboard – This is optional and I would suggest to avoid if you have already locked access to admin folder already. Learn how to do it here.

12. Use pin for admin login – During installation you can set a pin required for login to Admin area along with your password. This will give extra security incase your password was compromised. If you have not enabled it during installation you can set it in .inc/config.php file. This pin is stored on file and cannot be retrieved from database.

mybb admin login secret pin

13. Ensure lock file is there – After installation mybb places a .lock file in /install folder this is important to prevent unauthorized re-installation so check this file is present in the install folder. In some control panels files starting with . (dot) are hidden by default so you have to check if . (dot) files are enabled to be visible or not.  

mybb installation lock file

14. Enable soft delete – In case a mod or admin goes rogue and start deleting files all posts soft delete will create a restore point and that brings us to our next point.

15. Don’t give unnecessary access – Don’t make everyone admin or mod unless you trust them completely.

16. Backup – I cannot stress more about this. Take regular backups nothing is 100% secure and accidents can happen a rouge admin, mod, update could ruin your forum. Before making any critical changes always take backups. MyBB by default gives you option to generate database backup from ACP this doesn’t include all attachments and customization you have made to theme and other files, so take back up of files too. 

17. Limit file upload type – This is my personal preference I like to keep uploads disabled to prevent uploading of shells and other malicious files. But you can limit types of files that can be uploaded and accessed from upload folders. 

18. Remote avatar can expose your server ip – Disable remote avatar it is easy to ignore this setting and this could reveal your server ip which some attackers can use for doing DDOS and bypass cloudflare.

19. Do not use nulled themes and plugins – Often nulled things and plugins are filled with codes that give backdoor access to hackers so download themes and plugins only from official sources. This is the official site for mods –

20. Change admin failed login & timeout settings – In ACP change you can decrease failed login attempts for ACP and longer timeout settings before login can do tried again to slow down and brute force attacks. If you have already locked down access to admin folder this will be not required.

21. Use cloudflare – Cloudflare gives you free CDN and WAF which can be used to slow hackers and save bandwidth. I will make a different to explain how to use cloudflare properly. A lot of my security measure use cloudflare WAF it is very powerful if configured properly.

cloudflare for mybb

22. Don’t use auto installers like Softaculous and Fantastico – They often create problems sometimes ACP pin is not configured properly by auto installers.

23. Use a good host – Don’t go for the cheapest host or some random re-sellers they often do not configure their servers properly and can make your forum slow and vulnerable. You can check my recommend host lists.

24. Enable Mod security – This is only for advanced users, mybb by default adds code to htaccess to disable mod security, if you know how to configure it. I would suggest you to enable it but there will be a lot of conflicts false flags so test it thoroughly before enabling it. No one likes to write a thread and then lose it all because mod security blocked your connection.

25. Keep yourself updated – MyBB release information about new updates and vulnerabilities on twitter so you can follow them for latest updates or visit there also you can read all announcements.

26. Check vulnerable plugins – Plugins and themes are the most vulnerable part of any forum and even if you downloaded from the official mybb Extend site you should keep an eye on the list of plugins marked vulnerable and take necessary action to patch them.

If you have any questions go to forum and create a thread about it.

This article was published on

Credits Note: All images and screenshots are taken by the author and is copyrighted.