Community Documentation

v3 Knowledgebase

PHPFox Security Settings

This article is valid for PHPFox v2.1.0build4, v3.4.1build3, v3.5.1build4 & v3.6.0beta2 or higher.

Rename the file include/setting/security.sett.php.new to include/setting/security.sett.php.

Next, let's open the file include/setting/security.sett.php

To enable or disable these security settings we use a Boolean value: true enables the feature and false disables it.

As an example you will find the setting:
PHP:
$_CONF['core.enable_html_purifier'] = false;

You will notice that this feature is set to false, which means it's off. Set it to true to enable the feature. The setting will then look like this:
PHP:
$_CONF['core.enable_html_purifier'] = true;


Security Settings


$_CONF['core.force_secure_site']
Enable to make all connections secure when a user is logged in. Note that your server must have an SSL certificate. You must also have the setting Secure Pages with HTTPS enabled. This can be found in your AdminCP.

$_CONF['core.use_custom_cookie_names']
Enable to use custom cookie names.

$_CONF['core.custom_cookie_names_hash']
Add your unique cookie name.

$_CONF['core.protect_admincp_with_ips']
Allow access to the AdminCP only from IPs on this list. Comma separated. An example with 2 IPs:
PHP:
$_CONF['core.protect_admincp_with_ips'] = '127.0.0.1, 127.0.0.2';


$_CONF['core.use_custom_hash_salt']
Enable to add a custom salt to cookie values.

$_CONF['core.custom_hash_salt']
Create your own custom salt for cookie values.

$_CONF['core.admincp_http_auth']
Enable HTTP authentication in order to access the AdminCP. This is an additional login routine in order to get into the AdminCP.

$_CONF['core.admincp_http_auth_users']
Array of users that can access the AdminCP. Here is a sample value:
PHP:
$_CONF['core.admincp_http_auth_users'] = array(
    '1' => array('name' => '', 'password' => '')
);

The key "1" is the user's ID number. The "name" and "password" are unique to this user. Make up your own name and password; they are in no way connected to the user's main login info. Here is an example adding 2 users to this list:
PHP:
$_CONF['core.admincp_http_auth_users'] = array(
    '1' => array('name' => 'user1', 'password' => 'abc123'),
    '2' => array('name' => '2user', 'password' => '123abc')
);


$_CONF['core.auth_user_via_session']
If this setting is enabled it will modify how database sessions are handled for a specific user. This provides a very secure way of keeping your users logged in and making sure browser cookies cannot be hijacked. If you enable this feature the current list of online users will not work as we do not store guests in the session table any longer. Additionally a user can only access the site via 1 device/browser. If they attempt to log on from another device/browser they will be able to log in, however they will be booted from all other devices/browsers.

The point of this feature is to prevent cookie hijacking. If someone were able to get hold of a user's cookies, they could add those cookies manually in their own web browser and log in as that person. This setting helps prevent that, because the person attempting to reuse the cookie would also need an active session for this user based on parameters that are unique to that user.

$_CONF['core.include_ip_sub_id_hash']
If enabled, a sub-string of the user's IP is included when creating the unique hash for the user's session. You can control the sub-string length from the AdminCP.

$_CONF['core.id_hash_salt']
Create your own unique salt for a user's hash.
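The three settings core.custom_cookie_names_hash, core.custom_hash_salt and core.id_hash_salt each ask you to supply your own unique value, but the article does not say how to produce a good one. The script below is an added example, not PHPFox code: it draws the values from PHP's CSPRNG and prints ready-to-paste assignment lines. It assumes each setting accepts an arbitrary hex string (the page states no length or charset constraints).

```php
<?php
// Added example (not PHPFox code): generate strong random values for the
// custom cookie-name hash and the two salts in include/setting/security.sett.php.
// Assumption: each setting accepts an arbitrary hex string.
declare(strict_types=1);

/**
 * Return a hex string built from $bytes bytes of OS-provided randomness.
 * random_bytes() throws when no secure source exists; let it, because a
 * silent fallback to a weak generator would defeat the purpose of a salt.
 */
function generateSecret(int $bytes = 32): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('Use at least 16 bytes (128 bits) of entropy');
    }
    return bin2hex(random_bytes($bytes));
}

$settings = [
    // 16 bytes -> 32 hex chars: short enough to serve as a cookie name.
    'core.custom_cookie_names_hash' => generateSecret(16),
    'core.custom_hash_salt'         => generateSecret(32),
    'core.id_hash_salt'             => generateSecret(32),
];

// Print configuration lines in the same form the article uses;
// var_export() takes care of quoting.
foreach ($settings as $key => $value) {
    printf("\$_CONF['%s'] = %s;\n", $key, var_export($value, true));
}
```

Run it once (for example `php generate_secrets.php`), paste the three lines into security.sett.php and enable the matching core.use_custom_cookie_names and core.use_custom_hash_salt flags. Because cookie values are derived from the salt, expect existing logins to stop validating after you change it, so rotate during a maintenance window.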

$_CONF['core.check_body_for_text']
If your site has been defaced this setting will attempt to show a default message instead.

$_CONF['core.check_body_regex']
Regex to check if a site has been defaced. Make sure this is something very unique to your site and is on every page.

$_CONF['core.check_body_offline_message']
Text to show if site has been defaced.

$_CONF['core.check_body_header']
Response code to send the browser in case the site has been defaced. Handy if you use a site uptime checker, which can then notify you via email or SMS.
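To make the four check_body_* settings concrete, here is an added stand-alone illustration of the mechanism they describe; it is not PHPFox's implementation. The configuration array, marker string and sample pages are constructed for the example. The check runs the regex over the rendered page and, if the site-specific marker is missing, returns the offline message and the configured status code instead of the page.

```php
<?php
// Added example (not PHPFox code): illustrate how a body-marker defacement
// check behaves. Config keys mirror the settings documented on this page;
// the values are constructed for the example.
declare(strict_types=1);

$_CONF = [
    'core.check_body_for_text'        => true,
    // A marker unique to this site and emitted on every page. An HTML comment
    // is a good choice: invisible to visitors and not something a replaced
    // template will contain by accident.
    'core.check_body_regex'           => '/<!-- example-community-marker-7f3a -->/',
    'core.check_body_offline_message' => 'This site is temporarily unavailable.',
    'core.check_body_header'          => 503,
];

/**
 * True when the marker is present, false when the page looks defaced.
 * An invalid regex is treated as "defaced" so a typo in the pattern fails
 * closed instead of silently disabling the check; the error is logged.
 */
function bodyLooksIntact(string $body, string $regex): bool
{
    $result = @preg_match($regex, $body); // @: preg_match warns on a bad pattern
    if ($result === false) {
        error_log('check_body_regex is invalid, preg error code ' . preg_last_error());
        return false;
    }
    return $result === 1;
}

/**
 * Decide what to send. Returns [statusCode, body] rather than echoing,
 * so the decision can be inspected or tested in isolation.
 */
function applyDefacementCheck(array $conf, string $renderedBody): array
{
    if (empty($conf['core.check_body_for_text'])) {
        return [200, $renderedBody];
    }
    if (bodyLooksIntact($renderedBody, $conf['core.check_body_regex'])) {
        return [200, $renderedBody];
    }
    return [(int) $conf['core.check_body_header'], $conf['core.check_body_offline_message']];
}

// Constructed sample pages: one intact, one where the template was replaced.
$intact  = '<html><body><!-- example-community-marker-7f3a --><h1>Welcome</h1></body></html>';
$defaced = '<html><body><h1>Defaced</h1></body></html>';

foreach ([$intact, $defaced] as $page) {
    [$status, $out] = applyDefacementCheck($_CONF, $page);
    echo "HTTP $status: " . substr($out, 0, 60) . "\n";
}
// In a real front controller you would call http_response_code($status)
// and echo $out in place of the page.
```

Two practical points follow from this shape. A 503 (rather than 200) is what lets an uptime monitor raise the alarm, which is why the response code is configurable. And the check only detects a page whose marker is gone, such as a replaced template or index file; it does not catch content injected into an otherwise intact page, so treat it as one signal alongside file-integrity monitoring and backups, not as a complete defacement defence.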

HTML Purifier


We have included a 3rd party library that will assist in cleaning and preventing XSS exploits for sites that allow HTML.

First, you need to rename the file include/setting/htmlpurifier.sett.php.new to include/setting/htmlpurifier.sett.php

Next, let's go back and open the security config file include/setting/security.sett.php

Look for:
PHP:
$_CONF['core.enable_html_purifier'] = false;

Replace that with:
PHP:
$_CONF['core.enable_html_purifier'] = true;


Your site is now using HTML Purifier. If you wish to modify our default settings, open the file include/setting/htmlpurifier.sett.php.
For a better understanding of how their product works, see the detailed configuration documentation:
http://htmlpurifier.org/live/configdoc/plain.html

The setting you will probably end up editing the most is the following:
PHP:
$config->set('HTML.Allowed', 'br,p,em,u,ul,li,font,ol,div,span,blockquote,strike,b,img[src|alt|class|height|width],a[href|rel],iframe[src|width|height|frameborder],object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height]');


This controls what elements and attributes are allowed on your site.
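The following added example (not PHPFox's code) shows what that HTML.Allowed list actually does to untrusted markup by running HTML Purifier directly on a constructed sample post. It assumes the library is installed via Composer (`composer require ezyang/htmlpurifier`) and autoloaded from the path shown; the sample input is constructed for the example. The list is reproduced without iframe, object and embed for the reason given after the code.

```php
<?php
// Added example (not PHPFox code): exercise HTML Purifier with the element
// and attribute allowlist from htmlpurifier.sett.php on constructed input.
declare(strict_types=1);

// Assumption: HTML Purifier installed via Composer at this path.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier using the page's allowlist (minus the embed-type elements)
 * and return the sanitised HTML for member-supplied content.
 */
function sanitizeMemberHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed',
        'br,p,em,u,ul,li,font,ol,div,span,blockquote,strike,b,'
      . 'img[src|alt|class|height|width],a[href|rel]');
    // Add rel="nofollow" to member links so posted links carry no reputation.
    $config->set('HTML.Nofollow', true);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample of the kind of markup an untrusted member might submit:
// an event-handler attribute, a javascript: URL and a script element.
$dirty = '<p>Hello <b>world</b></p>'
       . '<img src="x" onerror="alert(1)">'
       . '<a href="javascript:alert(1)">click</a>'
       . '<script>alert(1)</script>'
       . '<div onclick="alert(1)">text</div>';

echo sanitizeMemberHtml($dirty), "\n";
// The onerror and onclick attributes are not in the allowlist and are dropped,
// the script element is removed, and the javascript: href is rejected because
// only the schemes in URI.AllowedSchemes (http, https, mailto, ftp, ...) pass.
```

One caveat on the original list: HTML Purifier does not activate iframe from HTML.Allowed alone; it requires HTML.SafeIframe together with a URI.SafeIframeRegexp allowlist of permitted frame sources, and object/embed likewise require HTML.SafeObject and HTML.SafeEmbed. Check whether PHPFox's htmlpurifier.sett.php enables those (this page does not say) before assuming embedded media works, and keep the frame-source regexp as narrow as possible, since iframe[src] and embed[allowscriptaccess] are the entries in that list with the widest impact if misconfigured.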

Additional Tips



1) We advise you to open the file include/setting/server.sett.php and look for the setting:
PHP:
$_CONF['core.admincp_do_timeout'] = false;

Enable this by changing it to:
PHP:
$_CONF['core.admincp_do_timeout'] = true;

This will force Admins to log in one more time before they can access the AdminCP.

2) Enable the setting Brute Force Prevention: Time Limit

3) Disable the Member Snoop feature.

4) As an Admin do not use the "Remember Me" feature.

5) If possible, try to dedicate 1 unique browser that is only used to manage your website. Do not visit any other sites with this specific browser or open links via emails. Just use it to manage your community.

6) Backup your site. This needs to be at least on a weekly basis.