(WIP #77) Remove outdated information, give more details, improve style
faq/logout:
	Grammar
	UPDATE Login Problems and Cookies links

faq/login:
	ADD Header title caps
	ADD examples table from cookies.md

development/standards:
	Closing tags not allowed

development/cookies:
	ADD more cookies
	May be incomplete or inaccurate in played, needs review

development/contribute:
	ADD Oxford comma,
	ADD/UPDATE GitHub issue tags

admin/sec/recovery:
	UPDATE tools,
	EXPLAIN purpose of each

admin/sec/protection:
	ADD Auth Basic directions incl.,
	REFACTOR Admin Accounts section (wall of text, hard to read),
	REMOVE unnecessary words in Protect inc Directory,
	ADD comma in Disallow HTML in Posts, highlight query,
	RENAME Keep Plugins to a Minimum -> Minimize Installed Plugins
		(continues progressive-verb-first standard),
admin/sec/2fa:
	REMOVE unneeded dash from T-F-A (Two-Factor is an adj.),
	UPDATE App Store image URLs (wrong lang buttons displaying),
	ADD Troubleshooting section with mention of 30-second window.

Files summary:
modified:   1.8/administration/security/2fa.md
modified:   1.8/administration/security/protection.md
modified:   1.8/administration/security/recovery.md
modified:   1.8/development/contribute.md
modified:   1.8/development/cookies.md
modified:   1.8/development/standards.md
modified:   1.8/faq/login.md
modified:   1.8/faq/logout.md

Signed-off-by: Josh Harmon <[email protected]>
JoshHarmon committed Oct 24, 2015
1 parent 041a2dd commit bffd28e
Showing 8 changed files with 243 additions and 56 deletions.
14 changes: 10 additions & 4 deletions 1.8/administration/security/2fa.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
---
layout: page
title: "Using Two-Factor-Authentication with MyBB"
title: "Using Two-Factor Authentication with MyBB"
categories: [security]
---

The following apps can be used as Two-Factor-Authentication Apps. Note that this list is incomplete and that a lot more apps exist for different operating systems.
# Authenticator Apps

The following apps can be used as Two-Factor Authentication Apps. Note that this list is incomplete and that more apps exist for different operating systems.

<table>
<tr>
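
Review bot: the rewritten intro still describes the feature only by listing named apps; since the Troubleshooting section added lower in this file describes the codes as time-based and rotating every 30 seconds, it would be more useful to state here that any standard time-based one-time-password (TOTP) authenticator app works, which also makes the "this list is incomplete" caveat actionable for readers whose app is not in the table. Minor style: "Two-Factor Authentication Apps" does not need the capital A on "Apps" in running text.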
Expand All @@ -16,13 +18,13 @@ The following apps can be used as Two-Factor-Authentication Apps. Note that this
<tr>
<th>Google Authenticator</th>
<td><a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2"><img alt="Android app on Google Play" src="https://developer.android.com/images/brand/en_app_rgb_wo_45.png" /></a></td>
<td><a href="https://itunes.apple.com/gb/app/google-authenticator/id388497605?mt=8&uo=4" target="itunes_store" style="display:inline-block;overflow:hidden;background:url(https://linkmaker.itunes.apple.com/htmlResources/assets/en_us//images/web/linkmaker/badge_appstore-lrg.png) no-repeat;width:135px;height:40px;@media only screen{background-image:url(https://linkmaker.itunes.apple.com/htmlResources/assets/en_us//images/web/linkmaker/badge_appstore-lrg.svg);}"></a></td>
<td><a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8" target="itunes_store"><img src="https://devimages.apple.com.edgekey.net/app-store/marketing/guidelines/images/badge-download-on-the-app-store.svg" alt="Download on the App Store" /></a></td>
<td>-</td>
</tr>
<tr>
<th>Authy</th>
<td><a href="https://play.google.com/store/apps/details?id=com.authy.authy"><img alt="Android app on Google Play" src="https://developer.android.com/images/brand/en_app_rgb_wo_45.png" /></a></td>
<td><a href="https://itunes.apple.com/gb/app/authy/id494168017?mt=8&uo=4" target="itunes_store" style="display:inline-block;overflow:hidden;background:url(https://linkmaker.itunes.apple.com/htmlResources/assets/en_us//images/web/linkmaker/badge_appstore-lrg.png) no-repeat;width:135px;height:40px;@media only screen{background-image:url(https://linkmaker.itunes.apple.com/htmlResources/assets/en_us//images/web/linkmaker/badge_appstore-lrg.svg);}"></a></td>
<td><a href="https://itunes.apple.com/us/app/authy/id494168017?mt=8&uo=4" target="itunes_store"><img src="https://devimages.apple.com.edgekey.net/app-store/marketing/guidelines/images/badge-download-on-the-app-store.svg" alt="Download on the App Store" /></a></td>
<td>-</td>
</tr>
<tr>
Expand All @@ -32,3 +34,7 @@ The following apps can be used as Two-Factor-Authentication Apps. Note that this
<td><a href="https://www.microsoft.com/en-us/store/apps/authenticator/9wzdncrfj3rj"><img src="/assets/images/1.8/windows-store.png" style="width:150px;" alt="Windows Store" /></a></td>
</tr>
</table>

# Troubleshooting

+ Verify that the server and authenticator device are in the same timezone. The codes are dependent upon time, within a 30 second time span.
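
Review bot: the new Troubleshooting bullet tells users to put the server and the authenticator device "in the same timezone", which is wrong and will send people chasing the wrong setting; time-based codes are derived from UTC/Unix time, so timezone configuration is irrelevant and only clock accuracy matters. Suggest: "Verify that the server's clock and the device's clock are accurate (keep the server synchronised with NTP). Codes are time-based and change every 30 seconds, so a clock that is off by more than a window or two will produce codes the server rejects." The phrase "within a 30 second time span" also reads as if a displayed code is valid for 30 seconds from the moment it appears, which is not how the windows are aligned; "rotate every 30 seconds" is clearer. Lesser points in the table rows: the Google Authenticator iOS link dropped `&uo=4` while the Authy link kept it, and both App Store badges are now hotlinked from `devimages.apple.com.edgekey.net`, an external asset host that can change or disappear without notice, so consider bundling the badge under `/assets/images/1.8/` like the Windows Store badge already is.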
105 changes: 97 additions & 8 deletions 1.8/administration/security/protection.md
Expand Up @@ -12,37 +12,126 @@ One thing we cannot stress enough is to always have your MyBB installation up to

The Admin CP is the most powerful tool in MyBB. If anyone gains access to it, they can easily deface your forum and get complete control over it. It is therefore important to guarantee that only you or your administrators can access it. For starters you should [rename your Admin CP directory and hide all links to it](http://www.mybbsecurity.net/topic-renaming-the-administrator-directory). Once you have done that it is a good idea to install [Admin CP Honeypot](http://community.mybb.com/thread-94406.html). This will take your previous Admin CP location and install a fake Admin CP, which will record the IP of anyone who tries to login to it and email you a small report.

Now your real Admin CP directory should look something like `Svt06wbowXgMVvFmkFaz` (which you should bookmark or take note of) and the fake Admin CP will be located at `admin` (which will record the details of anyone who tries to access it). To finalize, [you should password protect your real Admin CP with HTTP Basic Auth](http://www.mybbsecurity.net/topic-protecting-the-admin-cp-with-http-basic-auth). Additionally you can enable the Admin CP PIN, which was added in 1.8, but having to go through all of these steps might be a little troublesome if you just want to do some quick edits.
Now your real Admin CP directory should look something like `Svt06wbowXgMVvFmkFaz` (which you should bookmark or take note of) and the fake Admin CP will be located at `admin` (which will record the details of anyone who tries to access it). To finalize, [you should password protect your real Admin CP with HTTP Basic Auth](#Protect_the_Admin_CP_with_HTTP_Basic_Auth). Additionally you can enable the Admin CP PIN, which was added in 1.8, but having to go through all of these steps might be a little troublesome if you just want to do some quick edits.

**Nota Bene**: if you change the Admin CP directory and add plugin using it after, you will have to rename the directory in the plugin source before uploading it.

# Protect the Admin CP with HTTP Basic Auth

Also known as "htpasswd protection," adding HTTP Basic Auth protection to your Admin Control Panel directory is one of many ways to put sensitive settings behind another layer of security, and thus making it theoretically harder for hackers to take advantage of. The procedures differ between web servers, but specific instructions for cPanel, Apache, and Nginx (all on a Linux system) are provided below.

When finished with one of the instruction sets below, browse to your Admin CP again, and you should receive an additional username/password prompt before seeing the Admin CP login or interface.

## cPanel Basic Auth Configuration (without SSH)

Similar to Apache, but with the cPanel UI on shared hosts.

+ Search for the `Directory Privacy` menu item (icon: blue folder with lock)
+ Select the directory you wish to protect (your Admin CP directory)
+ **Check** the `Password protect this directory.` checkbox.
+ Fill out the given form with a username and strong password (>85 score)
+ Click `Save`.

## Apache Basic Auth Configuration (with or without SSH)

Requirements:
+ SSH access to site
+ If not available, use [DynamicDrive's generator tool](http://www.tools.dynamicdrive.com/password/) and upload the files, as if you followed the directions below to create them.
+ Apache configured to allow .htaccess files to override configuration values

First, create a new file in the Admin CP directory named .htaccess. Apache will interpret the file as a local configuration file in the directory and any subdirectories inside of it.

+ Open the `.htaccess` file
+ **ADD**:
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName Restricted
AuthType Basic
require valid-user
+ Run shell command:
htpasswd -c -b /path/to/.htpasswd desired_username desired_secure_password
+ **NOTE:** Replace `/path/to/.htpasswd` in both places with the respective file location.

## Nginx Basic Auth Configuration (with SSH)

Requirements:
+ SSH access to site configuration file

Let's begin:
+ Open your nginx site configuration file.
+ Within the `server` block, **ADD**
location /path/to/ACP {
auth_basic "Restricted";
auth_basic_user_file /path/to/.htpasswd;
}
+ Run shell command:
htpasswd -c -b /path/to/.htpasswd desired_username desired_secure_password
+ If the command is not found, install the `apache2-utils`, `httpd-utils`, or similar package for your Linux distribution.

+ **NOTE:** Replace `/path/to/.htpasswd` in both places with the respective file location.

# Configuring an Admin CP PIN

With MyBB 1.8, an Admin Control Panel "Secret PIN" setting was added to the core, inspired by a popular community tutorial. To enable the PIN:

+ Open `inc/config.php`

+ **FIND** or **ADD**:

{% highlight php startinline %}
$config['secret_pin']
{% endhighlight %}

+ Set the variable to a value, such as `'S0me p1n'`.

+ **DONE**

Example:

{% highlight php startinline %}
$config['secret_pin'] = 'S0me p1n';
{% endhighlight %}

## Administrator Accounts

No matter how hard you try to secure the Admin CP, if people other than yourself have access to it then it really is a risk. You should only allow Admin CP access to people you know well and trust. Do not randomly allow a user of your forum to access it, even if he promises you to install a bunch of cool plugins or themes. Administrators should be selected carefully and reviewed thoroughly. Be **very careful** in who you trust access to the Admin CP to. If you trust no one, then perhaps you're better off as an administrator. In fact, if you don't need help with webmaster or admin tasks it really is best to remain the only administrator.
### More Admins = Less Security
No matter how hard you try to secure the Admin CP, if people other than yourself have access to it then it really is a risk. You should only allow Admin CP access to people you know well and trust. Do not randomly allow a user of your forum to access it, even if they promise to install a bunch of cool plugins or themes. Administrators should be selected carefully and reviewed thoroughly. Be **very careful** in who you trust access to the Admin CP to. If you trust no one, then perhaps you're better off as an administrator. In fact, if you don't need help with webmaster or admin tasks, it really is best to remain the only administrator.

### Give Each Administrator Minimal Permissions

Permissions for each Administrator can be configured at `Admin CP > Users & Groups > Admin Permissions`.

If you have multiple administrators, assign specific roles to apply a "divide and conquer" strategy across your administrators.

Examples:
+ If one is strong in design, give them access to Templates and Style ACP features, but not settings, users, or system tools. They shouldn't need them for design tasks, and if they do, they can ask someone else to perform those actions.
+ Perhaps another admin is great with managing community members. Give them access to Users and Groups, but nothing more.

However, if you need help as an administrator permissions should be limited as much as possible. Distribute tasks between all the accounts. Discuss this with your admins and decide who should take care of what. For example, one of your administrators may be an HTML & CSS guru and could be in charge of making changes to templates and keeping the code clean. The other administrators may not know HTML, so why should they have access to the Templates & Style module? Similarly, if the HTML-guy doesn't like managing users and group permissions, then he definitely doesn't need access to that module. You can configure all of this in Admin CP > Users & Groups > Admin Permissions. Your administrators will be listed there, and you can specify everything they can and cannot access. Be rigorous and only allow access to the parts your administrators really need. As an example, you should probably disable all administrators other than yourself from accessing the database backups section. A backup of your database essentially contains all the information in your forum, which can be quite dangerous in the wrong hands. Provided that you have a proper backup solution (covered later on) there is no need for them to be able to create backups.
The more features you give to each administrator, the more power you grant to each of them over your community and its security.

## Protect the `inc` Directory

The `inc` directory in your MyBB installation is something that should not be accessible to the end user at all. It contains sensitive information such as your database details (`inc/config.php`). And even though it is almost impossible for hackers to access that data, it's always a good idea to make things extra difficult to access. And the `inc` directory certainly doesn't need to be publicly available. You should therefore protect it completely by [disallowing access to the `inc` directory](http://www.mybbsecurity.net/topic-protecting-the-inc-directory).
The `inc` directory in your MyBB installation should not be accessible to the end user at all. It contains sensitive information such as your database details (`inc/config.php`). Even though it is almost impossible for hackers to access that data, it's always a good idea to have an extra layer of protection. The `inc` directory doesn't need to be publicly available, so protect it completely by [disallowing access to the `inc` directory](http://www.mybbsecurity.net/topic-protecting-the-inc-directory).

## Change the Default Table Prefix

Changing your table prefix can prove to be helpful in certain cases. If a hacker manages to run an SQL query, he can easily destroy your forum completely. But if for some reason he doesn't know what your table prefix is (and therefore doesn't have a table name to query) it would certainly slow him down. Having that said, consider [changing your table prefix](http://www.mybbsecurity.net/topic-security-through-obscurity-changing-the-default-table-prefix).
Changing your table prefix can prove to be helpful in certain cases. If a hacker manages to run an SQL query, he can easily destroy your forum completely. But if they don't know what your table prefix is (and therefore don't have a table name to query) it would slow them down. Consider [changing your table prefix](http://www.mybbsecurity.net/topic-security-through-obscurity-changing-the-default-table-prefix).

## Disallow HTML in Posts

Allowing HTML to be used in posts is a terrible, terrible idea. That is why MyBB does not allow it by default. Unless you are absolutely certain that you want to use it (in which case you should install [HTML Purifier](http://mods.mybb.com/view/htmlpurifier)) it should be disabled on all forums. To do this quickly, run the following SQL query.
Allowing HTML to be used in posts is a terrible, terrible idea. That is why MyBB does not allow it by default. Unless you are absolutely certain that you want to use it (in which case you should install [HTML Purifier](http://mods.mybb.com/view/htmlpurifier)), it should be disabled on all forums. To do this quickly, run the following SQL query.

UPDATE `mybb_forums` SET `allowhtml` = '0';
{% highlight sql %}
UPDATE `mybb_forums` SET `allowhtml` = '0';
{% endhighlight %}

Afterwards you should go to Admin CP > Tools & Maintenance > Cache Manager > forums > Rebuild Cache to make sure this change is cached and is applied immediately.

## Hide the Version Number

Displaying which MyBB version you're running is essentially the same as yelling "hey, I'm running this specific version, which contains these specific vulnerabilities". It's an open invitation to hackers. If you're running on the latest version, it's probably nothing to worry about, but there is simply no point in displaying it. To hide it go to Admin CP > Configuration > Settings > Site Details > Show Version Numbers > Off.

## Keep Plugins to a Minimum
## Minimize Installed Plugins

The more plugins you have installed, the more code can hackers exploit. Most plugins are fairly secure, but if one of them has a vulnerability, hackers can take advantage of it to get access to your forum. And for that simple reason it is highly recommended to keep the number of plugins to a minimum and only install those that you really need. It's also worth considering the popularity and the author of the plugin. Having that said, to improve your forum's security, we still recommend having a look at our list of [security plugins](http://community.mybb.com/thread-109872.html).

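Review bot: the Nginx instructions as written will not actually protect the Admin CP on a typical MyBB deployment. The block `location /path/to/ACP { auth_basic "Restricted"; auth_basic_user_file /path/to/.htpasswd; }` is a plain prefix location, and nginx lets a matching regular-expression location (the site's usual `location ~ \.php$` handler) take precedence over a plain prefix match, so requests for `index.php` inside the ACP directory go straight to PHP without ever hitting the `auth_basic` directives. Use `location ^~ /Svt06wbowXgMVvFmkFaz/ { ... }` (the `^~` modifier stops the regex search) with the `fastcgi_pass` handling nested inside it, or apply `auth_basic` inside the PHP location guarded by the ACP path. Note also that `location` takes a URI path, not a filesystem path, so the `/path/to/ACP` placeholder and the closing NOTE ("in both places") need to say that the ACP URI prefix must be substituted as well. Second, `htpasswd -c -b /path/to/.htpasswd desired_username desired_secure_password` (used in both the Apache and Nginx steps) puts the admin password on the command line, where it ends up in shell history and is visible to other local users through `ps`; drop `-b` so `htpasswd` prompts for the password, and warn that `-c` overwrites an existing `.htpasswd`, which matters if the file already holds other users. Third, HTTP Basic Auth only base64-encodes the credentials, so the section should state that the Admin CP must be served over HTTPS for this layer to resist a network attacker, and that `.htpasswd` belongs outside the web root. The Apache requirements list points users without SSH to DynamicDrive's web-based generator, which means typing the Admin CP password into a third-party site; generating the hash locally (`htpasswd` on any machine, or `openssl passwd -apr1`) avoids that. Finally, the "Disallow HTML in Posts" query hardcodes `mybb_forums` immediately after a section recommending a non-default table prefix; add a note to substitute the installed prefix, otherwise the query fails on exactly the forums that followed the earlier advice.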
12 changes: 10 additions & 2 deletions 1.8/administration/security/recovery.md
Expand Up @@ -16,16 +16,24 @@ First things first: secure your computer. It is possible that you downloaded som

However if you don't have another computer lying around or other people to help you then you will have to take care of it right now. If you're using Windows we urge you to run tools like:

- [Spybot - Search & Destroy](http://www.safer-networking.org/en/spybotsd/index.html)
- [HitmanPro 3](http://www.surfright.nl/en/hitmanpro)
+ Somewhat similar to HijackThis. Scans the computer for virus activities or suspicous files that have the characteristics of malware.
- [Kaspersky Virus Removal Tool](http://www.kaspersky.com/antivirus-removal-tool)
+ Tool to help remove common malware infections, if detected.
- [Malwarebytes](http://www.malwarebytes.org/)
+ Popular, trusted free solution for malware scanning. Quick definition updates and rigorous detections for more than plain malware.
- [HiJackThis](http://www.filehippo.com/download_hijackthis/)
+ Tool that generates a report about system settings and files commonly modified by malware.

Scanning your computer with your antivirus' own tools is also a good idea and installing a firewall. We recommend the following:
Scanning your computer with your antivirus' own tools is also a good idea and installing a firewall. We recommend one of the following:

- [Microsoft Security Essentials](http://windows.microsoft.com/MSE)
- [AntiVir](http://www.avira.com/en/avira-free-antivirus)
+ Standard antimalware software. Not especially great, but it is usually good enough.
- [Comodo Internet Security](http://www.comodo.com/home/internet-security/free-internet-security.php)
+ Standard antimalware software. Not especially great, but it is usually good enough.
- [ZoneAlarm](http://www.zonealarm.com/)
+ Inbound intrusion detection system and firewall that is highly customizable, allowing the user to specify what applications can create outbound network connections.

### Secure Your Online Accounts

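Review bot: `suspicous` in the HitmanPro description should be `suspicious`. More substantively, the HiJackThis entry links to filehippo.com, a third-party download mirror, rather than the tool's own project page; a recovery guide aimed at a possibly compromised machine should only send readers to vendor-hosted downloads, since mirrors can wrap installers with adware or serve modified binaries. "Scanning your computer with your antivirus' own tools is also a good idea and installing a firewall" is awkward; suggest "Scanning your computer with your antivirus vendor's own tools and installing a firewall are also good ideas." The AntiVir and Comodo entries carry the identical description ("Standard antimalware software. Not especially great, but it is usually good enough."), which tells the reader nothing about how to choose between them; either differentiate them or collapse the two into one line.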