Delicate powered by phpbb. Protecting PhpBB

In one of the comments to my article, I was asked to tell you how to remove the copyright field of the creators of the phpBB engine: “Created based on phpBB.” Since this information may be useful to other visitors, I decided to write this article about it.

Why remove this field? Many of you may express indignation, saying that removing this field will be regarded as non-compliance with copyright. However, this is not entirely true - phpBB is a free web forum with free source code. Therefore, any changes you make assume that you own the copyright in your specific product. In other words, after creating a forum on this engine, it becomes your intellectual property. The authors of phpBB wrote a mechanism, a tool for creating forums, and not a finished product. In this case, if you remove the copyright notice in the forum footer, this will not be a violation of copyright. On the other hand, if you do leave this inscription, it will be a sign of gratitude and support for the developers, which is definitely good!

So, if you decide to get rid of this inscription, the first step is to find out where the parameter responsible for displaying the copyright information is located. To do this, open any forum page where the inscription is visible in a browser that supports viewing page code (Opera, Google Chrome, Firefox, etc.), right-click the inscription itself, and select the option to view the code (Inspect element) from the drop-down menu.

After opening the code inspector, we can see that the block that interests us is called “copyright”. It is there that changes need to be made in order to edit, hide or delete information.

The second step is to find the file that contains the “copyright” block. Since we do not know the name of the file, searching manually will take a very long time. Therefore, we will use a convenient function, search by content, which my favorite file manager has: Total Commander, hereinafter referred to as TC (there are other ways to search by content, but they will not be considered in this article). In the file manager, open the folder in which the forum is installed, on a local server or on your hoster's FTP server. To make searching easier, we will immediately open the folder in which the files of the default style are stored. Next, select the file search in the “Commands” menu or simply press Alt + F7. In the search window that appears, we ignore the “Search files” field, since the name of the file is unknown to us. The “Search location” field must contain the path to the folder with the installed forum engine; by default, TC picks up the path automatically if the search window was called from the active panel where you view the contents of folders. Next, put a checkmark next to the “With text” field and enter “copyright” in the search bar, then click the “Start search” button and wait for the results to be displayed.


The search gave us several files, in theory there should be 5 of them, in which the name of the copyright block is mentioned. From all the output files, we clearly see that we are interested in the file called “overall_footer.html” since the block is located in the footer of the page, and the word overall suggests that this file stores global settings, that is, for the entire forum. Now we have 2 options for how to edit the file we need - through the built-in phpBB template editor or using a third-party editor. First we will look at the editing option through the native phpBB interface.
We need to go to the “Administration Center” and open the “Styles” tab. In the style management section, we look at which style is installed by default; this is indicated by an asterisk after the style name. In the example, only one basic style is installed, prosilver, but you can have several of them.

Next, in the style component management section, we go to the “Templates” subsection and select the “Edit” item next to our active theme.


Now we need to select from the drop-down list the file we are interested in, called “overall_footer.html”.


In the editing area that appears, we go to the very bottom of the page and find the line:

after which we remove the following code:

{CREDIT_LINE} {TRANSLATION_INFO} {DEBUG_OUTPUT}

In the end, your code should look like this:


Now we press the “Send” button and voila, we have achieved the desired result - the copyright notice is no longer there.

Let's move on to the alternative way of achieving the same result: now that we know the name of the desired file, we go to the “template” folder of the theme that is active by default and look for the same file, called “overall_footer.html”.


Next, right-click on the file, select “Open with” in the drop-down menu and choose your favorite code editor; in my case it is Blumentals WeBuilder 2011. After this, just as in the case of the native phpBB template editor, delete the previously specified code and save the changes. The program also has a very convenient built-in FTP client that allows you to edit and save changes to files on a remote server.

Ready! If you followed all the steps above, then you should be able to remove the inscription. Congratulations!

Well, let's start giving little tips on optimizing and promoting sites (forums) on phpBB. In this case, we will perform a small hack that will help get rid of an external link like "Powered by phpBB © ...". In this publication we will look at 2 ways in which you can do this - a technique for phpBB 3.x.x.

Removing an external link Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group and Russian phpBB support

The first way to remove an external link that says Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group. The easiest way is to delete it using the admin panel. We go to the administrative panel and open the “Styles” menu item. In the panel on the left we are interested in the “Style Components” block, and in it “Templates”. By default, the window that opens lists prosilver and subsilver2, although there could be others if you installed them. In general, that's not the point. From the proposed set, select the default one. Click on the "edit" button next to the template. Next, a window appears asking you to “Select a template file.” Select “Template file” - “overall_footer.html”. The HTML editor appears below. We find the following code: “Powered by phpBB 2000, 2002, 2005, 2007 phpBB Group” and simply delete it, although you can set your own link and caption. "{TRANSLATION_INFO}" (which is located below, can also be deleted) - this code is responsible for localization, for example, an external link with the inscription "Russian phpBB support".

The second way to remove an external link that says Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group. This method is similar, but we connect to the site via the FTP protocol. Go to the following path: styles/template_name/template/overall_footer.html. And we edit the same code that we edited above. If you change the code, do not forget to set the UTF encoding, otherwise garbled characters (squares and other incomprehensible symbols) may appear in place of the anchors.

So, dear friend, for some reason you installed PhpBB on your site. Maybe because you haven't read the ][ magazine, or maybe because you like this engine. However, the chance that you will not be hacked is minimal. Armies of kiddies scour the Internet in search of their next victim. How to protect yourself from primitive forum hacking? I'll try to give you some ideas. You can use most of them in other scripts.

Update

This goes without saying. The forum needs to be updated. And the fact that you have 5/10/15 (underline as appropriate) mods is not an excuse. It’s just that in this case you should use the “code changes”, carefully laid out by the forum developers in the form of the same mods. I also recommend subscribing to the newsletter about new versions of the forum. However, you can’t keep track of everything, and laziness happens, doesn't it? Therefore, I offer you several passive ways to protect the forum.

Hiding version

Recently appeared in PhpBB and is a great help against Google hackers. And if you still don’t update the forum, I think it won’t be difficult for you to correct the simple_footer.tpl and overall_footer.tpl files. However, you can go further and write the evil phrase "Powered by PhpBB" using javascript



There is little loss if the user has javascript disabled, although the phrase should not be removed entirely on purely moral principles. Or you can make fun of it by writing “PhpBB 2.0.6”. When a hacker, having hacked you, finds out the real version, then out of anger he will drop the entire database for you 😉 You can also write “Php BB”... It’s not entirely honest, but it works!

Non-standard style

It will not only decorate your forum, but will also slightly increase protection against exploits that rip information out of an HTML page. And then the standard style creates the feeling that the admin has either neglected the forum or is lame.

Table prefix

Why not put something of your own there, for example "ExBB". By the way, this can be done after installation by editing config.php and renaming tables.

Database modification

A reliable way to protect against UNION-based SQL injection attacks is to change the database. Add extra empty fields to the tables, go through the code, and primitive (!) exploits will fail due to a mismatch in the number of fields. Or another way: rename the user_password field to blahblahblah and correct the sources (this process can be easily automated). That’s it, now when you try to get the admin password hash, the exploit will hang in surprise :) And not only the exploit.

Hiding config.php

It will make your life easier if the hacker is able to read files on the server thanks to an include bug. Of course, in this case, the contents of the file will still be of little use to him, unless you use the same passwords for everything.

Normal password

As trite as it may seem, the password should be of the form Sdh66rH904hG - this is the only way you won’t have to worry about the hash being cracked. You will store it in Password Commander. Well, tell me, how often will you have to enter it? Now, if the hash is stolen, it will be of less use.

Disable search

And it wouldn't hurt. It is terribly buggy, eats an incredible amount of space in the database and horribly reduces performance. And then it is a source of bugs, the same highlight. Unfortunately, you can’t do this by standard means, but it’s not in vain that you read ][? Remove the files related to it, drop the tables and clean up the sources and themes. The result is increased performance and safety. If you’re too lazy to figure it out, then I’ll give you a hint: eliminate the calls to the functions located in functions_search.php. Except for the last one, of course. Think about which tables to drop.... I didn’t have any problems.

Fake admin

Hide the real admin panel away, and in the fake one remove all queries to the database like INSERT, UPDATE, etc. Better yet, instead of executing them, log them to a file, along with the IP and other useful data. Can you imagine how stumped a hacker will be when the changes he makes are not applied? Just a honeypot, not a forum!
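
The logging idea above, as an added example that is not code from the original article or from phpBB: a query handler for the decoy panel that lets reads through and records write queries instead of running them. The function name, log location and sample request values are assumptions; it needs PHP 7.2 or later.

```php
<?php
// Added example: query handler for the decoy admin panel (all names hypothetical).
// Reads pass through; writes are recorded and reported as successful.

function decoy_query(string $sql, array $server, callable $runReadOnly, string $logFile)
{
    $writeVerbs = 'INSERT|UPDATE|DELETE|REPLACE|DROP|ALTER|TRUNCATE|CREATE';
    if (!preg_match('/^\s*(' . $writeVerbs . ')\b/i', $sql, $m)) {
        return $runReadOnly($sql);          // SELECTs keep the decoy looking alive
    }
    $entry = [
        'time' => gmdate('c'),
        'ip'   => $server['REMOTE_ADDR'] ?? '-',
        'ua'   => $server['HTTP_USER_AGENT'] ?? '-',
        'uri'  => $server['REQUEST_URI'] ?? '-',
        'verb' => strtoupper($m[1]),
        'sql'  => $sql,
    ];
    // One JSON object per line: json_encode escapes newlines, so values the
    // visitor controls (User-Agent, SQL text) cannot forge extra log lines.
    // Invalid UTF-8 is substituted instead of making the encode fail.
    $line = json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    return true;                            // pretend the change was applied
}

// Constructed request data for the demonstration.
$server = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => "probe\nfake-line",
    'REQUEST_URI'     => '/admin/index.php',
];
// Assumed location for the demo; on a real site keep the log outside the web root.
$logFile = sys_get_temp_dir() . '/decoy_admin.log';
file_put_contents($logFile, '');            // start the demo with an empty log

// Stand-in for the real read-only database call.
$reader = function (string $sql) {
    return [['config_name' => 'sitename']];
};

decoy_query("SELECT * FROM phpbb_config", $server, $reader, $logFile);
decoy_query("UPDATE phpbb_config SET config_value = 'x' WHERE config_name = 'sitename'",
            $server, $reader, $logFile);

// Show what was recorded.
echo file_get_contents($logFile);
```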

Changing the hashing algorithm

Generally a useful technique. Change all function calls related to hashing to your own, which, after calling the standard ones, slightly modify the hash. For example ac45e53bc8dc478e->ac45e53bc8da478e. A hacker is unlikely to suspect a trick... Moreover, looking at these two hashes, he will not immediately notice the difference...

Well, why was this UNION invented, it has brought so many holes.... So open the include for working with the database and add filtering of queries with UNION!
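
One way to write such a filter, as an added example that is not code from the original article or from phpBB. It assumes the forum's own queries never use UNION; the function names and sample queries are constructed. Quoted literals are blanked out first, so a post that merely contains the word "union" is not rejected.

```php
<?php
// Added example: UNION filter for the database include (all names hypothetical).
// Assumes the forum's own queries never use UNION.

// Blank out quoted literals, honouring backslash and doubled-quote escapes.
// Returns null if the regex engine reports an error.
function mask_literals(string $sql): ?string
{
    $pattern = <<<'RE'
~'(?:[^'\\]|\\.|'')*+'|"(?:[^"\\]|\\.|"")*+"~s
RE;
    return preg_replace($pattern, "''", $sql);
}

function query_has_union(string $sql): bool
{
    $masked = mask_literals($sql);
    if ($masked === null) {
        return true;                        // could not analyse the query: fail closed
    }
    // A letter or underscore on either side means the word is part of an
    // identifier such as reunion_id, which is not counted.
    return preg_match('/(?<![a-z_])UNION(?![a-z0-9_])/i', $masked) === 1;
}

// Wrapper to call from the database include in place of the raw query call.
function guarded_query(string $sql, callable $run)
{
    if (query_has_union($sql)) {
        error_log('UNION query blocked: ' . json_encode($sql));
        return false;
    }
    return $run($sql);
}

// Constructed sample queries.
$samples = [
    'legit post'   => "INSERT INTO phpbb_posts_text (post_text) VALUES ('Join our union today')",
    'escaped text' => "SELECT user_id FROM phpbb_users WHERE username = 'o\\'union'",
    'identifier'   => "SELECT reunion_id FROM phpbb_custom",
    'appended'     => "SELECT topic_title FROM phpbb_topics WHERE topic_id = 1 UNION SELECT username FROM phpbb_users",
];
foreach ($samples as $name => $sql) {
    printf("%-13s %s\n", $name, query_has_union($sql) ? 'blocked' : 'allowed');
}
```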

Conclusion

The more files, tables and fields you rename, the

  • It will be more difficult for the haxor
  • It will be more difficult for you to update the forum
  • You'll make more mistakes

So know your limits and don’t be paranoid. By performing all these tricks, you will scare/stop both the kiddies and the haxor, unless the latter has a specific goal to hack you. Although renaming table fields provides almost impenetrable protection against SQL injection, because the haxor will not have the sources in front of him.