How to Secure your SMF forum

In this tutorial we will review the security features that Simple Machines Forum 2.0.x provides us with. In order to check and change the secure configuration you will need to login as the administrator of the forum. After the successful authentication navigate to the Security and Moderation menu via Administration Center>Configuration>Security and Moderation.

This page of the Configuration offers several security related settings that we can configure in order to meet our needs.

Step 1 General Security in SMF

The general option will allow you to lock down some of the personal information that is being handled on your website. For example, you will be able to hide contact details of your members to guests on your forum, set a trigger for failed login attempts and many more features that will protect your forum better.

The options that we recommend using are:

• Do not reveal contact details of members to guests - Self-explanatory
• Failed login threshold - Set the number of failed login attempts before directing the user to the password reminder screen. Recommended: 3
• Enable error logging - This will log any errors, like a failed login, so that you can see what went wrong.
• Require reactivation after email change - When this option is checked all members who change their email address in their profile will have to reactivate their account from an email sent to that address
• Enable reporting of personal messages - This option allows your users to report personal messages they receive to the administration team. This may be useful in helping to track down any abuse of the personal messaging system

Step 2 Anti-Spam Security in SMF

The Anti-Spam configuration in SMF provides three options that will strengthen it properly. The first section is the Anti-Spam Verification. The options in it allow us to set verification checks in order to ensure the user is a human and not a bot. There are a lot of options that you can configure for the purpose and we recommend reviewing them carefully for proper setup.

The second section is called Configure Verification Methods. It allows you to set which anti-spam features we wish to have enabled whenever a user needs to verify they are a human. The user will have to pass all verification so if you enable both a verification image and a question/answer test they need to complete both to proceed.

If you have enabled the options above, you also have to configure the Verification Questions. We should pick relatively simple questions; answers are not case sensitive, though you should not use a 0 (zero) or a space as an answer to a question. You may use BBC in the questions for formatting, to remove a question simply delete the contents of that line.

Congratulations! Now your Simple Machines Forum application is more secured.