Keep hearing of other forums getting hacked. I realise that if a hacker is that determined, they will find a way, but what are the actions that you can take to try to ensure, wherever possible, that it doesn't happen please ?
You can never say how to be 100% safe from hackers, but you can at least follow some security policies to minimalize the risk.
- Use strong root password,
- track critical issues on net and fix them asap,
- use captcha for continuous logins,
- use e-mail confimation for new registrations,
- disable HTML in posts and signatures.
There will be another vulnerability in PHPBB3, and you will be hacked. Try and keep PHPBB3 up to date. I know for a fact that Simple Machines Forums is a lot more secure because I have manually audited both of them.
1)Without a doubt the most important thing you can do to make any web application more secure is to use a web application firewall such as Mod_Security.
2)Make sure you are using a modern linux distribution that is using ether SELinux or AppArmor, SELinux is more secure. DO NOT USE WINDOWS.
3)Make sure your mysql user account only has access to the PHPBB3 database, and NOTHING ELSE. Most importantly make sure PHPBB3's account cannot access the mysql.user table! "File privileges" is by far the worst thing you can give a web application. File privileges is much worse than "grant" because an attacker will try to inject sql like this: ' union select '<?php eval($_GET[e])?>' into outfile "/var/www/backdoor.php"--
to upload his backdoor, "grant" can only be used if the attacker can "stack" queries and mysql_query() does not allow this and there for cannot be used in a sql injection attack.
4)Firewall off port 3306, or whatever port mysql is using. You should only allow ports that you absolutely need, and be extra careful with your database.
5)Run PHPSecInfo and make sure that that it doesn't throw "Red" warnings.
6)Run OpenVAS against your server, this is probably the first thing a hacker will do.