Securing your MyBB Installation

There are many things you can do to keep your MyBB Installation secure – the below list contains 5 basic ways to make sure your MyBB Forum is as secure as possible. I’ve tried to keep it as simple and concise as possible. Leave a comment if you don’t understand and we’ll clarify.

  1. Keep your MyBB Software Up-To-Date – Always make sure your running the latest version of MyBB. Using the Version Check tool from your Administration Control Panel you can always check for the latest version of MyBB and latest announcements.
  2. Sign up to the MyBB Mailing List – By signing up to the MyBB Mailing List you can receive notification of important MyBB updates and releases, allowing you to update your forum in a timely and fashionable manor.
  3. Rename your “admin” directory – Renaming your admin directory to something else will greatly reduce the risk of someone being able to hack their way into you Administration Control Panel.
    1. Using an FTP Program navigate to your forum directory.
    2. Find the ‘admin’ directory and rename it to something less obvious. If you want to be really secure you can use an online program to generate a name for you. For example:
    3. Now that you’ve renamed your admin directory we need to update the configuration file so MyBB knows what it is called. Navigate to your ‘inc’ directory and open up config.php using a Text Editor such as WordPad.
      1. In config.php Find:

        $config['admin_dir'] = 'admin';

      2. Replace with the new admin name (where admin-name is the name of the new admin directory you set):
      3. $config['admin_dir'] = 'admin-name';

    4. Save the file on your server.
  4. Backup Regulary – Backing up your forum regularly is the best defense you can have against hackers. At least once per week! MyBB Offers a Backup solution in the Administration Control Panel under Backup Database. For more information and alternative ways see our wiki: (Note: MyBB 1.4 allows for automatically backing up your database.)
  5. Keep MySQL, PHP, and Apache Up-To-Date – Hackings of your forum aren’t always caused by exploits in MyBB. Often hosts are running months old versions of MySQL, PHP, Apache, and even other programs and extensions riddled with security exploits. If you find your host is running an old version urge them to upgrade as soon as possible. If you own your own server you can respectively find updates at, and

We’ll have another, more technical blog post on security for all of you IT pros (or in training, of course) later on.

22 thoughts on “Securing your MyBB Installation

  1. Great tips! I use all of them

    If your site have SSH feature an easy way to backup databases is:

    mysqldump –databases

    Then download the .sql files with a FTP Client

  2. Thanks for the informative article! I had certainly never thought about renaming the admin folder (although knowing me I’d probably have forgotten the name the next time I logged in) but the step-by-step info really does help πŸ™‚ With regards to database backup, since I use WordPress on the same database, I use a WP plugin to automatically backup the file to another folder on the server, and email the gzipped file to my email account once a day at the very least. However, the latter has stopped working recently due to the size of the .gz file.

  3. I wouldnt have thought of changing the admin area either.
    Makes complete sence though. Will do that right away.
    Certainly helps when they offer how to do it.
    Keep up the great work.

  4. Great tutorial, few simple steps which can help reduce hacking attempt πŸ™‚

    About that last comment, why would that cause problem when you upgrade to 1.4 ? As long as the config.php contains the admin_dir setting I sure can’t see how this could cause any problem…

    Plus, don’t you trust the dev team to be consistent πŸ˜‰ ?
    I know I do…

  5. Am currently considering changing to your BB and currently using WebWiz. The website has member security on a portion using ‘Spooky’. If we were to change to ‘MyBB’ would I be able to easily attach to the ‘Spooky’ user database to couple security issues?

Comments are closed.