MyBB Forum Owner Interview #1 – Sharree

Posted on by

We recently contacted Sharree with an invitation to be featured as our first Big Board Owner (BBO) Interview. After seeing the results he has achieved with his MyBB forums, we were eager to hear his response. Fortunately for us, Sharree agreed to sit down and have a conversation with the MyBB Team.

storymunch

First of all, he has Sharree.com which is his first MyBB site, recently joined by a board which some of you may have recently seen in the Showcase section on the Community Forums — StoryMunch. The result of the advanced customization is amazing! Here are Sharree’s responses to our questions below.

What inspired you to create your sites?

Sharree is a site for small YouTubers to share and promote their videos. Being someone whose tried YouTube in the past, I know how disheartening it is to put a lot of time into a video and have little reaction or viewership. That is why I’ve aimed to create a platform that’ll ease the struggle for small beginner YouTube channels and bring more attention to them.

There were two MyBB powered forums back in 2013 that got me interested in the software. The first was LeeFish’s BlackCanvas project which was an image gallery for sharing abstract art, the other was brad-t’s Harajuju, a Japanese fashion community. Both sites were heavily customized using the XThreads system, prior to these two I had only seen traditional forums so I was absolutely amazed at MyBB’s capabilities and what could be achieved through the MyBB software. I was inspired by them both and in 2015 it lead to me selecting MyBB to power my site Sharree.com.

Do you have any exclusive plans for your sites?

Currently Sharree is a YouTube sharing platform that allows YouTubers to share and promote their content with other YouTubers. It has been a little over a year since the site’s launch and I feel it’s time for change. I’ve decided to expand the site further by allowing other sharing options including Twitch streams, SoundCloud tracks, Graphics, and Websites. I feel the site should have more leeway for content creators, not just catering to YouTubers. There is so much talent out there that deserves to be discovered, so I hope to make Sharree the hub for all content creators to share their talent whether it be entertainers, musicians, artists, or any other craft. I am seeking more forum growth with these changes. Along with this expansion I am developing a new flat theme inspired by Dribbble, Flarum, and Shade’s MyBBoost. I have been working on these changes and I’m looking to have them implemented by early March 2017.

What do you like about the MyBB software that allows you to create your sites as you desire?

I love the flexibility of the software and the freedom in customization. To be able to develop themes, modify templates and have extensive plugin choices has allowed me to create my site as I desire. If it wasn’t for MyBB’s freedom, I would have likely selected another software. Being someone who had minimal CSS, HTML, PHP, and SQL knowledge prior to Sharree, my coding knowledge is completely self-taught through the flexibility of the MyBB software. Being a complete beginner, the ease of use of the software was a bonus. Navigating the Administration panels becomes increasingly easy over time and once you’ve adapted to the software it becomes your playground for creating anything.

What would you recommend to people looking to start a forum?

With giant platforms like Google+, Reddit, and Facebook groups, social communities for any topic have become readily available and can be created by anyone with ease. I’ve heard people say “There’s a Reddit for everything” or “There’s a Reddit for that”, the fact is giant platforms like Reddit have made it increasingly difficult for starting forums to gain traction. I feel because of these giant platforms, forums have become less popular and relevant compared to the 2000’s. Despite this added difficulty for new forum owners, getting a new forum on its feet is not impossible. Creating and launching a forum is the easiest part, I feel less thought goes into pre-development planning and having a marketing plan for post-development. Have everything thought out and thoroughly consider if your forum concept is something that the internet needs and is worth creating. After development, marketing becomes the bedrock of your forum, without it your forum will have no activity. This was the area where my focus was lacking in past projects and it is where I see most new forum owners lacking as well. Posting your forum in Showcase sections of web-development boards, begging users to join, and shutting down after a couple of months is not a marketing plan. Invest your time into your project, do your research, if you believe in your project then don’t shy away from spending some capital, and don’t jump ship when things don’t go as expected. This is what led to me becoming a Big Board Owner.

What method(s) did you use to gain activity on your forums?

After launching my site I began contacting YouTubers individually, telling them about my site and what it offers. I’ve created a website for those struggling and talented YouTubers who deserve to be brought to the forefront. The site’s concept is something that YouTuber’s really needed and it had many of the people I contacted rushing to join the site. The growth at the beginning was quite slow but seeing many of the positive comments from the YouTubers I contacted, I became more and more confident with the site. The method that brought the most activity to my forum is influencer marketing, in May 2016 I began contacting larger YouTubers who’d recommend my site to their subscribers. I was hesitant about the cost but the turnout was amazing as the forum surged with activity. The sudden influx of users had me upgrading my webhosting plan three times in one day. With the increased activity I began offering users an incentive for creating videos about Sharree where their YouTube channels would be featured in the header of the home page. As of February 2017 there are over 6,000 video results for Sharree.com, all helping bring further activity to the forum.

What do you like most about the MyBB software?

What I like most about MyBB is the freedom in the software. Being able to play around with templates allows me to mold the software into something unique that stands out from ordinary traditional forum layouts. Plugins like XThreads and Template Conditionals by ZiNgA BuRgA are examples of the extensibility that the MyBB software offers, I don’t think turning a forum into a complete video, music, or image gallery would be possible with any other forum software.

What is one thing that you regret most during your development time?

One thing I regret is when my forum began getting a lot more activity, I panicked. Initially I was running the forum on my own with my friend Bobby helping with moderation. With the amount of reports we were getting we really needed more staff members, and we needed them fast. Instead of having applicants and selecting users best suited for the position, I chose the first users who volunteered. It was a disaster. To new forum owners, this should be obvious but I recommend you think thoroughly before giving users moderator privileges.

How much time and effort do you put into maintaining the boards?

On average about 20-30 hours a week are spent maintaining the board, sometimes more if big changes are being made or site updates are being implemented. Although most of the site’s development is done by me, I have to thank my staff team Jennifer, Shayne, and Ryan who help generate new ideas for the forum and ease the workload by voluntarily moderating the site on a daily basis. I’d also like to thank Sharree’s Mentor Team who voluntarily assist users by offering advice as well as their guidance.

Can you share on your forums’ profits?

I do not wish to reveal the exact amount I’m making through the forum, however to give you some idea of my forums’ profits: After one year of running the forum I felt secure enough to leave my part-time job and focus on my forum full-time. I am very grateful for my users as I am currently able to pay for my schooling without taking any student loans.

What are you hoping 2.0 will bring to a site like yours?

I am unsure if I will be upgrading Sharree to MyBB 2.0, it may be difficult to transition to the new version. Plugins that are essential for my forum’s functionality may need to be modified or completely rewritten although that cannot be answered until MyBB 2.0 is released. Based on the screenshots, videos, and demos I am very excited for its release. I will definitely download and experiment with MyBB 2.0 when it’s released, possibly using it in a future project.

Introducing the new Extend MyBB platform

Posted on by

This past October, we announced a comprehensive update was in the works for Extend MyBB. Today, we are pleased to announce that those changes are now live. As we mentioned then, the entire Extend MyBB platform has been completely redesigned with a new, far more intuitive user interface.

The majority of the functionality remains the same; however, there have been some notable changes and improvements worth mentioning.

What’s changed?

New build review process

Previously, when a new build was uploaded, it was marked as a dev build. These builds were available for download to the public. You could then mark a build as stable, which would then place the build in a queue for a member of the MyBB staff to review. This queue often became long, leading to siginifcant delays in reviewing builds. Additionally, the distinction between dev builds and stable builds was not abundantly clear.

Starting today, for both new and existing projects, you will be able to mark builds as development or stable at any time without any review from MyBB staff. Instead, there is a new Reviewed by Staff badge and queue, separate from the dev/stable status, to distinguish builds that have been reviewed by the MyBB staff. Both dev builds and stable builds can be submitted for review by MyBB staff. Whether or not a build has been reviewed by MyBB staff is indicated on the build’s download page.

All builds that, prior to today, had been marked as stable are now also marked as Reviewed by Staff.

Build version numbering

You can now specify a version number for each build rather than relying on the change logs and build numbers to differentiate between builds. Build version numbers do not have to be unique, meaning, for instance, you can upload development builds of a new version of a plugin before uploading a stable build with the same version number. When uploading a new build or editing an existing build, you also have the option of automatically updating the project’s version number to match the build you are uploading or editing.

Recommendations are now Stars

Recommendations have been renamed to stars. The functionality is identical; however, you can now see a listing of all projects that you have starred by going to your My Projects page and clicking on Stars. We felt the name change was appropriate given this added functionality.

Select multiple categories

There are often plugins (and themes) that fall into multiple categories. Previously, you were required to select a single category that best described your project. No more. You can now select multiple categories for plugin, theme, and graphics projects, or, if none of them fit, you don’t have to select any category (eliminating the “Miscellaneous” categories). Most of the plugin categories remain unchanged; however, theme categories have changed significantly and most themes will need to select a new category.

Translations improvements

In an effort to make finding the MyBB translation for your language easier, we have streamlined translations projects to ensure they will be more consistent moving forward. Translations can no longer upload preview images; instead, there are a number of pre-defined languages with pre-selected flags that you can choose from when uploading a translation. If the language for the translation you are uploading is not available, you can manually specify the language. However, we encourage you to contact us in Private Inquiries so your language can be added to the drop down menu, allowing a flag to be displayed alongside your translation.

Changes to preview images

Preview images can now be re-ordered rather than being displayed in an arbitrary order. Additionally, we now recommend you upload a square image of at least 200px x 200px for your cover image.

Additionally, due to changes with thumbnail sizes for all preview images, it is highly recommended that you re-upload your preview images so that the thumbnails can be re-generated at the appropriate size.

Wrapping up

A lot of time has been spent in redesigning and improving the MyBB Extend platform and we hope you find it easier to use. While it has undergone significant testing, it is still likely that there will be a few bugs in the upgraded platform. Please post about any bugs or issues you experience in the MyBB.com Community & Site Issues forum, including detailed instructions on how to reproduce the bug.

Enjoy!

Organizational changes in the MyBB Project

Posted on by

As the MyBB 2.0 development gains traction again — a joint effort of the Team and our technical Community — we are passing an important milestone in the area of the Project’s organization. Entirely new concepts, de-facto standards and unspoken rules, either improving the fluency within the Team or aimed at increasing MyBB’s maturity (and sometimes both), are being continuously brainstormed. We would like to share our progress so far in areas we are confident about.

PSR standards conformance from MyBB 2.0

World Standards Day / International standards day is celebrated internationally each year on 14 October. […] The United States held a 2014 U.S. Celebration […] on 23 October […].

Currently our coding standards are rather specific when compared to other projects in the PHP Community, and may be perceived unnatural (exhibit A: 1.8 development standards) — starting from 2.0, MyBB’s source will be fully conformant with PSR standards. While this means that we will be inevitably choosing a standardized side in one of the greatest arguments in the history of programming, which we have been avoiding for some time (exhibit B: 2.0 Dev Post #5), this decision will assure that our code preserves compatibility of coding style with other PHP projects and frameworks. This should lessen the confusion in Pull Requests and allow new contributors to adapt more easily.

Secure connections to *.mybb.com websites

A simple visit to any of our websites involves many platforms and servers: by connecting to our Documentation on docs.mybb.com, your requests go through our reverse proxy (currently provided by CloudFlare) to hit our Jekyll-powered website hosted on GitHub Pages from the Docs repository, whereas requests to the Blog you are reading this article on go to WordPress.com platform servers instead after following a similar path. Spreading our web presence in such decentralized manner has great advantages with independent availability being the most significant one, however maintaining them all becomes more complicated and introduces security risks with each addition.

In order to aid that, we have launched efforts to start enforcing HTTPS traffic to our websites and inserting security-related HTTP headers — although we don’t control external servers, we were able to set up the most important redirects and directives using the reverse proxy; these changes, combined with Subresource Integrity hashes for external content served on mybb.com and docs.mybb.com, provide a reasonable level of security given access limitations for any project that decides to set up their infrastructure in this fashion. If you happen to randomly browse the Chromium source code, you will discover that the mybb.com domain is now present on the HSTS preload list, making derived browsers enforce HTTPS upon first visit out of the box, helping our case a great deal.

Having control over the server hosting the Community forums and download Resources, we set up additional security headers that are now sent to the browser from both locations and our MyBB installation to serve cookies with the Secure flag, a feature shipped with MyBB 1.8.10. By using a MyBB plugin with a Node.js proxy server, external resources on our forums are now being delivered to users over a secure connection, resolving the issue of insecure content and enhancing their privacy by eliminating the necessity of downloading data directly from third party servers. Even when either one breaks, the Content-Security-Policy header will prevent insecure content from being loaded (the next major version of MyBB will make it possible to include all common security headers, as we will be aiming to eliminate obstacles like inline JavaScript).

You can take a closer look at the gritty details of our current setup here and here.

Team members’ PGP keys now available

The transition of our development process, now headed towards MyBB 2.0, largely impacts the organizational matters of the Project itself — one of recent preparations for an improved release management protocol that are easy to spot is the rollout of PGP keys that can be used to contact Team members, if you have a feeling that your messages sometimes have more recipients than they should (or if you’d rather be safe than sorry and use it out of principle, like we do). These can be found on our refurbished Team page that now also links accounts on social media, acting as backup channels of communication.

Packages integrity and authenticity measures

While keys and fingerprints present themselves excellent on our website, they won’t be used (only) for aesthetic purposes: we will start signing MyBB releases. Designated Team members will be able to submit a public key that will be added an announced on our website and and social media feeds for transparency purposes.
Further, while the hashing algorithm used for internal file verification and passwords in MyBB 1.8 is weak in today’s standards due to the codebase’s age, there is a lot of room for improvement when it comes to verifying the packages. If you’ve been paying attention to the release notes, you’ve probably noticed that we started publishing additional, stronger checksums for each release package as of MyBB 1.8.8. These actions are intended to provide webmasters with a degree of confidence when it comes to integrity of MyBB packages while still maintaining focus on the development of MyBB 2.

Vulnerability assessment with CVSS v3

We always have been trying to provide as much information as we could when it came to security patches after an update, however we were not quite satisfied with limiting the security issue index to a simple low-medium-high scale used in MyBB 1.x. MyBB’s RFC #9 has established one of major foundations of the security process, starting with MyBB 2.0: Each vulnerability fixed in given release will have a CVSS v3 score assigned, as specified in the Common Vulnerability Scoring System, V3 document. The 8 basic metrics will allow us and any third party user, team or organization to assess the exploitability, scope and impact of vulnerabilities and to adjust the rating by adding extra details within the same scale using Temporal and Environmental Metrics, allowing system administrators to prioritize and organize proper responses. For example, a SQL Injection vulnerability in the Moderator Control Panel could be assigned a score of 6.3 (Medium) comprising of base metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, all of which would be published in release notes of corresponding releases.

Spotlight on security research

Another significant part of the Project’s organization plans is to launch a Security Hall of Fame. Researchers reporting security issues and vulnerabilities, provided they follow responsible disclosure standards, will be placed on a dedicated list in recognition of their time and cooperation. In accordance, MyBB will promote post-incident analyses and write-ups, aiming at increasing security awareness and promoting community-based code reviews. To supply you with latest details and articles related to MyBB’s state of security, we have launched a dedicated, technical Twitter feed — make sure to follow @mybbsecurity to let us help you maintain a strong grip on your board’s security.

MyBB 1.8.10 Released – Maintenance Release

Posted on by

MyBB 1.8.10 is now available from the MyBB website, and is maintenance release.

What’s added/changed in this version?

This release fixes 22 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

We’ve decided to publish MyBB 1.8.10 only 3 weeks after the previous release to fix an issue breaking some Javascript-based features that was introduced with MyBB 1.8.9.

Please view the 1.8.10 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.9 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 5 language files and 11 templates were changed or added.

If you’re using MyBB 1.8.9:

  • Download and use the Changed Files Package
    • MD5: 9695cb97ff6928640c72436ce3667b05
    • SHA1: 16fd567b118525e0619c6749f27da96c8ceec1a9
    • SHA256: 6eae4b078283a533797ee9692d436b45309c79af4657c9885f79606c50365ec3
    • SHA512: 124cdafcfad72a72ad71d8bbab1c30c335e20edfa89af1976963531e7bebcfdcb4e353a11191d3ef3b2af66effe402e30e093f52c3bea3b3e17d68f6247ba7d9
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.8 or lower:

  • Download and use the full 1.8.10 Release Package
    • MD5: 40868d918262384ce4c1d31399f66b4d
    • SHA1: 192f0c7949e867c800bafd06640bf4b7d1cac6ea
    • SHA256: 34907b26e7534327b828ae7d98d4ab9e5184f985ef8c155fd2b8690809ce6dc0
    • SHA512: cb4584f00c60b757f9ce72e16a8eb8596cc8d4d22bed38085b6967706ab08c1c1bdeb7effba578c388156b57862266a8b30ce181c47968ddb1c1ce7691bec66b
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix an issue causing incorrect last post information on index.

If you installed or updated your forums using either the full or changed files packages prior to 20:00 p.m. on January 12, 2017 GMT please download a fresh package from the links above and replace the following file:

  • inc/datahandlers/post.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise of any inconvenience.

MyBB 1.8.9 Released – Security & Maintenance Release

Posted on by

MyBB 1.8.9 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz

Please view the 1.8.9 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.8 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files and 85 templates were changed or added.

If you’re using MyBB 1.8.8:

  • Download and use the Changed Files Package
    • MD5: cd4f736ef9c3b20136203350468ad23d
    • SHA1: 3208c50d35aacc9d51d195de8ccc33aed1e3b1c6
    • SHA256: c153236148457ae1ea2a62b8c7c15a11a093ab436ae6ea416c8cf9ca2bf53687
    • SHA512: 1e16aeae125a1e2edf966866d53c51ce9b5d7568214c6244efc4976d4af16186e3f9f10f8eafbd5f5de3210a1fada6635fea7c97bb09afe3d1c9bf3e368bfa3d
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.7 or lower:

  • Download and use the full 1.8.9 Release Package
    • MD5: b1a8fbdb4d8a888f7757be14cd658662
    • SHA1: d30f95de2e2142a46e4a34e0d26a8d3f5762cb22
    • SHA256: cc4a015edb96b587a74b3d54c00bf2ecd4be6ff2efec8b24caae90c538b42e89
    • SHA512: b18ffd2797f2f6fc775fda7b47c6d4b63d36f0e8c57ee1ce6797de8e600f741df2cc1bce713723b12d2374e723289641ab3a10248f5ba53672f5765bed836056
  • Follow the Docs Upgrading Instructions

To update existing themes the following CSS code needs to be added to global.css:

.deleted_post_hidden {
	border-top: 2px solid #ccc;
	padding: 15px;
}

.deleted_post_collapsed {
	border-top: 3px solid #333;
	padding: 15px;
}

.deleted_post_collapsed .show_deleted_post {
	margin-top: -15px;
}

.deleted_post_collapsed .show_deleted_post a.button span {
	background-position: 0 -400px;
}

Note: JavaScript-related bugs discovered
We have found that some JavaScript-based functions (like the inline moderation) may not work properly under MyBB 1.8.9. Please refer to the Community thread for detailed instructions on how to patch the code while we prepare a fixed package.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Securing your MyBB forums with HTTPS

Posted on by

The Web has been using encrypted WWW connections for over two decades now. First used by entities processing critical information on the Internet like banks and online shops, https:// is progressively becoming the protocol an everyday user would expect as of 2016: the Google Transparency Report shows that the average number of page loads over HTTPS has exceeded 50%, similarly to telemetry data trends from Mozilla, aided by Let’s Encrypt, a new certificate authority issuing free certificates since April.

With the dependency on Internet communications heavier than ever, simple and common mistakes often result in leaks and breaches that endanger not only the security or integrity of services, but also the privacy of their users: passwords, real names, locations, e-mail and IP addresses, browsing patterns and other personally identifiable information. Even static websites receive such data and the argument of not expecting to process sensitive information is not valid.

TLS has exactly one performance problem: it is not used widely enough.
Everything else can be optimized.

The range of possible attacks on unsecured websites is broad and you may not always be aware of the risks of providing and using websites using the unencrypted version of HTTP. Simply launching a rogue Wi-Fi hotspot in a public place can allow anyone to intercept raw traffic without much hassle. Similarly, Internet service providers and mobile network operators can allow governments to put their hands (however tiny they might be — the governments, of course) on your data regardless of intent or permissions, be forced to do so by the law or have their communications eavesdropped by passive interception of traffic.

Besides protecting services and people, upgrading the protocol has many upsides — the new HTTP/2, increasing the speed of web connections, is available only when used with encryption; using HTTPS, Google will prioritize your website in the search results. Encrypted transmissions mean that nobody will be able to manipulate your pages to inject malware or own ads, which is often the case with public access points or airplane connections. In order to push the adoption of encryption, major browsers will start notifying users of the dangers resulting from using unsecured websites. MyBB is proud to support this movement of creating a faster and safer web.

Chrome for Android UI's HTTPS indication

Secure connection to the Community forums — so claims Chrome for Android

The HTTPS setup tools are being constantly improved and the process is getting easier and faster, moreover you can find numerous guides and tutorials for different platforms and scripts. What’s been missing though, is a list of steps specific to MyBB because not every board administrator is experienced enough to make use of instructions that are either very generalized or very specific — for scripts other than ours.
Having jumped into the rabbit hole of technical details of securing our project’s websites and climbed back (which we’ll shed light on soon!), we created a comprehensive guidebook on enabling HTTPS that covers the most vital aspects of securing boards you manage.
We strongly recommend all webmasters and administrators upgrade their installations if they’re not running on HTTPS yet as soon as possible and encourage to consider the security and privacy of their users with utmost importance: every secured location makes a difference in today’s interconnected web.

Setting up HTTPS — MyBB Documentation →

Project Updates November 2016

Posted on by

As there have been a number of changes to both the team structure and some development going on, we thought it was time to share some updates on what’s been happening behind the scenes.

Team Changes

There have been a number of changes to the structure of the team over the last couple of months, with a few people leaving, some fresh new faces and some familiar faces returning to the team.

Resignations

We wish farewell to the following team members, and thank them for all of their hard work and contributions:

All of these members left the team because they had limited time. We wish them all the best and we would welcome them back should they find the time to contribute to the project again.

Additions

As well as departures, we also have some new (and some not-so-new) faces joining the ranks.

  • dragonexpert – Recently joined the support team again! He has been helping clear the mods queue since he rejoined the team and we can only thank him for his hard work so far.
  • Shade – Shade has rejoined us on the SQA team, we welcome him back and we are sure that he will contribute to the project.
  • Brad-T – We invited brad to the team to help share his community management expertise with us. We are sure he will help with community issues!
  • Matslom – If you have been following the 2.0 GitHub repo you will see Matslom has been contributing for some time now, including coding the warning system.
  • Wildcard – Another old team member who joined us back, we welcome him back and we are sure he will contribute fully.
  • JordanMussi – Jordan is also a old team member who has joined the community team, We are glad to have him back on board!

Mods Site Queue

It has been no secret for a while that we have had quite a back log of modification submissions waiting to be checked by the team as part of our extensive approval process. With a special thanks to dragonexpert and shade, the mods queue has taken a severe beating over the last couple of weeks, with there being no projects waiting for review for a short time for the first time in a long time!

As ever, if you’ve submitted a project and not heard anything about it being approved or denied, please do feel free to create a new topic in the Private Inquiries forum.

1.8 Development

Over the recent weeks we have had a lot of development progress on the MyBB 1.8 series. A lot of issues have been either getting PR’s fixing them or we have been rejecting them due to the age of the 1.8 series. We have also been reviewing the 1.8 bugs forum and highlighting any issues we felt need to be fixed. We are looking to get the issues on GitHub to current issues that need to be fixed before we move complete focus (except security fixes) to 2.0. Due to the high amount of bug reports we have been unable to reply to every issue but we have compiled an internal list and we are looking at this.

2.0 Development

Recent development on the 2.0 series has been slow, but recently we have seen a large increase in contributions from outside the team. Matslom (who has since joined the team), for instance recently submitted a great Pull Request to add a warning system to 2.0 which has now been merged into the main branch. Additionally, Paradigm has been working on implementing an installer system for 2.0 – something that has been planned for a while and kept being bumped down the priority list.

A lot of the discussion around these developments has been happening on the #20-development channel on the MyBB Discord server, and we would encourage anybody interested in contributing to the development of MyBB to pop in and see what’s going on!

MyBB 1.8.8 & Merge System 1.8.8 Release

Posted on by

MyBB 1.8.8 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Style import CSS overwrite on Windows servers – reported by patryk
    • Medium risk: SQL Injection in the users data handler – reported by afinepl
    • Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski
    • Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam
    • Low risk: Stored XSS in the ACP – reported by patryk
    • Low risk: Loose comparison false positives – reported by Devilshakerz
    • Low risk: Possible XSS injection in ACP users module – reported by afinepl

Please view the 1.8.8 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.7 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 23 language files and 64 templates were changed or added.

If you’re using MyBB 1.8.7:

  • Download and use the Changed Files Package
    • MD5: 43028accb46eecf8016ef5fdc4fe522a
    • SHA1: 2c9985353e87c8710bdcdcf1856b0a6c63961317
    • SHA256: bb479145b44f169c301c21425f78742d8cacd9fd9ef4543c2a5e39ab540f769e
    • SHA512: 47ddbd601d008e9cb7309b328d36df95f901d1935593ded61e70cef22dc1312257266e056e5ea9d214babfd47a0aeb9560e9d11a5abb8d68a244f442467c41854a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.6 or lower:

  • Download and use the full 1.8.8 Release Package
    • MD5: 2e09c9fd3b2416ac3fea9bada18d61e5
    • SHA1: 2b8469cb42c3a66ec7e3253aa0cced464585d3dd
    • SHA256: e63bd3ce5b8a7c4166102baa75f0aab1d12fc64379658a027d8bf49a437a469a
    • SHA512: 8dec5923737b11deae578ed02f259acda01ca5bcc9032bc01df1e2d77ce36c54f87e66e42850460c8ea07515d99d4b5da4a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

This update includes security fixes that may need your attention:

  • Additional rules disallowing access to the database backups directory (admin/backups/) were added to htaccess.txt and htaccess-nginx.txt, addressing a security issue affecting Windows installations – remember to update your configuration files.
  • $config['disallowed_remote_hosts'] and $config['disallowed_remote_addresses'] variables, containing default loopback hosts and IPv4 addresses, were added to the inc/config.php file, addressing a SSRF vulnerability – remember to update your configuration files and, if applicable, add further hosts and/or addresses that MyBB shouldn’t attempt to access.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.8

MyBB Merge System 1.8.8 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.7, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 5 bug fixes (View all)
  • Preliminary support for merges from vBulletin 5 installations. This module hasn’t had a lot of testing, so please report back with how vBulletin 5 merges go and always test your merge on a local machine first.

Important note

This will be the last release of the Merge System 1.8. We’re instead concentrating development efforts on MyBB 2.0 and a brand new Merge System to accompany it – please stay tuned for more news on the new merge system!

Thanks,

MyBB Team

Project Updates October 2016

Posted on by

Recently we have made a number of notable changes to the community and MyBB website. We’d like to share with you what we’ve done and how you can get involved.

RFC Process and transparency policy

For over a year now, the MyBB Team has been using an internal Request For Comments process as a decision making mechanism for issues with high impact on the Project’s present and future as well as a mean of assuring team-wide consensus on matters related to its organization and development. Recently we have decided to start publishing our RFC documents, putting us closer to the goal of maximum transparency. Accordingly, solid plans, workflows and protocols explaining what exactly happens behind the scenes will be posted on our websites as they emerge to enable external feedback and simplify the process of Team onboarding.

You can find all RFC documents that were cleared for disclosure in a dedicated section on MyBB.com.

Code of Conduct in force

As previously announced, we have joined an impressive group of open source projects you may already have heard of by adopting a Code of Conduct provided by the Contributor Covenant. This addition allows us to centralize rules and guidelines that apply in our development and community ecosystems in order to assure professional and inviting environment for everyone interested in getting involved. You can find the new document on our website.

Moving to Discord from IRC

The MyBB IRC channel over at freenode has not been bustling with activity for a while despite several attempts to bring it to life, so internally we discussed and tested alternatives to IRC. Looking for something that is easier for the whole community to engage with, we circled in Discord, which fulfills our needs for accessibility and moderation features. We invited the community to help us during the testing phase and are grateful for those that did – you can already find many members of the MyBB Team on Discord in addition to other valued members of our Community.

While the adoption of the platform appears to be successful, we’ve decided to continue maintaining our IRC presence at #mybb and registered a freenode group to gain more control over our channels. In order to keep the chit-chat uniform, we plan to connect it to Discord using a bot that forwards messages both ways from the IRC channel to its counterpart on Discord — this will assure that no question will go unnoticed.

We’ll see you there!

Join the conversation →

Up Next: Updates to Extend MyBB

While not ready to go live just yet, we are excited to share an update on something Justin, our lead designer, has been working on for the past few weeks: a major visual update to the Extend MyBB platform, commonly known as the MyBB Mods site.

The visual update touches all public-facing aspects of Extend MyBB, simplifying navigation and making its interface easier to use while maintaining existing features. There’s still some more work to do before it’s ready to launch, but we’re sure you’ll love it.

Shuttering of the 2.0 host compatibility repository

Posted on by

Not long ago, we started a new project to gather information about the PHP versions that various web hosts support. The aim of this project was to gather a list of web hosting companies who would be able to host the upcoming MyBB 2.0 release.

Since starting that project, we have received several contributions. However, we’ve also since changed the PHP version requirements that we will require for 2.0. As such, we are closing the mybb/2.0-Hosts repository and instead asking that users please make use of the PHP Versions website to track the PHP versions on offer at different hosts. This website operates in a similar way to the old MyBB project, but is much more widely used and already contains information for lots of different hosts. For more information on contribution to the PHP Versions website, please see the contributing guide.