voices of Egypt

Friday, May 19, 2006

How to secure your forums, third part of the planning guide

[Rev 0.1, Requires Revision, please excuse any language mistakes]
Back to the forum planning guide: this part covers how to consider security in your plan.
8-Security
First, let's discuss what security means for a forum. Securing a forum is concerned with:
1-Privacy of users' details, private messages and any unshared data
2-Protection against spam
3-Protection of users' passwords
4-Protection against bandwidth abuse
5-Protection against attacks (server, code, etc.)
6-Protection against content overload (multiple registrations, posts, etc.)
7-Protection against abuse and harassment
8-Protection against misrepresentation
9-Protection against shadowing and cloning
10-Protection against hardware failures
Let's talk about each in more detail:
1-Privacy
You need to make your users confident that their profile details, private message box, dashboards, settings, notepads, private folders and images are all secured and shared only according to the user's chosen settings, and that no other users, moderators or administrators are sneaking around checking their private data.
You can help ensure that by using technology that encrypts their data in storage, by making all parties agree not to break that rule in the user agreement, and by stating it in your disclaimer and legal statements.
2-Spam
Spam is all about unwanted posts: content that is out of place, that advertises other sites, forums or services, or that misleads users and spreads false rumours. You need a clearly defined, strict policy against spam; all your moderators should monitor posts for such content, and punishment (banning, and blocking of the content, users and IP addresses that were its source) should follow.
You also need measures that protect your forum from automated spam generated by bots. You might need an image-based validation step (a CAPTCHA) before a post is made, or an enforced time span of 5 minutes or so between each post, comment, blog entry, etc. and the next one.
3-Authentication
It is very critical that you protect your users' passwords, because once an account is hijacked and someone impersonates another user, posting and sending messages around the place under that user's identity, the result is huge damage in terms of users' trust.
Use up-to-date technology for authentication, encryption and protection of data, both in transit over the wire and at rest in your database.
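As an added example (not code from the original post), this is what "protection of users' passwords" looks like in practice: never store the password itself, only a salted, slow hash, and compare in constant time. The iteration count is an assumed policy value.

```python
# Added example (not from the original post): store forum passwords as salted
# PBKDF2-HMAC-SHA256 records and verify login attempts in constant time.
# Standard library only; ITERATIONS is an assumed work factor.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed policy value; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, attempt: str) -> bool:
    """Recompute the digest from the stored salt and iteration count, then compare
    with hmac.compare_digest so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: fail closed rather than crash


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy; call after a
    successful login and re-hash with the password you just verified."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```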
4-Bandwidth
All servers have limits: according to your hosting plan, you have a limited amount of allowed bandwidth and traffic. You have to make sure users are not abusing your forum by referring other users to content on your forum through direct links, or by embedding the photos or multimedia in their own website so that nobody visits your forum or even knows it exists (hotlinking). A measure against that is configuring your web server not to serve such content for requests that do not originate from your own site.
You should also protect your service against users opening multiple sessions of your forum and exhausting your bandwidth. Limit that in terms of sessions per IP address or per logged-in user. Most forums also don't serve any content until you register; otherwise guests have nothing to read but the disclaimer and privacy statements.
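An added example (not from the original post) of the two bandwidth guards above, written as plain functions a forum front-end could call before serving a file: a Referer-based hotlink check and a per-IP cap on open sessions. The host names and the session cap are assumed values.

```python
# Added example (not from the original post): hotlink check plus a cap on
# concurrent sessions per client IP. OWN_HOSTS and MAX_SESSIONS_PER_IP are assumed.
from typing import Optional
from urllib.parse import urlsplit

OWN_HOSTS = {"forum.example.org", "www.forum.example.org"}  # assumed forum hosts
MAX_SESSIONS_PER_IP = 3                                       # assumed cap
MEDIA_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".mp3", ".zip")


def allow_media_request(path: str, referer: Optional[str], own_hosts=OWN_HOSTS) -> bool:
    """Serve media only when the Referer names one of our own hosts.
    Non-media paths are never blocked. A missing Referer is allowed, because
    many browsers and proxies strip it; an explicit foreign Referer is refused."""
    if not path.lower().endswith(MEDIA_SUFFIXES):
        return True
    if not referer:
        return True
    host = urlsplit(referer).hostname  # exact host match: "ours.example.org.evil.net" fails
    return host is not None and host.lower() in own_hosts


class SessionLimiter:
    """Track open sessions per IP and refuse new ones beyond the cap."""

    def __init__(self, max_per_ip: int = MAX_SESSIONS_PER_IP):
        self.max_per_ip = max_per_ip
        self._open: dict[str, set[str]] = {}

    def open_session(self, ip: str, session_id: str) -> bool:
        sessions = self._open.setdefault(ip, set())
        if session_id in sessions:
            return True                      # re-opening a known session is fine
        if len(sessions) >= self.max_per_ip:
            return False                     # this IP is already at its cap
        sessions.add(session_id)
        return True

    def close_session(self, ip: str, session_id: str) -> None:
        self._open.get(ip, set()).discard(session_id)
```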
5-Attacks
Hackers will attempt to break into your service; this is just a fact and you cannot escape it. So better take all measures and steps to protect your service, on all levels, starting with your host and ending with your forum software.
Learn about your host, your server, your web server, the file system, everything related to the service, and how well each is protected: are there any published updates or vulnerabilities that are not yet patched? Check for all that and secure it, or ask the host to do it for you.
Then comes the database: secure it by applying patches, using secure connections and strong passwords, try to have your data encrypted, and have it backed up and cleaned on a schedule.
Choose proper forum software with good, proven security; be aware of any updates the vendor releases, subscribe to their newsletter, and have a good developer on your team if possible, who can from time to time anticipate vulnerabilities or problems with the service and help you patch them.
Do not expose critical details about your host, database or administrative login to anyone who is not trusted.
Be ready for denial of service attacks or worms that eat users' contact lists and send them endless amounts of spam. The moment such an attack finds a way in, be ready with a plan to immediately stop the service: take the forum offline and change the database password to halt the attack and reduce the damage. If you managed to rescue the logs, find out who did this and report it to your host, the FBI and all related agencies.
6-Flooding
Take sufficient measures to prevent abusers from posting duplicate posts or comments, or registering multiple times, thus flooding your service with useless information.
This will irritate your users and might drive them away.
Try certain strategies to prevent that: you could use validation images with characters and numbers in them that the user has to type back to prove he's human. OK, now it is a human; how do you prevent that human from repeatedly posting the same content? Simply block that IP address or user from posting a second time in less than a certain amount of time.
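As an added example (not code from the original post), this throttle implements the two rules from the Spam and Flooding sections: a minimum interval between posts per user or IP, and a refusal of text already posted by the same principal within a window. The interval and window lengths are assumed values; the principal name is the user name when logged in, else the client IP.

```python
# Added example (not from the original post): per-principal posting throttle with
# duplicate-content detection. MIN_INTERVAL and DUPLICATE_WINDOW are assumed values.
import hashlib
import re
from collections import deque

MIN_INTERVAL = 5 * 60          # seconds between posts (the "5 minutes or so" above)
DUPLICATE_WINDOW = 24 * 3600   # seconds during which identical text is refused


def _fingerprint(text: str) -> str:
    """Normalise whitespace and case so trivial edits do not evade the check."""
    canon = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class PostThrottle:
    def __init__(self, min_interval: float = MIN_INTERVAL, dup_window: float = DUPLICATE_WINDOW):
        self.min_interval = min_interval
        self.dup_window = dup_window
        self._last_post: dict[str, float] = {}   # principal -> time of last accepted post
        self._recent: dict[str, deque] = {}      # principal -> (time, fingerprint) pairs

    def check(self, principal: str, text: str, now: float) -> str:
        """Return 'ok', 'too_fast' or 'duplicate'; records the post only when accepted.
        `now` is passed in (seconds) so the caller controls the clock."""
        last = self._last_post.get(principal)
        if last is not None and now - last < self.min_interval:
            return "too_fast"
        fp = _fingerprint(text)
        recent = self._recent.setdefault(principal, deque())
        while recent and now - recent[0][0] > self.dup_window:
            recent.popleft()                     # expire fingerprints outside the window
        if any(f == fp for _, f in recent):
            return "duplicate"
        recent.append((now, fp))
        self._last_post[principal] = now
        return "ok"
```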
7-Abuse
Do not tolerate any reported incident of harassment or abuse against one of your users.
You cannot allow any user to use your forum as a channel for crime, abuse or any type of misconduct; you need your moderators checking for any report of that kind. Keep an always-open channel for reporting such activities, either through direct links on the forum, an email address, or instant or private messaging to a moderator. Take these reports seriously, and verify them before taking any action.
8-Misrepresentation
Stay alert to what other sites, forums, partners and affiliates write about your site and its users, and how they represent your goal and mission. Many won't like a successful site to exist, so they will start fighting you by misrepresenting your service, users and content. Try to handle this and solve it early enough: target the roots of the problem and deal with it.
Always be clear in your content, make your policies transparent and stay close to your team and users. This way rumours will never find a place in your community, and your users will act as your ambassadors, praising your service and inviting others to enjoy it.
9-Cloning
Many webmasters would plan to build a business on your successful content. They will try to clone (copy and paste) the content you have, invite your members, advertise their service and claim they were the original owners and authors of your content. There are many ways to fight back. First of all, why not publish a legal channel for anyone to consume and read your content without visiting your website's interface? They are still consuming that service from your web server, it still carries your forum's name, and they may even be your registered users. You can do that through feeds: RSS, Atom or others.
Now, to prove your content is genuine and your users are the ones who created it, make sure enough search engine bots are crawling your forum, taking in your content and tagging its date.
Your feeds should carry that time tag as well.
Work on having a copyright statement everywhere, and investigate the exact legal statements required to protect your content and sue anyone who duplicates it without prior notice.
10-Backup
You will always need backups. You never know what might go wrong with your configurations; maybe you face an attack and have all your data wiped. What happens if there is a hardware failure and all your data is unrecoverable? You always need ready backups, snapshots, incremental ones: have your own backup plan.
You need to consider the available space, media, speed and importance of the data when choosing a backup plan. Try to automate that task, and also automate the recovery task so it is easy to get your service back up and running fast.
Consider all the above security measures when choosing a host, forum application, database and management team.

More about the revenue and business planning for your forum is in the next part.
