
System: Security and Privacy


Admin CP --> System --> System Settings --> Security and Privacy

One of the most important settings groups in IP.Board is your security and privacy settings. Most of the raw definitions of each setting are explained in-context in the AdminCP. We will go over those needing more explanation and best practices.

Security [Bot/Script Protection]

It is an unfortunate reality that online communities, much like your email box, are the target of spammers every day. IP.Board uses Captchas and a question/answer feature to attempt to tell the difference between a human and a bot (computer program) attempting to register on your community.

A Captcha is an image displayed to a user with text. The user is then asked to retype the text in the box to confirm that they are a human. While never 100% foolproof, Captcha systems provide a first line of defense. IP.Board ships with a built-in Captcha system and also an option to use the <a href='http://www.recaptcha.net' target='_blank'>reCAPTCHA</a> service. We <i>highly</i> suggest using the reCAPTCHA service: because the service is centralized, updates can be pushed to your community if a spammer were to find a way to circumvent the protection.

The question and answer option (configured separately from the link on this page) adds a customizable layer of protection to your community. Using this feature you can have IP.Board ask the user a question which they would find easy to answer but a computer program would not. Click the link in the description for more information.

<b>Note:</b> Even with these protections, spammers can still register accounts on your community. Much like email spam, you can lessen the impact but never eliminate it. For example, some spammers may employ real people to break the Captcha codes then give the new account to a bot. There is little that can be done about that at this time but we are working on new solutions. In the interim, consider the user group promotion limitations as a way to control new account permissions.

Default CAPTCHA Options

If you choose not to use reCAPTCHA and use IP.Board's built-in Captcha system, this setting controls whether IP.Board should look in the <i>/style_captcha/captcha_fonts</i> directory for fonts to use when generating the image. You can upload your own fonts to this location and IP.Board will randomly use them to generate the Captcha image. By using unique fonts you have a better chance of protecting your community. Note that if you are using reCAPTCHA you can ignore this section.

reCAPTCHA Options

The <a href='http://www.recaptcha.net' target='_blank'>reCAPTCHA</a> service is provided at no cost to you from reCAPTCHA.net and its sponsors. The settings in this area allow you to customize the service as provided by reCAPTCHA.

The API settings will work as shipped, and we would like to thank reCAPTCHA for providing a global API key for use by all IPS customers. This means that reCAPTCHA will work right out of the box with no configuration on your part.

Security [General - High]

The settings in this group apply to high-level authentication of a user and, in general, they can be left as they are by default.

Brute-force Account Locking

Brute-force is a method by which someone will attempt to gain access to an account by quickly trying various password combinations. If IP.Board detects the number of failed attempts defined here, it will automatically lock the account for a specified number of minutes. You can also choose whether the account should be automatically unlocked after that time or whether an admin should review locked accounts first.
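As an added illustration, and not IP.Board's own code, the following Python sketch models the lockout behaviour this setting describes: a per-account failure counter, a lock lasting a configurable number of minutes, and the choice between automatic unlock and waiting for admin review. The policy numbers and the credential store are constructed for the demo.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    max_failures: int = 5      # failed logins allowed before the account locks
    lock_minutes: int = 15     # how long a lock lasts
    auto_unlock: bool = True   # False: the lock stays until an admin clears it

@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[datetime] = None

class BruteForceGuard:
    """Counts failed logins per account and locks the account past the threshold."""
    def __init__(self, policy: LockoutPolicy, passwords: Dict[str, str]):
        self.policy = policy
        self.passwords = passwords   # constructed credential store for the demo only
        self.state: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self.state.setdefault(username, AccountState())

    def is_locked(self, username: str, now: datetime) -> bool:
        st = self._state(username)
        if st.locked_at is None:
            return False
        expired = now - st.locked_at >= timedelta(minutes=self.policy.lock_minutes)
        if self.policy.auto_unlock and expired:
            self.state[username] = AccountState()   # lock expired: reset the counter
            return False
        return True   # still within the lock window, or awaiting admin review

    def attempt(self, username: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        if self.is_locked(username, now):
            return "locked"
        st = self._state(username)
        expected = self.passwords.get(username, "")
        if username in self.passwords and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0   # successful login clears the failure count
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_at = now   # threshold reached: lock the account from this moment
            return "locked"
        return "denied"

    def admin_unlock(self, username: str) -> None:
        self.state[username] = AccountState()   # the admin-review path: clear the lock by hand
```

Note that the lock is keyed on the account, so the same account is locked regardless of which client sent the failed attempts, which is what the setting described above does.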

Security [General - Medium]

IPS suggests keeping the secure email and flash settings to Yes for general usage.

While any image could be made into a dynamic script, IP.Board uses accepted security practices to minimize the impact of any dynamic images that may be posted. However, for extra security, you can disable image posting globally. If you do please note that your members cannot post any images in their posts: only text will be allowed.

Removing the ACP link from the board is useful when used in conjunction with the option to change the ACP folder name. You can then "hide" the ACP directory by naming it something unique. If you remove the link from the board header, even if someone compromises your account the person will not know the URL to your ACP.

Unless you have highly sensitive data, using a secure connection for your community (https) is not advised as it will slow down page response time. However, you can use this setting to enable https only for the login page where you enter your password. This setting simply changes your normal board URL to https for that page.

Security [Managing Members]

This section contains various settings on managing your member registrations and global permissions.

<b>New registration email validation</b> contains various settings on how new members should be validated when they create a new account. You can disable this completely or choose a combination of email or admin validation. Email validation places the member in a Validating member group until they receive an email and click the validation link in that email. Once validated, the user is moved to your default Members group. Admin validation requires that an administrator manually approve new accounts.

IP.Board contains an option through which moderators and administrators can flag a user as a spammer. You can control the behavior of IP.Board when a user is flagged as a spammer. <b>When a member is flagged for spamming</b> you can choose to have IP.Board perform certain actions in addition to logging that report in the spam member list. If you choose to unapprove posts on report, IP.Board sets all of the member's posts within the specified <b>number of days' worth of posts</b> to hidden. Moderators can still see the posts but members will not be able to.

You can choose to <b>force guests to log in before allowing access to the board</b> in addition to the settings for the Guest member group. This setting is a global override and, if enabled, will cause your community to show only a login/register screen to a user who is not logged in. No other functionality will be available until they log in.

The <b>flood control</b> setting is useful to keep malicious users from flooding your community with posts. You can set this setting to cause a delay in seconds between posts a user makes. Note that you can use Member Group settings to override this option per group.

Privacy

This section contains privacy settings for both the members and administrators.

The active user list shows what each member is currently viewing or the action they are performing in the community. While not inherently a secret, some communities may wish to disable this feature.

Members may choose to be anonymous on login which causes them to be hidden from the online user list. By default, administrators can still view online users with an asterisk (*) next to their name. You can disable both features here.



Comments

Elliot Marx
Jul 21 2011 03:16 AM
The reCAPTCHA option is not as effective as the default CAPTCHA. I've used both. When I used reCAPTCHA I had 70 spam logons per day. I've used the default CAPTCHA for over a week and only had 1 logon which was legitimate.
