How secure is Flarum?

BrodyStone21

I’ve been told that forums are notorious for getting hacked due to vulnerabilities that are discovered, just like everything else, and the frequency of updates can greatly contribute to this. I was just wondering how secure Flarum is and if I should be worried about my forum getting hacked.

luceos

BrodyStone21 we had a similar discussion with someone not too long ago, though it was for a different reason: https://discuss.flarum.org/d/34202-is-flarum-secure

To answer your question:

BrodyStone21 if I should be worried about my forum getting hacked

Yes, always be worried. Because there's never a 100% guarantee that something is 100% secure. But if you take the correct measures, follow recommendations and periodically revisit the safeguards in place, the risk is minimized.

Aside from that, some thoughts that might actually help answer some things in this context:

Flarum is based on Laravel and Symfony, together they pretty much dominate the PHP field as frameworks; this also means they are well tested, audited, reviewed and receive continuous security patches
we have had our fair share of vulnerabilities, see flarum/frameworksecurity/advisories for instance
we tend to fix vulnerabilities as soon as possible and with the highest urgency
we follow best practices and conventions with a higher priority than ease of use (that's also why the default method of installing Flarum is by using a public path)
community extensions you install can vary in their quality, not just for performance, but also security, take that into consideration when installing your 253'rd extension into Flarum
as Flarum is based on Laravel and Symfony, the ability to re-use addons for these frameworks enables extension developers to easily follow best practices and conventions, but also re-use proven addons for Flarum. An example of this is re-using the PHP League's filesystem drivers in FoF Upload.
the needs for a simple, private friends community differ a lot to an enterprise support community; if you rely on your community (eg for profits or user data), invest in a partner that helps you keep your community secured

BrodyStone21

luceos Thank you very much for the complex answer!

Should I reinstall Flarium using the public path option? I think I can do it right now that I know what went wrong before. If it really is that much better to have it at domain.com/forum, then should I just do that and have a redirect from domain.com -> domain.com/forum?

If I don’t do this, and an attacker gets in, what all information could they access? Anything inside of public_html/ (my root folder)? Does Flarum store all user data within the local path anyway? Like even if it is /public, would they still be able to access my users information? That is my biggest concern. Can they break out of this directory and go backwards?

User31

When I first started off with XF, the actions of a "technician" I'd hired, led to a very serious situation whereby the "tech" had masqueraded as me and proactively antagonized a friend of mine who subsequently became extremely upset at me.

This resulted with my friend mistakenly believing I'd betrayed him and so he decided to reciprocate by making it incredibly difficult for me to maintain my forum.

😅 Basically he (being an experienced developer) began seeking out any weaknesses in my forum & thus XF's defenses with which to exploit.

Barely a day later my forum was almost completely crippled.
XF Client Support engaged their DDoS countermeasures and managed to resolve this after two days, however the following day my forum was again crippled. XF DDoS countermeasures once more dealt with it within a couple of days...yet again by the following day my forum was crippled and this time XF's third attempt at DDoS countermeasures proved entirely ineffective. From this point on my forum became totally unusable and ultimately discarded after two months of unsuccessfully trying to solve whatever my friend was doing to cripple it.

XF never provided me with any answers nor insights for how this was possible and my friend (subsequent to him becoming aware of the "tech" having masqueraded as me) has since only been willing to casually joke about how easy he claims it was for him to cripple my XF forum.

The point I'm getting to here, is that since the revelation of the "techs" shenanigans, our friendship has been reconciled and my friend has subsequently occasionally "hacked" my forums to find and bring to attention any previously unknown security weaknesses, which he then advises on how to correct.

I certainly can't speak to how secure Flarum may or may not be, but if you have any friends like mine who know how to "hack" websites...😄 perhaps it might be worthwhile considering requesting their assistance for preemptively seeking out any "chinks" in your websites "armour".