Secure XenForo


These are a couple of tips I thought I'd share on how I secure my own XenForo installations with .htaccess.

I'm lucky enough to have static IP addresses at work and home, so I lock down admin.php and the /install/ directory so that they can only be accessed from my own IP addresses.

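First, securing admin.php:
# Limit access to the ACP
<Files "admin.php">
  Order Deny,Allow
  Deny from all
  # xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are placeholders for your own static IP addresses
  Allow from xxx.xxx.xxx.xxx
  Allow from yyy.yyy.yyy.yyy
</Files>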

The order is important: with Order Deny,Allow, the Deny directives are evaluated first and the Allow directives afterwards, so every request is denied unless it comes from one of the listed addresses.

My own .htaccess file has the 403 set to simply redirect back to the root URL:
ErrorDocument 401 default
# https://www.example.com/ is a placeholder for your forum's root URL
ErrorDocument 403 https://www.example.com/
ErrorDocument 404 default
ErrorDocument 500 default

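The same is done in the /install/ directory:
# xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are placeholders for your own static IP addresses
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Allow from yyy.yyy.yyy.yyy

# https://www.example.com/ is a placeholder for your forum's root URL
ErrorDocument 404 https://www.example.com/
ErrorDocument 403 https://www.example.com/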

So when anyone other than myself tries to reach the admin.php file or the /install/ directory, they are bounced back to the forum home.
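
The Order/Deny/Allow directives above are the Apache 2.2 access-control syntax; on Apache 2.4 they only work through mod_access_compat. The same two restrictions in native 2.4 syntax, as an added example that is not part of the original post (the IP addresses are documentation-range placeholders and forum.example.com stands in for the forum's root URL):

```apache
# ---- /.htaccess (forum root), Apache 2.4+ ----
# Needs "AllowOverride AuthConfig FileInfo" (or All) for this directory.
# Do not mix Require with Order/Allow/Deny in the same scope.

# Limit access to the ACP: only the listed addresses may request admin.php.
<Files "admin.php">
    # Placeholder addresses: replace with your own static IPs.
    Require ip 203.0.113.10 198.51.100.20
</Files>

# Pointing ErrorDocument at a full URL makes Apache send the client a
# redirect to that URL instead of serving a local error page.
ErrorDocument 403 https://forum.example.com/

# ---- /install/.htaccess ----
# Applies to everything under /install/.
Require ip 203.0.113.10 198.51.100.20

ErrorDocument 403 https://forum.example.com/
ErrorDocument 404 https://forum.example.com/
```

If the forum sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so an IP allow list like this only works once the real client address is restored (for example with mod_remoteip).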