No question that this was a slow month. Having released a new edition of my book and having updated most of my extensions, there wasn’t much to fill in the slack. I did release version 3.3.15 of my digests extension, but the changes were very minor. And I released a development version of a Notify admin on new error log entry extension for comment.
For my large commercial client, we completed our own testing and patched a number of minor bugs. It now goes to a more formal internal review by the company.
For another long standing commercial client, I helped troubleshoot a number of issues. The server had been moved from one virtual private server to another some months back. This caused a Let’s Encrypt certificate issue to manifest itself. I don’t consider myself a system administrator but was able through trial and error in Plesk to figure it out. Essentially, the new server couldn’t work with an old package that kept Let’s Encrypt updated and I had to install a new one while figuring out why it kept complaining that the certificate was out of date. I also installed the Auto Groups extension to ensure newly registered users were put into a Subscribers group I created. Anyone in this group gets emails when new posts are made.
Other work in May:
A client’s sessions table needed repair. I repaired it then changed all tables to use the INNODB storage engine. I had to write a script to do this rather than use phpMyAdmin because the logged in phpMyAdmin user did not have the permissions to do this. I provided guidance on how to remove or reduce administrator permissions for a user.
Updated a board from phpBB 3.3.0 to 3.3.5. I also changed PHP from 7.2 to 8.1, which required enabling mysqli. I updated the parent Absolution style from version 3.3.0 to 3.3.5. I investigated a WordPress error but only noticed that there was a complaint in the dashboard that PHP 7.2 was no longer supported, so updating PHP to 8.0 solved that. A digest cron was disabled that had to be re-enabled. Had to increase the memory size for PHP to avoid a timeout manually running digests. The simple mentions extension required reparsing of tables to get it working again.
Rehosted a board with 330,000 posts and 43GB of files from Network Solutions to Dreamhost. Worked with customer to determine a good plan on Dreamhost; he picked a VPS solution. Customer moved files to Dreamhost because he has a much speedier connection than me, saving him some money and time. I loaded and moved events database and software (something I had written for him years ago, and sits outside of phpBB), updating the database connection statements so it would find the right database. I loaded this database from extract provided by customer. I then upgraded the board from phpBB 3.3.3 to 3.3.7. I upgraded the Add user extension from 1.0.4 to 1.0.5. I set up two email accounts on the new host. I changed the DNS to Dreamhost for the client. I also got email integrated again. This feature no longer worked on the old host. I installed a Let’s Encrypt SSL certificate. I remade the search index (chose MySQL fulltext) and disabled Google search extension, which was no longer needed.
I billed a client for miscellaneous work on a site he is relaunching since I last helped him in January. The work involved about three hours of answering questions mostly related to integrating phpBB forum feeds into WordPress. I installed two extensions: Smartfeed and Install External Link in New Windows. I later updated phpBB from 3.3.5 to 3.3.7 and the American English language pack to 4.7.0.
Performed a commercial upgrade from phpBB 3.0.11 to 3.3.7. No mods and no style issues to worry about and only 4000 posts. I disabled contact form. Set up and tested reCaptcha V3 spambot countermeasure. I disabled SMTP because of certificate mismatch issue. I set up home page link.
I created a small extension that lets admins get phpBB notifications if there are new entries in phpBB’s error log. More details can be found on its page.
You can’t run a phpBB board without an administrator, but the privileges granted to administrators in phpBB and how they are assigned and handled are not obvious.
Let’s learn how to create administrators, what privileges administrators have, and how to change or remove administrators.
Easily adding new administrators
If you don’t want to be particular, simply add an existing user to the Administrators group: ACP > Manage groups > Administrators > Members > Add users. This user will be able to access the Administration Control Panel (ACP) with the Full Administrator’s role privileges, giving them broad powers to do almost anything except add, change or remove founders.
What’s peculiar is while an administrator created this way has the Full Administrator’s role privileges, the role is not explicitly assigned. It appears that phpBB defaults to these permissions if none are explicitly granted, which is inconsistent with phpBB’s otherwise amazingly well thought out permissions system.
Founders
There is a special type of administrator called a founder. If you manage a phpBB board, you probably have this privilege already. Founders can never be banned, deleted or altered by any other administrators unless they are also founders.
This feature is basically a safety feature, ensuring founders can’t be locked out unless another founder is doing this.
An easy way to tell if you are a founder is to look up any user in the ACP using the manage users function. If when editing their settings, the founder field is enabled, you are a founder.
Deleting administrators
The easiest way to remove an administrator is to remove them from the Administrators users group: ACP > Manage groups > Administrators > Members. Select the checkbox for the user, then select Remove member from group and press Submit.
You could also remove permissions explicitly. ACP > Permissions > Global permissions > Administrators > [user name]. Once selected, select their row in the text area and click on the Remove permissions button.
Changing administrator permissions
There are two approaches to changing administrator permissions: assign a role or set custom permissions.
Using a role
ACP > Permissions > Global permissions > Administrators > [user name]. After the page is refreshed, select their row in the text area and click on the Edit permissions button. Select the desired role: Standard admin, Full admin, Forum admin or User and Groups admin. Let your mouse hover over each permission type to see what privileges are assigned to the role. Click Apply all permissions when done.
Custom permissions
ACP > Permissions > Global permissions > Administrators > [user name]. After the page is refreshed, select their row in the text area and click on the Edit permissions button. Click on the Advanced permissions link, then go through each tab and assign the desired privileges. Click Apply permissions when done.
When does the ACP link appear?
If you have any ACP permissions assigned, the link to the ACP will appear. Only if you have no ACP privileges will the link disappear.
April was a fairly quiet month work-wise. This meant some downtime which, for a change, did not involve too much in the work of extension development but actual leisure. This is in part because most of my extensions are pretty stable including most notably the digests extension, which is definitely my most complicated extension. Toward the end of the month I did put out an April 2022 edition of my book on phpBB administration.
For my large commercial client, whose work I am largely wrapping up, we went through a “smoke test” following a detailed testing plan I put together. This precedes a more formal test by a larger group. But as often happens my client was pulled away by other tasks, which meant that meetings and tests were often delayed. But my test plan was good and having a second set of eyes helped a lot. We found a number of issues that had escaped earlier notice and that required some fixing and rework. For example, since phpBB 3.0 the search interface on a forum or a topic has changed and the advanced fields had new controls I had overlooked replicating. This was easily fixed. More problematic was a bunch of Javascript logic tied to a change in a custom header when the device’s screen width slipped below a mobile breakpoint. I spent at least six hours trying to figure out how to fix the Javascript and eventually succeeded.
Other client work accomplished in April:
Upgraded two boards: a read-only archive board and the real currently interactive board, both from phpBB 3.2.7 to phpBB 3.3.7. I replaced Pro Ubuntu Lucid style to version 3.0.6 on both, made changes to two templates that were needed to the custom style that inherits from the Pro Ubuntu Lucid style and upgraded two extensions: Advertisement management to version 2.0.6 and Large Font to version 3.2.3.
Upgraded a board from phpBB 3.2.8 to phpBB 3.3.7. This time I created a custom style called “custom” inheriting from prosilver so future upgrades will require less rework. All style changes are in the custom style’s stylesheet.css file. I updated the board announcements extension to version 1.10 and media embed extension to version 1.1.2.
Rehosted and upgraded a phpBB 3.0.12 board, moving it to phpBB 3.3.7. I updated the style so it was a near match for the old one, but responsive, on my local server. Client suggested an extension to get the logo image to be responsive, which I was struggling with. It worked very well. After a week or so of delay, I rehosted the board and then upgraded board. New hosting and renaming nameservers issues caused a 24 hour delay. The database had to be moved in chunks, with five chunks for the post table to avoid timeouts on the old host. I had to set an active style in the database, otherwise there were no issues during upgrade. I installed the Tapatalk extension. I then installed the custom style I created earlier. I set a home link and disabled the contact page, then set up reCaptcha V3 as a spambot countermeasure. I created a Let’s Encrypt SSL certificate. I then rebuilt the search index since those tables were not moved over. I removed old dead modules in ACP then added and configured the Header Banner extension.
Spent ninety minutes tutoring a client on Zoom
Updated a board from phpBB version 3.3.5 to 3.3.7 and the advertisement management extension from version 2.0.5 to 2.0.6. Also edited .htaccess file to show the Board 3 extension portal page by default.
Chased an annoying certificate problem for a commercial client on MediaTemple VPS hosting
With a little time on my hands, I updated my book Mastering phpBB Administration. You can find links on the book’s page, at the bottom of any page or post on my site, or on my site’s sidebar. This covers through the latest release of phpBB, which is 3.3.7 as of this writing.
With every release, I find yet even more things to add, change or delete, along with a number of mistakes that make me wonder, “How did I miss this?” or “Why was I wrong about that for so long?” Even someone like me with twenty years on the phpBB platform can find features I hadn’t noticed or assumptions I have made that were not entirely correct. So the book is always in a process of becoming more correct.
One major change since the last edition is the renaming of the update and upgrade types. This is for the good as the old names were very misleading and I criticized them in the past. On phpbb.com’s download page you can see how they renamed the tabs. The old full package method is now the update method and the automatic update method is now the advanced update. So Chapter Nine needed quite a bit of new wordsmithing.
Otherwise, the content is pretty much the same, just new and improved. Like last time, if you bought an earlier edition, if you provide me a sales receipt I will send you a link to the new PDF version of the book.
The first half of March was slow, the second half got busier and busier. So in early March I used the slow time to create new versions of my Digests and Smartfeed extensions.
Work for my commercial client is still mostly in a holding phase while we wait for the start of formal testing, which should start next week. I did upgrade phpBB for them twice (3.3.6 had a critical bug.) Other work in March:
Updated a board from phpBB version 3.3.0 to 3.3.5. I fixed an emailing issue where lost password emails were not being received by changing the board’s email settings to use SMTP settings. I also updated the Cleantalk extension from 5.7.2 to 5.7.4 and reapplied their logo.
Updated a board from phpBB version 3.3.5 to 3.3.6. No issues except for some reason the logo reappeared even though it should have been overwritten.
Provided two hours of tutoring over two days and a bit of troubleshooting. Client wanted to integrate phpBB with a WordPress plugin. After a lot of trial trying to get the lost password link not to redirect to WordPress, I determined the issue was their buggy WordPress – phpBB plugin. Client is pondering whether to use phpBB separately from WordPress or use a WordPress forum plugin.
Updated a board from phpBB 3.3.4 to 3.3.7. First updated to 3.3.6 then found out 3.3.7 was released. I had to recover two tables and then install phpBB 3.3.7 to recover. I also updated my Digests extension from 3.3.4 to 3.3.14. No other changes were made.
Updated a board from phpBB 3.3.5 to 3.3.7. I installed version 2.1.4 of the Metrolike style and reapplied client’s style changes. I installed a release candidate Auto DB backup extension and set it to make backups every 24 hours. A few days later I answered questions about how to backup files and database offsite.
Updated a board from phpBB 3.3.5 to 3.3.7. I updated the Italian language pack to the latest version. I updated the advertisement management extension from version 2.0.4 to 2.0.5.
Users were unable to post on a board. I analyzed issue and it turned out to be an invalid <textarea> tag. To fix it, I upgraded the board from phpBB 3.2.7 to 3.3.7. I had to fix about five services.yml and routing.yml files to get all the extensions to work under phpBB 3.3. In total I upgraded seven extensions. I installed a new version of we_universal style, replicated background image and hid site title and site description.
The client wasn’t getting email notifications for new posts. This turned out to be because he wasn’t subscribed to the forum. I also updated phpBB from version 3.3.5 to 3.3.7. Because there was no logo, no attachments, and no extensions this turned out to be a very easy update to do.
I upgraded a board from phpBB 3.2.8 to 3.3.7. I determined issue was due to PHP 8, and temporarily downgraded PHP to 7.3 to make the board function. After an upgrade to phpBB 3.3.7, I reverted PHP back to PHP 8.0. I reapplied logo, added Cleantalk, enabled its spam firewall feature and contact form checking feature. I deleted unneeded tables and removed old modules in ACP, MCP and UCP left over from phpBB 3.0 to tidy things up.
Upgraded phpBB from 3.2.1 to 3.3.7 for a client. I changed PHP from 5.5 to 7.4. I installed an updated but beta Image redirection extension (version 2.0.1-b6). I also updated the Dutch casual language pack.
I retrofitted a custom style from phpBB 3.1 to 3.3. I did this by comparing the style with the prosilver style in phpBB 3.1.12, using my Raspberry Pi because I have PHP 5.6 on it and I wanted to see how the style rendered on phpBB 3.1. Lots of trial and error and about eight hours of effort. I removed some HTML tables placed by a previous developer with more responsive code. The project spanned three days.
The phpBB Group made a major error in its 3.3.6 release. The error is understandable, but still surprising, as this is the first release I am aware of where, if you are affected by the bug, it cannot be fixed except by recovering two tables you are supposed to back up before upgrading to phpBB 3.3.6.
How can I tell if my board is affected?
One way is to access your board as a guest. If it says your board has no forums, but previously a guest would see your forums, you are affected.
Still seeing forums as a guest doesn’t mean you aren’t affected. Only the reverse is conclusive: if a guest can no longer see them, you are definitely affected by the bug.
The only way to know for sure would be to compare the phpbb_acl_groups and phpbb_acl_users tables from before upgrading to phpBB 3.3.6 with your current tables and if any rows are missing put them back in these tables. This is not easy. You might want to seek professional help to fix these issues.
If my board is affected, how do I fix this?
Recover your database to before you upgraded to phpBB 3.3.6, then upgrade phpBB
If you are comfortable with losing any content since you upgraded, you fully backed up your database before the upgrade, and it’s stored in your board’s /store folder you could:
Use phpBB’s restore function: ACP > Maintenance > Database > Restore. Make sure you pick the right archive to recover.
Afterward, you may have orphaned attachments. You can get rid of these: ACP > Posting > Attachments > Orphaned attachments
Next, upgrade to the latest version of phpBB using the normal process
Warning: on some servers you may experience timeouts and other issues using the process. The likelihood of this happening increases on shared hosting and if you have lots of posts and users. If you are familiar with using SQL from the command line, it is better to restore your database this way. You may need to explicitly drop all the tables in your database first.
Recover the two affected tables, then upgrade phpBB
If the other options aren’t viable, you have to fix the database directly. And it can be kind of confusing if you are not familiar with SQL or don’t know how to use programs like phpMyAdmin. But you must have a backup of your database before you upgraded or updated to phpBB 3.3.6 and the backup must contain the two tables affected.
Your database backup is either in an archive or a long file with a .sql suffix. If it’s in an archive, extract it.
You will need to open the archive in a text editor. If the file is big, it may crash some text editors. BBEdit is an example of a text editor that should be able to handle large .sql files.
Search for your phpbb_acl_groups table. If your table prefix is not phpbb_, search for the correct name, like phpbb3_acl_groups. Find the INSERT INTO statement for the table. Here’s an example:
Empty this table first using a tool like phpMyAdmin (see above). This removes all rows in the table.
Afterward, using a tool like phpMyAdmin, copy and paste the INSERT INTO statement(s) from your editor. Using phpMyAdmin, you could click on the SQL tab and insert them there, and press GO at the bottom of the page to execute the statement(s). This should replace the table’s content to the way it was before you upgraded to phpBB 3.3.6.
Use the same approach for your version of the phpbb_acl_users table. Empty the table and execute the SQL in your editor to recover this table.
Now do a normal upgrade to the latest version of phpBB.
If after the upgrade to 3.3.6 you made any permission changes to users or groups, these would need to be reapplied.
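Both the table comparison and the two-table recovery described above can be scripted rather than done by hand in a text editor. The following is an added example, not code from phpBB or from the original post: it assumes a MySQL/MariaDB plain-text .sql backup whose INSERT statements start at the beginning of a line, and the function names and sample rows are constructed for illustration.

```python
import re
import sys

ACL_TABLES = ("acl_groups", "acl_users")  # the two affected tables, minus the prefix
ROW = re.compile(r"\(\s*(-?\d+(?:\s*,\s*-?\d+)*)\s*\)")  # one all-integer row tuple

def extract_inserts(lines, prefix="phpbb_"):
    """Collect the INSERT statements for both ACL tables in one pass over the dump.

    `lines` may be an open file, so a very large backup is never held in memory.
    """
    names = [prefix + suffix for suffix in ACL_TABLES]
    start = re.compile(r"^\s*INSERT INTO `?(%s)`?[\s(]" % "|".join(map(re.escape, names)))
    found = {name: [] for name in names}
    table, buf = None, []
    for line in lines:
        if table is None:
            m = start.match(line)
            if not m:
                continue
            table, buf = m.group(1), []
        buf.append(line.rstrip("\r\n"))
        # Both tables hold only integer columns, so a line ending in ';' always
        # ends the statement (there are no quoted strings that could contain one).
        if line.rstrip().endswith(";"):
            found[table].append("\n".join(buf))
            table = None
    return found

def rows(statements):
    """Parse INSERT statements into a set of integer tuples, one per table row."""
    parsed = set()
    for stmt in statements:
        values = stmt[re.search(r"\bVALUES\b", stmt).end():]
        for m in ROW.finditer(values):
            parsed.add(tuple(int(v) for v in m.group(1).split(",")))
    return parsed

def missing_rows(backup_lines, current_lines, prefix="phpbb_"):
    """Rows present in the pre-upgrade backup but absent from a current dump."""
    before = extract_inserts(backup_lines, prefix)
    after = extract_inserts(current_lines, prefix)
    return {t: sorted(rows(before[t]) - rows(after[t])) for t in before}

def build_restore_sql(backup_lines, prefix="phpbb_"):
    """Emit SQL that empties both tables and reloads them from the backup."""
    inserts = extract_inserts(backup_lines, prefix)
    absent = [t for t, stmts in inserts.items() if not stmts]
    if absent:  # wrong prefix, or a backup that never included the table
        raise ValueError("no INSERT statements found for: " + ", ".join(absent))
    out = ["START TRANSACTION;"]  # atomic on InnoDB; MyISAM ignores transactions
    for t, stmts in inserts.items():
        out.append("DELETE FROM `%s`;" % t)
        out.extend(stmts)
    out.append("COMMIT;")
    return "\n".join(out) + "\n"

# Constructed sample dumps (not from a real board).
SAMPLE_BACKUP = """\
INSERT INTO `phpbb_acl_groups` VALUES (1,0,85,0,1),(1,2,0,17,0),
(5,0,0,5,0);
INSERT INTO `phpbb_acl_users` VALUES (2,0,0,5,0);
INSERT INTO `phpbb_posts` VALUES (1,1,2,'unrelated; ignored');
""".splitlines(keepends=True)
SAMPLE_CURRENT = """\
INSERT INTO `phpbb_acl_groups` VALUES (1,0,85,0,1),(5,0,0,5,0);
INSERT INTO `phpbb_acl_users` VALUES (2,0,0,5,0);
""".splitlines(keepends=True)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py backup.sql [table_prefix]
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            sys.stdout.write(build_restore_sql(fh, *sys.argv[2:3]))
    else:
        print(missing_rows(SAMPLE_BACKUP, SAMPLE_CURRENT))
        sys.stdout.write(build_restore_sql(SAMPLE_BACKUP))
```

Run against a real backup file, the output can be pasted into phpMyAdmin’s SQL tab or fed to the mysql command-line client; a wrong table prefix is reported as an error instead of producing SQL that only empties the tables.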
There have been many prominent articles about web sites being taken down by Denial of Service (DoS) attacks. A Denial of Service attack is when a machine on the internet sends so many requests to your web server in a short period of time that the web server can’t keep up with the demand. This makes it unavailable to legitimate users and often returns cryptic error messages to users. It’s like your web server blows a fuse. Even after the attack abates, your server may not be able to recover without a reboot or some internal repairs.
In a Distributed Denial of Service (DDoS) attack, a number of machines across the Internet attack your web server at the same time. DDoS attacks tend to be more severe because more requests can be sent at the same time. These attacks become harder to block too, because the Internet Protocol (IP) addresses of attacking machines change.
In this post I’ll look at how to protect your board from both DoS and DDoS attacks using Cloudflare.
What is Cloudflare?
Cloudflare is a prominent company that specializes in implementing content delivery networks (CDNs). CDNs place copies of files on your web sites geographically close to your users, speeding up the rendering of your web pages.
Cloudflare can also protect web sites so that if a DoS or a DDoS attack occurs, the offending machines can quickly be blocked, minimally impacting your site’s availability to legitimate users.
A phpBB board is often part of a web site. Generally, Cloudflare protects domains. I’ll describe how it protects domains. If you want to use Cloudflare to protect a subdomain but not the domain itself, this is a more complex process described here.
Using Cloudflare is not necessarily free, but it often is. You can start with a free plan. If your domain is not used for commercial purposes, you can use Cloudflare for free. If your site is for professional use, the cost is $20/month. Cloudflare can be very pricey for businesses and enterprises: $200/month or more. But if you have this kind of website, you are probably using Cloudflare or a similar service already.
Cloudflare has competitors, so you can shop around if you need to pay for DoS or DDoS protection. Arguably though Cloudflare was the first to master this market and is its industry leader.
Protecting your domain with Cloudflare is generally pretty easy. Let’s look at the steps.
Step 1. Get a Cloudflare account
If you don’t already have a Cloudflare account, you can create one. It’s a simple process that should not take more than a few minutes.
Step 2. Add your domain to your Cloudflare account
Look for the Websites link on the left sidebar. After clicking on it, click on the Add a Site button and add the domain containing your phpBB board. Cloudflare will find your public domain records and show them to you.
Step 3. Change the nameservers for your domain to use Cloudflare’s nameservers
Next, login to your domain registrar and find your records for your domain. Verify your domain records match those that Cloudflare found. Then change your domain’s nameservers to the nameservers Cloudflare provided. Nameservers tell computers the Internet Protocol (IP) address where your site’s content resides. Cloudflare should provide you with two nameservers.
To make things easier, you may want to access your registrar in a separate browser tab so you can more easily copy and paste Cloudflare’s nameservers into the form provided by your registrar.
Step 4. Wait for the DNS to change
It can take up to 48 hours for your DNS changes to propagate across the Internet, but it is generally quick, with most ISPs getting updates in one to two hours. While it happens, your domain should still be accessible, but may be briefly inaccessible.
Your domain may still be affected if a DoS or DDoS attack occurs during the nameserver propagation process. You can get a sense of whether the DNS changes are complete by using a tool like Who.Is to check your domain and the nameservers it finds for your domain. When complete, the nameservers should match those provided to you by Cloudflare.
How it works
Most attacks attack a domain. DNS resolution is the process of translating a domain name (myspecialboard.com) to an IP address, ex: 123.45.67.89. Attackers will query Cloudflare’s nameservers to get your IP address. Because Cloudflare constantly monitors the web, it generally knows the IP addresses of attacking machines. It won’t provide your server’s correct IP address to these machines, insulating your web server from most of these attacks.
Attacks may still occur, but are unlikely
Targeted DoS and DDoS attacks can still succeed if the attacker knows or randomly picks the Internet Protocol (IP) address of your web server and attacks it, rather than your domain. As your web server’s IP address won’t be generally known, these incidents should be few and far between. If they occur, it is likely due to an attack on a random IP address.
If you detect a DoS or DDoS attack after being protected by Cloudflare, Cloudflare can still help. Click on your website on the Cloudflare web page and set the Under Attack Mode slider control to On. More details are here. Cloudflare will examine the machines hitting your domain and do its best to block them.
If you use shared hosting, you may still be subject to DoS or DDoS attacks you can’t control. This is because the attack may not be happening to your domain directly, but to another domain on the same server using the same IP address as your web server. Such a scenario though is pretty unlikely.