Monday, June 15, 2009

SMF Review

SMF, or Simple Machines Forum, is PHP-based forum software with many features and an active developer community. After searching for several forum software packages, and checking ratings, maturity of the code base, frequency of updates, and helpful forums, SMF appeared to be one of the top packages available. Also, my hosting company (GoDaddy) provided free install and setup (another plus!). Pretty much what I wanted, because this wasn't to be a main focus of one of my sites, but I also wanted a forum that was low maintenance, so that I could do other work that was more interesting. SMF also appeared to have many useful features.

So everything looks good, right? Well, almost. As a Java developer, I learned several things good and bad about PHP. I also waged a small battle with security. My hat's off to the guys that manage LAMP apps full time.

Lessons learned...
1. Remote file inclusion - PHP without the correct barriers set can allow hackers to send a URL that references a remote file. These remote scripts serve different purposes, but in my case a script was used to customize PHP files and drop in redirects for certain URLs that boost different websites' rankings in Google.

There is a great description about remote file inclusion here. The article also provides a great description and some remedies for this issue.

Here's the first fix to keep remote file inclusion from being used on my site...

Set allow_url_fopen to OFF
Set allow_url_include to OFF
Set register_globals to OFF
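
A way to check a php.ini for the three settings above, added here as an example and not taken from the original post or from SMF. It applies PHP's built-in defaults when a directive is missing or commented out (allow_url_fopen defaults to On, the other two to Off); the function names and the sample file are constructed for illustration.

```python
import re

# The three directives from the list above, mapped to PHP's built-in default
# (True = On) that applies when php.ini does not set the directive at all.
DEFAULTS = {
    "allow_url_fopen": True,
    "allow_url_include": False,
    "register_globals": False,
}
TRUTHY = {"1", "on", "true", "yes"}
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def effective_settings(ini_text):
    """Return {directive: enabled} resolved from php.ini text plus defaults."""
    state = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]            # ';' starts a comment
        match = ASSIGNMENT.match(line)
        if not match or match.group(1) not in state:
            continue                           # section header or other directive
        value = match.group(2).strip("\"'").lower()
        state[match.group(1)] = value in TRUTHY  # later assignments replace earlier ones
    return state


def audit(ini_text):
    """List the directives that are still enabled and need to be set to Off."""
    return sorted(name for name, on in effective_settings(ini_text).items() if on)


# Constructed sample, not taken from any real host.
SAMPLE_INI = """\
[PHP]
; allow_url_fopen = Off   (commented out, so the default On applies)
allow_url_include = On
register_globals = Off
"""

HARDENED_INI = """\
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
"""

if __name__ == "__main__":
    print("sample still enabled:  ", audit(SAMPLE_INI))
    print("hardened still enabled:", audit(HARDENED_INI))
```

php.ini is only one place these values can be set; the value the running site actually uses is the one reported by `php -i` or `phpinfo()`.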


2. Do not allow users to register themselves - As much as I don't want to keep up with users, I soon found that this is the best way to see what's happening on your site after setup, especially since I am by no means an SMF expert. After setting up my final SMF 1.1.9 forum, I had 16 spam bots attempt to register users between 1AM and 7AM. The first setup was to add admin approval for all users. SMF sent me a nice little email that Viagara28 and other creative users were interested in joining. Yeah right!

Allowing users to register themselves will open the doors for spambots, and you will soon have hordes of nefarious advertisements posted on your forum.

One really nice feature about SMF is that with a click you can view and look up the IP of the requesting member. This helps give you an idea of with whom you are dealing. The 16 member requests were all from spamlands Ukraine and Russia. SMF also allows you to block certain IP ranges if you wish to block out an entire country. Sorry Ukraine!

3. Set the CAPTCHA to the highest level of difficulty - This one step filtered out numerous emails from spambots. This article here explains that CAPTCHA can be hacked and should be made as difficult as possible to filter out the bots.

These 3 suggestions kept my SMF forum from being decimated into a heaping pile of ash. Overall, though I believe that SMF/PHP is a little bit rough around the edges on security, it is by no means a reason to stay away from SMF or PHP in general. I must note that I did start with SMF 1.1.5, which is the default SMF install from godaddy.com. After reading newsgroups about security enhancements, I decided to go out on my own and install 1.1.9. A good move, and all remote file inclusions seemed to be wiped clean by making this move.

So here's my analysis on SMF experiences.

1.) Install - (B+) Overall pretty good install. There seems to be a low barrier to set up SMF, which is nice. I didn't quite understand upgrade paths... can I go from 1.1.5 -> 1.1.9 with a simple upgrade package? But in my situation everything appeared to work. Also, the learning curve on setup was pretty small. I had a few issues installing themes and understanding if a theme would fit 1.1.9, but this issue was soon resolved. Also, you have to go back and remove the PHP pages for install.php and upgrade.php. It would be nice not to need to do that.

2.) Security - (C) Spambots are ready for SMF, but I think following the suggestions above and upgrading to the latest version of SMF will keep you a few steps ahead of the spammers and hackers. Default settings are prone to hacking, and I believe spambots prey on this fact.

3.) User Community - (A-) There is a large SMF community out there, which in my book is worth more than the app itself sometimes. There was a lot of good information and the developers seem to be actively posting. Good job on this!

Another note on this... SMF allows homegrown pre-packaged themes to be installed which I really liked. You can visit a site and browse many different types of themes, pick one, download it and install it.

4.) Features - (A) Lots of features have been added to SMF. Almost too much really for what I needed, but I was able to navigate through the menus and use IP tracking, style sheet editing, and many more.

5.) Usability - (B) Well this is good and bad. The good is that there are a lot of features. The bad is that there are a lot of features. Overall, I was able to navigate, set up, and configure a site pretty quickly. However, there were times where it took me some time to figure out the right way to do something. One example is setting the current theme. After installing the theme I liked, do I simply change the paths on the current theme? I tried changing the path, but for some reason my site turned into garbled mush and couldn't find URLs etc. I soon found the install theme button, and everything cleared up. There were other small things like that, which kept SMF from becoming stupidly simple to use. Some level of technical knowledge is useful for SMF without a doubt.
