1. Always use latest stable XOOPS core.
2. Keep your modules updated to the latest stable release.
3. The .htaccess file

Remote File Inclusion Protection


Various protections


Disallow displaying content of folders which don't have index.html within


Next 2 must be added directly after RewriteEngine On
Blocking Download Managers and Proxies


Blocking Bad Robots


The following 4 lines

blocks the access to services such as Facebook and Google Translate, if u don't comment them out.

Check that all files are with permissions 644 and folders with permissions 755.
The following lines must be added in php.ini and placed in your XOOPS root folder


safe_mode - must be Off.
safe_mode is a security risk; it was supposed to add a new layer of security to PHP, but it ended up creating more bugs.

allow_url_fopen - must be Off
allow_url_fopen might allow an attacker to include his own PHP scripts in your XOOPS website, ultimately taking control of the webserver.

allow_url_include - must be Off
allow_url_include might allow an attacker to include his own PHP scripts in your XOOPS website, ultimately taking control of the webserver.

disable_functions - recommended to be used
disable_functions disables dangerous PHP functions. It is recommended to disable: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

open_basedir - recommended to be used. open_basedir restricts access to specified directories only.

Do not use administrator user name such as: admin, administrator, root. Make password with random chars.

Do not install modules which are from:
Dead authors
Abandoned
Not Trusted Sites
Not Trusted Authors

IP Blocking:
Use

For blocking specific IP Address Range
or


[EDIT by Mamba]
Using IP2Country IP Address List you can ban those countries from which you're receiving most spam in your Website, or which are historically known for spam activities, and your Website is not interested in traffic from them
[/EDIT]

(Some more stuff will be added later.... XOOPS should be changed a bit too)

Edit: Proposed PHP.INI may conflict with some XOOPS installs.

Nice and docile tutorial DCrussader.

Excellent tutorial.
Every webmaster should implement these techniques.

Of course, allow who you want, block who you want....

I had to put my moderator hat today and make some edits.

We don't need to pinpoint particular countries for banning - it's up to the individual Webmaster to decide based on his records of who is spamming his Website.

So let's focus on the technical aspects of the issue, i.e. once you see that most of the spam is coming form country ABC, how can you ban them and protect your Website.

With that - Happy Xoopsing!

Heh... ok
--------------------
Next step is activating reCaptcha in comments and registration.

You have to edit /class/captcha/config.php
on Line 29 to add 'recaptcha'

next file for edit is /class/config.recaptcha.php
Lines 24-27
Private and Public keys (obtain yours fromhttp://www.google.com/recaptcha
Theme of reCaptcha (clean, mostly used)
Line 27 'lang' -> change _LANGCODE to 'en'

demo (till next deletion)
Registration (http://xoops.cmsbg.info/modules/profile/register.php)
Comment (http://xoops.cmsbg.info/modules/TDMDownloads/comment_new.php?com_itemid=1&com_order=0&com_mode=flat&cid=2)

Some good advice.

I found the single biggest prevention against script attacks is to keep PERL off your server. I posted how to do this in htaccess here.

The Perishable Press 4G blacklist mentioned in that thread also covers a lot of exploits, although you may need to disable some prohibited characters or expressions to use Xoops.

These are two very good articles, however Xortify is for more Captcha Sweat Shops, Captcha beating bots, signup fraud, harvesting and other things as well, I would recommend running it, most people i have spoken to who are getting attacked with signup captcha sweat shops seem to have them beat with xortify.