Valid concerns have been raised in this thread. There is no way to absolutely prevent a determined hacker from getting into a system. There are typically two main security problems (others exist, but are mainly targeted against the big guys):
- Spam - easy to control, mostly by preventative measures. Once hacked, not so easy to eliminate
- Email harvesting - relatively easy to prevent, but more of a potential danger to those that use a sensitive email address when registering (I always use an email address that I can dispose of if needed; I never use a sensitive email address).
LTBBQ is built on SMF forum software, which is a stable and relatively secure platform (I currently run 3 personal and 1 professional forum built on SMF, and have not had a problem on any of them in 5 years of service - knock on wood). Security mods are available such as StopForumSpam, HTTBL, Forum Firewall, and quite a few others. Each brings a new level of security, but then also adds potential access problems. For instance, I was using HTTBL, and a South African member was being denied access because his ISP's entire domain range was blacklisted. Fortunately he had my email address, else I'd never even have known that he had been denied. Performance issues can also arise due to anti-spam measures checking IP addresses against known bad ranges.
Built into the SMF core are also security and anti-spam measures, among them levels of password complexity, requiring re-validation on email changes, not revealing member details to guests, etc. To ensure that a potential registrant is human, CAPTCHA and answering security questions are options.
One setting that currently appears to be enabled in LTBBQ that might be of concern if an automated registration system were implemented is the setting for viewable email addresses. Currently regular members can see the recipient's email address when you click the little envelope under a member's avatar. This would allow a spammer to easily harvest individual email addresses simply by clicking the email envelope and reading the address off the form. This is mostly not a huge problem because spammers are usually more interested in harvesting the entire email list and would not bother to go after individuals. However, it could potentially lead to email hacking.
Two things I would recommend in an experiment at LTBBQ:
- If an automated system were implemented, which I actually would be in favor of, I would recommend un-checking the viewable email address option under the General settings of Security and moderation in the Configuration settings, which then hides the email addresses from all but admins. Members can still send emails to recipients, but mail is sent by the SMF handler which does not display the email address.
- Due diligence by a trusted group of admins and moderators who check the forum daily for unwanted activity, and regular behind the scenes checking of the error, administration, and moderator logs for potential problem accounts