by guessmyname 3628 days ago
> Hardening

> We’ve installed ModSecurity, a Web Application Firewall, to help prevent similar attacks in the future.

> We’ve improved our monitoring of vBulletin to ensure that security patches are applied promptly.

What? They _just_ added a firewall in their forum? What were they thinking all these years then? Either none of their engineers thought about adding an extra layer of security to this website during all these years, or the chain of command in this company is so strict that any suggestion from their engineers is dismissed until a security breach is detected. What a shame, first Linux Mint, and now these guys.


A "WAF" like ModSecurity is not the same as a network packet firewall. And a WAF might contain lots of heuristics and overly strict rules that might break web applications in subtle ways.

What are you talking about? I am saying that they added ModSecurity just now, why didn't they add it years ago? Whether a WAF will affect some features in their forum has nothing to do with my comment that was intended as a criticism of the bad timing of their sysadmins. Why add ModSecurity now "after" the breach and not before? Wasn't it obvious that someone would try to hack their forum?

Are you just saying that my criticism makes no sense?

Sorry, I thought you assumed they were talking about a "normal firewall" missing since the start. Installing a WAF isn't always standard procedure for LAMP stacks as far as I know, so I wouldn't fault them for not doing that initially. Obviously they have changed their minds now :)