Jump to Main Content
Content > XOOPS > XOOPS Protector
XOOPS Protector

The XOOPS Protector Module protects from DOS, SQL injection, and a number of other related attacks. This is a must-install module. As of XOOPS 2.3.x, it's included in the installation files, but you will want to get the latest and keep it updated.

Latest version: 3.22 | Website


This module can help protect the following vulnerabilities

  • DoS
  • Bad Crawlers (like bots collecting e-mails...)
  • SQL Injection
  • XSS (not all though)
  • System globals pollution
  • Session hi-jacking
  • Null-bytes
  • Directory Traversal
  • Some kind of CSRF (fatal in XOOPS <=
  • Brute Force
  • Camouflaged Image File Uploading (== IE Content-Type XSS)
  • Executable File Uploading Attack
  • XMLRPC's eval() and SQL Injection Attacks
  • SPAMs for comment, trackback etc.


Fresh Install

You must edit the mainfile.php with the code below if you are installing Protector to an existing XOOPS installation without protector. When you decompress the archive, you will have a standard modules set of files and another set that goes in a trusted directory (preferably outside of the root of your web-docs). Copy those trusted path files to a non-web-accessible directory, per instructions. Edit the mainfile to include the following line (adds the precheck and the postcheck):

include( XOOPS_TRUST_PATH . '/modules/protector/include/precheck.inc.php' );
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {
include XOOPS_ROOT_PATH."/include/common.php";
include(XOOPS_TRUST_PATH . '/modules/protector/include/postcheck.inc.php');
//XOOPS Protector EDIT END

Install the module per standard XOOPS module installation using the administration console.


There may be some files in the TRUST_PATH files that you may want to keep. Do a diff to make sure before you upgrade and lose defined filters and such. And/or backup a copy of the files as usual. Otherwise, copy the files to the modules and trusted path and then update the module in the administrator. This pertains to any upgrade from version 3.0 to current. Upgrades from version 2.0 to current requires some changes to the mainfile inserts as the file organization changed.


Set the preferences as desired. Check out the Security Advisory in the administration section of the module. Make changes as appropriate (this may have undesired effects on modules). If you use phpsuexec or suphp, you won't be able to implement the .htaccess solution suggested by this module. Most well-performing sites now use one or the other of these.


Banned IPs are kept in TRUST_PATH/modules/protector/configs/badipsXXXX. If you get locked out, edit/delete this as appropriate.

Other Pages
Previous Page iSearch - Search Stats for XOOPS Content - Static Pages Next Page
Comments are solely the opionion of the author and not to be construed as the opinion of anyone else.



(c) 2006-2007 - Mark Boyden
Privacy - Legal Stuff - Contacts