[yaysloths]

So the background is this: I’m creating a website that is basically just one single forum, and it’s important that it be as private as possible. I understand that it’s impossible to guarantee security for pretty much anything online, and I’m not talking about huge matters of national security or anything; it’s just an online extension of a support group I’m part of, and it would be easier to talk about some of the difficult things we’re talking about if it we felt relatively secure that it was just us reading it.

And I’m being extra-difficult by trying to make the “front page” actually be the forum page – seeing as how there’s only one, it seemed silly to click through two screens to get to the content. I followed chrishajers’ ninja code here and it’s awesome.

Then I tried to find the Force Login plugin but got a 404 when I tried to download it. So I tried the Hidden Forums plugin and chased my own tail for a few hours trying to get it to work. Couldn’t do it, gave up, found this version of Force Login, installed it, all good! (Well, except for there not being an option to register, only log in, but I can deal with that later.)

Then I got paranoid and figured I’d try adding Hidden Forums again (JUST TO BE SAFE DON’T YOU KNOW) and I found this. Neat! Changed that line of code, and everything was great when I logged in as admin/keymaster. It was great when I logged in as a test member who had access to the forum. Then I tried to log in as a test member who did NOT have access to the forum, and it threw Foxfire into a redirect loop and timed out. I couldn’t get the login page back at all, so I manually deleted the Hidden Forums plugin from my server & I could get back in.

It makes perfect sense that bbpress wouldn’t really know what to do when it’s simultaneously told “don’t show any hidden forums!” and “there’s only one forum and it’s hidden!” So I’m wondering what the best way is to proceed…if I just have Force Login working (as well as Approve User Registration), is Hidden Forums overkill? Or is Hidden Forums a stronger plugin, and I should lose Force Login? Or does it make sense to try to get them both to work?

And as far as other security measures go, I’ve got this going on in the header:

<META NAME="ROBOTS" CONTENT="NONE">

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">

…and a robots.txt with this:

User-agent: *

Disallow: /

Am I missing anything? Many thanks for your help, and even more for your patience.

[chrishajer]

I would use the Hidden Forums plugin.

For the meta tags, since bbPress tries to use XHTML 1.1 strict, you should make those lowercase and self-closed:

<meta name="robots" content="noindex, nofollow" />

<meta http-equiv="cache-control" content="no-cache" />

<meta http-equiv="pragma" content="no-cache" />

Also, I’ve never heard of robots =none – read up on that to be sure you have it right. noindex, nofollow is how I’ve seen it.

The meta robots tag and the robots.txt just tell search engines that listen to not index the content. Some search engines still might index the content if they don’t obey the robots ‘standards’. So, you need to ensure the content is not visible to anyone unless that individual is logged in. I would use hidden forums for that. Or password protect the whole installation, like an intranet, and give everyone in your group that login.

[yaysloths]

1. Thanks for the lower-case tip; actually not sure how they ended up in all caps. I’ll blame it on the cat.
2. I hadn’t heard of robots=none either, but a fairly net-savvy friend said it was easier than entering the various individual instructions (since apparently there are some obscure ones besides noindex, nofollow?). A Google search turns up pages that seem to agree (see # 4), but maybe I should change it back to be safe.
3. The intranet idea is a neat one, but I think it’s beyond the scope of my capabilities right now (inasmuch as I have no idea how to go about it). I think I’d feel ok with just the Hidden Forums plugin, but I don’t know how to configure things such that it doesn’t keep crashing the site when someone not authorized (or not authorized yet) tries to log in. I don’t know PHP well enough to manipulate the code such that a person would just be directed to a “sorry, this site is private” page instead of causing the infinite redirect loop. Bummer.

[chrishajer]

2. – apparently none is just shorthand for noindex, nofollow. I’ve always explicitly set them, and there’s really just 4 combinations.

index, follow

index, nofollow

noindex, follow

noindex, nofollow

In any case, looks like you sorted that.

Never having tried to do what you’re doing, I’m not sure what the answer is to making the Hidden Forums plugin work for you.

Making the whole installation require a login is not that big a deal. Sometimes you can protect a whole directory in your host’s control panel. The bigger problem (for me) is getting the password to everyone you want to have it, unless it’s a group that communicates in other ways, then you can distribute it there.