Comment by Bender

Absolutely avoid all the extensions. Supposedly that got tightened up in v3.x but I saw some boards get pwned in 2.x from the extensions. Another issue is that most people were too lazy to harden php.ini yup this is a thing and their servers allowed outbound connections so exploiting some of the core code was much easier. Maybe I am just lucky but I never had a security issue with phpBB. One of my earliest forums using phpBB had over 50k people on it. That may not sound like much but it was a niche community and very early in the Internets existence.