Been reading your NoNonsenseForum code, and two things you might want to consider:
1) per-user random salts
2) You have a potential race condition in your code with regards to posting replies in a thread. A new post can have been posted (and written to the XML file) between the time the server reads the current XML and when it writes the updated XML, thus loosing the post written in between.
And just out of curiosity: Why do you limit the lengths of usernames, passwords when they're being hashed? And why limit the length of posts at all?
Also, you might want to put the mods in an array after first fetch, and on later use in the same execution just read from the array to avoid reading the file many times. This is not an issue now, but could be in the future if you, for instance, would want to highlight moderator posts or do something else that required you to call isMod multiple times.
Otherwise a great initiative - we need forum software that remember the motivation behind forums in the first place!