Square Wheels Posted June 1, 2017 Share Posted June 1, 2017 I believe one of the security suggestions in the ACP is to rename the admin directory. Even if I do that' it's very easy to expose it. On my two sites, if I go to any post and simply add a number to the URL (https://MySite.com/index.php?/topic/50809X-some-post) and hit enter, I get an error message that says Get Support on the bottom. If I click that link, it tries to log me in to my ACP. Is it me? Did I set up something incorrectly? Link to comment Share on other sites More sharing options...
Daniel F Posted June 1, 2017 Share Posted June 1, 2017 3 minutes ago, Square Wheels said: I believe one of the security suggestions in the ACP is to rename the admin directory. Even if I do that' it's very easy to expose it. On my two sites, if I go to any post and simply add a number to the URL (https://MySite.com/index.php?/topic/50809X-some-post) and hit enter, I get an error message that says Get Support on the bottom. If I click that link, it tries to log me in to my ACP. Is it me? Did I set up something incorrectly? Do you see this also as guest / normal member? AFAIK only administrators with ACP access see the 'get support' message. Link to comment Share on other sites More sharing options...
Square Wheels Posted June 1, 2017 Author Share Posted June 1, 2017 2 hours ago, Daniel F said: Do you see this also as guest / normal member? AFAIK only administrators with ACP access see the 'get support' message. Not surprisingly, you are correct. I logged it now I see the Contact Us at the bottom of the error message. Thanks! Link to comment Share on other sites More sharing options...
toprobroy Posted August 13, 2019 Share Posted August 13, 2019 So is there anywhere that advises and shows how to do this in 4.4.x? Link to comment Share on other sites More sharing options...
Jennifer M Posted August 13, 2019 Share Posted August 13, 2019 As long as you are self hosted you'd create a custom constants.php. We only recommend this for advanced users as it can break your entire site. The specific one is CP_DIRECTORY: We honestly think instead of moving the location of the ACP you should just use 2FA instead to secure your ACP. Link to comment Share on other sites More sharing options...
Pete T Posted August 13, 2019 Share Posted August 13, 2019 1 hour ago, Jennifer M said: As long as you are self hosted you'd create a custom constants.php. We only recommend this for advanced users as it can break your entire site. The specific one is CP_DIRECTORY: We honestly think instead of moving the location of the ACP you should just use 2FA instead to secure your ACP. Or you could use a password for directory again need be self hosted. Link to comment Share on other sites More sharing options...
Tripp★ Posted August 13, 2019 Share Posted August 13, 2019 1 hour ago, Pete T said: Or you could use a password for directory again need be self hosted. Why not both? Link to comment Share on other sites More sharing options...
Pete T Posted August 13, 2019 Share Posted August 13, 2019 Just now, Tripp★ said: Why not both? well yes both are good plus are more then few other ways. Link to comment Share on other sites More sharing options...
Ryan Ashbrook Posted August 13, 2019 Share Posted August 13, 2019 Personally, I recommend Two Factor Authentication with Google Authenticator or Authy. That way it's tied to your mobile device. Link to comment Share on other sites More sharing options...
SJ77 Posted August 13, 2019 Share Posted August 13, 2019 25 minutes ago, Ryan Ashbrook said: Personally, I recommend Two Factor Authentication with Google Authenticator or Authy. That way it's tied to your mobile device. If one loses their phone and they have forced Google Auth, can this situation ever be fixed? Link to comment Share on other sites More sharing options...
Ryan Ashbrook Posted August 13, 2019 Share Posted August 13, 2019 1 minute ago, SJ77 said: If one loses their phone and they have forced Google Auth, can this situation ever be fixed? Yes. Link to comment Share on other sites More sharing options...
Hexsplosions Posted August 13, 2019 Share Posted August 13, 2019 5 hours ago, SJ77 said: If one loses their phone and they have forced Google Auth, can this situation ever be fixed? You can reset it via email. Link to comment Share on other sites More sharing options...
CyanideBurial Posted August 15, 2019 Share Posted August 15, 2019 I actually asked support about this and they told me "Hello. The feature whereby the admin panel URL could be renamed is being deprecated in an upcoming version, so we strongly recommend not doing that. We suggest you instead enable and force the use of Two Factor Authentication (2FA) for anyone who has access to the Admin Panel. It is far more secure than merely renaming the admin directory. Google Auth is the most common authenticator app and available on all phones now. On the off chance that one of your staff does not have a mobile phone, when they first setup 2FA they can choose 3 questions from a provided list, with answers that only they would know, rather than use the auth app" Link to comment Share on other sites More sharing options...
sudo Posted August 26, 2019 Share Posted August 26, 2019 On 8/13/2019 at 5:40 PM, SJ77 said: If one loses their phone and they have forced Google Auth, can this situation ever be fixed? Authy also has a Chrome app allowing you to get the codes without dragging your phone out. Its password protected as well and if you phone goes AWOL you can restore it on the new phone. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.