Posted June 1, 2017
I believe one of the security suggestions in the ACP is to rename the admin directory. Even if I do that, it's very easy to expose it. On my two sites, if I go to any post and simply add a number to the URL (https://MySite.com/index.php?/topic/50809X-some-post) and hit enter, I get an error message that says Get Support on the bottom. If I click that link, it tries to log me in to my ACP. Is it me? Did I set up something incorrectly?
June 1, 2017
3 minutes ago, Square Wheels said: I believe one of the security suggestions in the ACP is to rename the admin directory. Even if I do that, it's very easy to expose it. On my two sites, if I go to any post and simply add a number to the URL (https://MySite.com/index.php?/topic/50809X-some-post) and hit enter, I get an error message that says Get Support on the bottom. If I click that link, it tries to log me in to my ACP. Is it me? Did I set up something incorrectly?
Do you see this also as guest / normal member? AFAIK only administrators with ACP access see the 'get support' message.
June 1, 2017, Author
2 hours ago, Daniel F said: Do you see this also as guest / normal member? AFAIK only administrators with ACP access see the 'get support' message.
Not surprisingly, you are correct. I logged out, now I see the Contact Us at the bottom of the error message. Thanks!
August 13, 2019
As long as you are self-hosted you'd create a custom constants.php. We only recommend this for advanced users as it can break your entire site. The specific one is CP_DIRECTORY: We honestly think instead of moving the location of the ACP you should just use 2FA instead to secure your ACP.
August 13, 2019
1 hour ago, Jennifer M said: As long as you are self-hosted you'd create a custom constants.php. We only recommend this for advanced users as it can break your entire site. The specific one is CP_DIRECTORY: We honestly think instead of moving the location of the ACP you should just use 2FA instead to secure your ACP.
Or you could use a password for the directory; again, you'd need to be self-hosted.
August 13, 2019
1 hour ago, Pete T said: Or you could use a password for the directory; again, you'd need to be self-hosted.
Why not both?
August 13, 2019
Just now, Tripp★ said: Why not both?
Well, yes, both are good, plus there are more than a few other ways.
August 13, 2019
Personally, I recommend Two Factor Authentication with Google Authenticator or Authy. That way it's tied to your mobile device.
August 13, 2019
25 minutes ago, Ryan Ashbrook said: Personally, I recommend Two Factor Authentication with Google Authenticator or Authy. That way it's tied to your mobile device.
If one loses their phone and they have forced Google Auth, can this situation ever be fixed?
August 13, 2019
1 minute ago, SJ77 said: If one loses their phone and they have forced Google Auth, can this situation ever be fixed?
Yes.
August 13, 2019
5 hours ago, SJ77 said: If one loses their phone and they have forced Google Auth, can this situation ever be fixed?
You can reset it via email.
August 15, 2019
I actually asked support about this and they told me: "Hello. The feature whereby the admin panel URL could be renamed is being deprecated in an upcoming version, so we strongly recommend not doing that. We suggest you instead enable and force the use of Two Factor Authentication (2FA) for anyone who has access to the Admin Panel. It is far more secure than merely renaming the admin directory. Google Auth is the most common authenticator app and available on all phones now. On the off chance that one of your staff does not have a mobile phone, when they first set up 2FA they can choose 3 questions from a provided list, with answers that only they would know, rather than use the auth app."
August 26, 2019
On 8/13/2019 at 5:40 PM, SJ77 said: If one loses their phone and they have forced Google Auth, can this situation ever be fixed?
Authy also has a Chrome app allowing you to get the codes without dragging your phone out. It's password protected as well, and if your phone goes AWOL you can restore it on the new phone.
This topic is now archived and is closed to further replies.