Square Wheels

Any value in renaming the admin directory?

I believe one of the security suggestions in the ACP is to rename the admin directory. Even if I do that, it's very easy to expose it.

On my two sites, if I go to any post and simply add a number to the URL (https://MySite.com/index.php?/topic/50809X-some-post) and hit enter, I get an error message that says Get Support on the bottom.  If I click that link, it tries to log me in to my ACP.

Is it me?  Did I set up something incorrectly?

3 minutes ago, Square Wheels said:

I believe one of the security suggestions in the ACP is to rename the admin directory. Even if I do that, it's very easy to expose it.

On my two sites, if I go to any post and simply add a number to the URL (https://MySite.com/index.php?/topic/50809X-some-post) and hit enter, I get an error message that says Get Support on the bottom.  If I click that link, it tries to log me in to my ACP.

Is it me?  Did I set up something incorrectly?

Do you see this also as guest / normal member? AFAIK only administrators with ACP access see the 'get support' message.

2 hours ago, Daniel F said:

Do you see this also as guest / normal member? AFAIK only administrators with ACP access see the 'get support' message.

Not surprisingly, you are correct. I logged out; now I see the Contact Us at the bottom of the error message.

Thanks!


As long as you are self-hosted, you'd create a custom constants.php. We only recommend this for advanced users as it can break your entire site. The specific one is CP_DIRECTORY:

 

We honestly think instead of moving the location of the ACP you should just use 2FA instead to secure your ACP.

1 hour ago, Jennifer M said:

As long as you are self-hosted, you'd create a custom constants.php. We only recommend this for advanced users as it can break your entire site. The specific one is CP_DIRECTORY:

 

We honestly think instead of moving the location of the ACP you should just use 2FA instead to secure your ACP.

Or you could use a password for the directory; again, you need to be self-hosted.

25 minutes ago, Ryan Ashbrook said:

Personally, I recommend Two Factor Authentication with Google Authenticator or Authy. That way it's tied to your mobile device.

If one loses their phone and they have forced Google Auth, can this situation ever be fixed?


I actually asked support about this and they told me:

"Hello.

The feature whereby the admin panel URL could be renamed is being deprecated in an upcoming version, so we strongly recommend not doing that.

We suggest you instead enable and force the use of Two Factor Authentication (2FA) for anyone who has access to the Admin Panel.

It is far more secure than merely renaming the admin directory. Google Auth is the most common authenticator app and available on all phones now.

On the off chance that one of your staff does not have a mobile phone, when they first set up 2FA they can choose 3 questions from a provided list, with answers that only they would know, rather than use the auth app."

On 8/13/2019 at 5:40 PM, SJ77 said:

If one loses their phone and they have forced Google Auth, can this situation ever be fixed?

Authy also has a Chrome app allowing you to get the codes without dragging your phone out. It's password protected as well, and if your phone goes AWOL you can restore it on the new phone.
