Invision Community 5: A video walkthrough creating a custom theme and homepage By Matt Thursday at 04:02 PM
Tirel Posted November 6, 2020 Posted November 6, 2020 (edited) Greetings to all! The task is to create a plugin for the security of the admin panel. There are other ways to secure the admin panel, but it is easier for users to do everything through the admin panel in the plugin itself.Task :See the screenshot.Functionality description for the screenshot 1 - shows the current IP of the administrator. 2 - Security activation: status of enabling and disabling the plugin. When disabled, the rules below are not active 3 - AdminCP Hide: Allows you to hide AdminCP on the front in the User Link menu. 4 - Secret key: The link to access the admin panel your-site.com/admin&eour_key secret key link to the admin panel Usually the link in the admin panel looks like this: "your-site.com/admin" - if the "your_key" field is filled in, then the link "your-site.com/admin" not available and redirects (301 reddirects) to "your-site.com/". The link to the admin panel is available only by the secret key link: "your-site.com/admin?your_key". For example, we wrote in "your_key"- "my-secret-link-that-no-one-knows-about" after that, the admin panel can only be accessed by this link: "your-site.com/admin?my-secret-link-that-no-one-knows-about". All other links will lead to the main page "your-site.com/" And if the link to the admin panel matches the key we can use the admin panel. 5 - Secret world: Secret word that will be used to access the authorization panel A secret word is an additional protection that appears before authorization in the admin panel. 6 - Сaptcha: To use captcha, configure Google reCAPTCHA. 7 - IP access: The list of allowed IP addresses for access to the admin panel, separate by ";". The admin panel is available only for the ip addresses written here Footnote:** If suddenly someone picks up the admin password on the front part, the admin rights will not be available until he is logged in to the admin part. the link must also be hidden*** We should also be able to disable the plugin via FTP if the unique link is lost. for example by commenting out some fileScreenshotsADMIN PANEL: FRONT: ***********************************************************************************************************************Please write me in private messages, thank you! Edited November 6, 2020 by Tirel
CoffeeCake Posted November 6, 2020 Posted November 6, 2020 Hi there, I'm not sure you need a plugin/resource to accomplish what you're seeking to do. Are you aware that you can alter the path of the Admin CP via a setting in constants.php? See: CP_DIRECTORY This would address requirement #4 in your list. For #3, you can remove the link from the theme to the ACP. I'd encourage you to look into authorizing access to known IP addresses at the server or firewall level for requirement #7 and blocking all other traffic. If you are trying to prevent malicious actors from gaining elevated access, I'd encourage a multi-layered approach. You can do things like automatically block traffic for any connections attempting to access URLs that they have no business accessing (i.e. if they try to hit /admin, or /wp-login.php). CDNs offer things like this as well out of the box. Best not to put all your eggs in one basket! Tirel 1
AlexWebsites Posted November 6, 2020 Posted November 6, 2020 Can't you already just enable two-factor authentication? Tirel 1
Tirel Posted November 7, 2020 Author Posted November 7, 2020 @Paul E. @AlexWebsites Greetings to all! Guys, thank you of course, but I am aware of all this, and the task is to create a plugin to configure all this directly from the admin panel! I wrote about it above.. I have very little time for this, so I would have implemented it myself. And I'm not really in a hurry to do it. there are more important things to do.
CoffeeCake Posted November 7, 2020 Posted November 7, 2020 10 hours ago, Tirel said: I am aware of all this, and the task is to create a plugin to configure all this directly from the admin panel! Understood, yet by doing so, my concern is that you'd only be adding the impression of additional security, without actually taking measures that would achieve what you appear to be setting out to do. Remember that anything you can control within the ACP, can be controlled by a malicious actor by virtue of exploiting a vulnerability in the software and elevating access. By taking these mitigations to other layers of your stack, you'd achieve the same result in a more hardened manner. Now, to bypass your restrictions, the malicious actor would need to compromise your web server's configuration, your filesystem, and your firewall solution, rather than just get elevated access through a security issue or brute force attack via IPS. I'd encourage you to strongly consider hiring a consultant to do those things for you according to best practices if time is the issue, rather than hire someone to develop a plugin or application that can simply be disabled and does little to protect your community in the end. Tirel 1
Recommended Posts