6ichem (Posted January 10, 2021): I've noticed that the same password you use on your account is used on the adminCP, which means someone can get full admin access to the site just by finding out your user password. I was wondering if anyone has any ideas for some extra good security measures when it comes to that (extra auth or something). Thanks.
Nathan Explosion (Posted January 10, 2021, edited): Enable 2FA. Use different accounts - one with no Admin privileges for the front-end, one for the ACP - with different passwords.
6ichem (Author, Posted January 10, 2021), quoting Nathan Explosion (2 minutes ago): "Enable 2FA. Use different accounts - one with no Admin privileges for the front-end, one for the ACP - with different passwords." Are there any extra authentication settings? Like authenticating to your account/admin panel using Google Auth or something like that?
Nathan Explosion (Posted January 10, 2021, edited), quoting himself (5 minutes ago): "Enable 2FA." and 6ichem (2 minutes ago): "Like you authentication to your account/admin panel using google auth or something like that" Log in to your ACP - type 2fa into the search bar, click the result.
6ichem (Author, Posted January 10, 2021), quoting Nathan Explosion (2 minutes ago): I mean extra authentication here instead of just username/pwd:
Nathan Explosion (Posted January 10, 2021): No. "I've noticed that the same password you use on your account is used on adminCP which means someone can get full admin access to the site just by finding out your user password." So don't use the same account for front-end and back-end. Or protect your account by ADDING A SECOND FACTOR OF AUTHENTICATION as mentioned.
6ichem (Author, Posted January 10, 2021), quoting Nathan Explosion (1 minute ago): "No. 'I've noticed that the same password you use on your account is used on adminCP which means someone can get full admin access to the site just by finding out your user password.' So don't use the same account for front-end and back-end. Or protect your account by ADDING A SECOND FACTOR OF AUTHENTICATION as mentioned." Yup, I've done those steps already; gonna change the admin login directory as well instead of domain.com/admin.
CoffeeCake (Posted January 10, 2021): Some additional steps could be limiting access via your web server to certain known IP addresses or ranges and implementing HTTP authentication. 2FA for certain as a minimum.
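A concrete form of the web-server restriction CoffeeCake suggests, written here as an added example (it is not from the thread and not Invision Community's own configuration): an Apache 2.4 block that serves the ACP directory only to a known IP range and, on top of that, demands HTTP Basic authentication before the application's own login page is ever reached. The path /admin, the range 203.0.113.0/24 and the htpasswd file location are assumed placeholder values; adjust the path if the ACP directory has been renamed.

```apache
# Assumed placeholder values: the ACP path, the trusted office range and
# the password file location must be replaced with your own.
<Location "/admin">
    AuthType Basic
    AuthName "Restricted admin area"
    AuthUserFile /etc/apache2/.htpasswd-acp

    # RequireAll: the client must BOTH come from the trusted range AND
    # present valid HTTP credentials. Using <RequireAny> instead would let
    # either condition alone through, which is weaker than intended.
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Location>
```

Create the password file once with `htpasswd -c /etc/apache2/.htpasswd-acp <username>` and keep it outside the web root. Because the HTTP credentials are separate from the forum account, a leaked forum password alone no longer gets an attacker to the ACP login form, which is exactly the gap the original post describes.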
Jock3r (Posted January 11, 2021): Also, another good measure would be to hide the ACP link from your theme and name the ACP folder a random string.
Morrigan (Posted January 11, 2021): Moving your admin directory, htaccess and removing the link from your theme are archaic and proven to be meh in this day and age. Google Auth 2FA is enough to secure your account. The person would actually need access to your Google Auth account, password and backup password to even begin to log in to your ACP. Hiding an ACP is at best a "deterrent" and never a real solution. Additionally, the ACP link is ONLY given to those that have an administrative level account (so they have an account that can access the ACP). I'll be honest, if 2FA isn't enough for you, then you are really going outside of the box. Who is in your personal data far enough that you are worried that 2FA isn't enough? It sounds like you're going through extreme measures to solve an already solved problem.
CoffeeCake (Posted January 11, 2021): I'd totally recommend moving the default ACP directory. Security through obscurity is not a wonderful thing to rely on, but in concert with two-factor authentication, separate administrative logins, limiting IP ranges, setting HTTP authentication in addition, etc., you have multiple layers across multiple products to help protect things. Security is all about layering protections, and it's a good question to raise and discuss. Some other solutions, like Magento as an example, randomize the path to the administrative area. What you don't want to happen is for an exploit for IPB to be identified, and then some automated script hits the known URL for the administrative login (or to leave a path that makes trying to guess your login over time by automated things an easy task). You can do things like mark connections that try to access the default path to your ACP as suspect and block further access through your firewall solution as another example. Nothing should be trying to log in there except for those people that you've provisioned, so anything that hits it can be safely blocked from accessing anything further.
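The "mark anything that touches the default ACP path as suspect and block it" idea from CoffeeCake's post, worked through as an added example (not code from the thread or from Invision Community). It assumes the ACP has already been moved off /admin, so no legitimate request should ever hit the old path, and that the real ACP directory (here the hypothetical /acp-7f3e9c) is only meant to be reached from an allowlisted range (the hypothetical 203.0.113.0/24). It parses constructed access-log lines in the common Apache/nginx combined format, flags clients that probe the decoy path or reach the real path from outside the allowlist, and renders a deny list as ufw commands for a firewall.

```python
"""Flag and block clients probing the default ACP path.

Added example, not Invision Community code. Assumptions (all constructed
for this example): the ACP was moved from /admin to /acp-7f3e9c, and only
203.0.113.0/24 is meant to reach the real ACP.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

DEFAULT_ACP_PREFIX = "/admin"        # well-known path automated scripts try first
REAL_ACP_PREFIX = "/acp-7f3e9c"      # hypothetical renamed ACP directory
ACP_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical trusted range

# Constructed sample log: two probes of the decoy path, one legitimate admin,
# one stranger who found the real path, two unrelated requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2021:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Jan/2021:12:00:02 +0000] "POST /admin/index.php HTTP/1.1" 404 196 "-" "python-requests/2.25"',
    '203.0.113.42 - - [10/Jan/2021:12:01:10 +0000] "GET /acp-7f3e9c/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2021:12:02:00 +0000] "GET /acp-7f3e9c/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2021:12:03:00 +0000] "GET /administrators HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jan/2021:12:04:00 +0000] "GET /forum/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_default_acp_probe(path: str) -> bool:
    """True for /admin and anything under /admin/, but not e.g. /administrators."""
    return path == DEFAULT_ACP_PREFIX or path.startswith(DEFAULT_ACP_PREFIX + "/")


def ip_allowed_for_acp(ip: str) -> bool:
    """True if the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACP_ALLOWLIST)


def analyse(lines: Iterable[str]) -> Dict[str, object]:
    """Scan log lines; return the set of IPs to block and a per-IP hit count."""
    probes: Counter = Counter()
    block: Set[str] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the scan
        ip, path = rec["ip"], rec["path"]
        if is_default_acp_probe(path):
            # Nothing legitimate lives at the old path any more: every hit is a probe.
            probes[ip] += 1
            block.add(ip)
        elif path.startswith(REAL_ACP_PREFIX) and not ip_allowed_for_acp(ip):
            # Someone reached the real ACP path from outside the trusted range.
            probes[ip] += 1
            block.add(ip)
    return {"block": block, "probes": dict(probes)}


def ufw_deny_rules(ips: Set[str]) -> List[str]:
    """Render the block set as ufw commands (inserted at rule position 1)."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in sorted(ips)]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for rule in ufw_deny_rules(result["block"]):
        print(rule)
```

In practice this would run over the live access log (or be replaced by a fail2ban jail with an equivalent regex), and the decoy path could be kept serving a plain 404 so that scanners learn nothing from it. The allowlist check on the real path is what keeps the renamed directory from being a pure obscurity measure.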