
Any ideas for securing access to AdminCP?



I've noticed that the same password you use on your account is used on adminCP which means someone can get full admin access to the site just by finding out your user password. I was wondering if anyone has any ideas for some extra good security measures when it comes to that (extra auth or something). thanks


2 minutes ago, Nathan Explosion said:

Enable 2FA.

Use different accounts - one with no Admin privileges for the front-end, one for the ACP - with different passwords.


Are there any extra authentication settings? Like authenticating to your account/admin panel using Google Auth or something like that?


1 minute ago, Nathan Explosion said:

No.

"I've noticed that the same password you use on your account is used on adminCP which means someone can get full admin access to the site just by finding out your user password."

So don't use the same account for front-end and back-end.

Or protect your account by ADDING A SECOND FACTOR OF AUTHENTICATION as mentioned.

Yup, I've done those steps already; gonna change the admin login directory as well instead of domain.com/admin.


Moving your admin directory, htaccess and removing the link from your theme are archaic and proven to be meh in this day and age.

Google Auth 2FA is enough to secure your account. The person would actually need access to your Google Auth account, password and backup password to even begin to log in to your ACP.

Hiding an ACP is at best a "deterrent" and never a real solution. Additionally, the ACP link is ONLY given to those that have an administrative-level account (so they have an account that can access the ACP).

I'll be honest, if 2FA isn't enough for you, then you are really going outside of the box. Who is in your personal data far enough that you are worried that 2FA isn't enough?

It sounds like you're going through extreme measures to solve an already solved problem.


I'd totally recommend moving the default ACP directory. Security through obscurity is not a wonderful thing to rely on, but in concert with two factor authentication, separate administrative logins, and limiting IP ranges, setting HTTP authentication in addition, etc. you have multiple layers across multiple products to help protect things.

Security is all about layering protections, and it's a good question to raise and discuss. Some other solutions, like Magento as an example, randomize the path to the administrative area.

What you don't want to happen is for an exploit for IPB to be identified, and then some automated script hits the known URL for the administrative login (or to leave a path that makes trying to guess your login over time by automated things an easy task).

You can do things like mark connections that try to access the default path to your ACP as suspect and block further access through your firewall solution as another example. Nothing should be trying to login there except for those people that you've provisioned, so anything that hits it can be safely blocked from accessing anything further.

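The "mark anything that hits the default ACP path from an unprovisioned address as suspect" idea from the last post, written out as an added example (this is not code from the thread or from Invision Community). It assumes a standard combined-format access log, a hypothetical provisioned admin network of 203.0.113.0/24, the default `/admin` path mentioned earlier in the thread, and plain `iptables` drop rules as the firewall side; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist: the network(s) admins have been provisioned from.
PROVISIONED = [ipaddress.ip_network("203.0.113.0/24")]

# Default ACP path discussed in the thread (domain.com/admin).
ADMIN_PREFIX = "/admin"

# Constructed sample traffic, not a real log. Documentation-range addresses only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:12:01:10 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:12:01:11 +0000] "POST /admin/?login HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:12:02:00 +0000] "GET /administrator/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:12:02:05 +0000] "GET /index.php?/forums/ HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
"""


def is_provisioned(ip: str) -> bool:
    """True if the source address falls inside an allowlisted admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVISIONED)


def is_acp_path(raw_path: str) -> bool:
    """Match /admin and anything under /admin/, ignoring the query string
    and not matching lookalikes such as /administrator/."""
    path = raw_path.split("?", 1)[0]
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def suspect_hits(log_text: str) -> dict:
    """Return {ip: hit_count} for unprovisioned sources that touched the ACP path."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_acp_path(m["path"]) and not is_provisioned(m["ip"]):
            counts[m["ip"]] += 1
    return dict(counts)


def block_rules(suspects: dict) -> list:
    """Render one iptables DROP rule per suspect source (any hit is enough)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(suspects)]


if __name__ == "__main__":
    hits = suspect_hits(SAMPLE_LOG)
    print("\n".join(block_rules(hits)))  # 198.51.100.23 is the only unprovisioned ACP visitor
```

Nothing legitimate should reach `/admin` from outside the provisioned ranges, so a single hit is sufficient grounds to block; the allowlist check is what keeps provisioned admins from locking themselves out.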
