SJ77, posted October 26, 2021

I have noticed lots of failed ACP attempts. How secure is the ACP? Are there any tips to harden security? Thank you in advance.
Randy Calvert, posted October 26, 2021

There are a number of things you could do...

- Require the use of 2FA for any account that can access the admin area.
- Rename the admin directory to something more obscure. (/ugaboogatest)
- Use a separate .htaccess password for the admin folder.
- Limit access to the admin folder to only known/trusted IP addresses.
- Use a Zero Trust solution to limit access to the admin folder (such as Cloudflare Teams)
SJ77, posted October 26, 2021

> 2 minutes ago, Randy Calvert said:
> There are a number of things you could do...
> - Require the use of 2FA for any account that can access the admin area.
> - Rename the admin directory to something more obscure. (/ugaboogatest)
> - Use a separate .htaccess password for the admin folder.
> - Limit access to the admin folder to only known/trusted IP addresses.
> - Use a Zero Trust solution to limit access to the admin folder (such as Cloudflare Teams)

What are the steps I need to take to rename the admin directory?
Mark H, posted October 26, 2021

Please keep in mind that the ability to rename the ACP folder is going to be deprecated in a future release. We do not recommend doing that. Instead use the 2FA feature to secure your ACP, and you can also add an .htaccess login form to its folder for an extra layer of protection.

(If you want to be even more secure, and assuming your staff have IP addresses which do not change frequently, you can use an "allow,deny" block in it with those IPs to further secure it.)
SJ77, posted October 26, 2021

> 3 minutes ago, Mark H said:
> Please keep in mind that the ability to rename the ACP folder is going to be deprecated in a future release. We do not recommend doing that. (If you want to be even more secure, and assuming your staff have IP addresses which do not change frequently, you can use an "allow,deny" block in it with those IPs to further secure it.)

Hi, thank you for the information. I won't change the ACP in that case. Do you have some nginx specific tips?
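An nginx equivalent of the .htaccess password prompt plus IP allow list that Mark H describes for Apache, added here as an example and not part of the thread or of Invision Community's own documentation. It assumes the ACP lives at the default /admin/ path, PHP-FPM listening on a unix socket, and a password file at /etc/nginx/acp.htpasswd; hostname, paths, socket and IP ranges are placeholders.

```nginx
# Added example: lock down the Invision Community ACP (assumed at /admin/) in nginx.
# Equivalent of an .htaccess password plus an "allow,deny" IP block on the admin folder.
# Hostname, root, socket, htpasswd path and IP ranges are placeholders to adjust.

server {
    listen 443 ssl;
    server_name forum.example.com;          # placeholder hostname
    root /var/www/forum;                    # placeholder document root

    # Everything under /admin/, including the ACP's PHP entry points.
    # "^~" makes this prefix match win over the top-level regex PHP location.
    location ^~ /admin/ {
        # Both the IP check AND the password must pass (satisfy all is the default,
        # stated explicitly so nobody later switches it to "any" by accident).
        satisfy all;
        allow 203.0.113.0/24;               # placeholder: office range
        allow 198.51.100.7;                 # placeholder: staff VPN address
        deny  all;                          # everyone else gets 403 before the ACP loads

        # HTTP basic auth in front of the ACP login; file created with htpasswd.
        auth_basic           "ACP";
        auth_basic_user_file /etc/nginx/acp.htpasswd;   # placeholder path

        # PHP must be handled inside this block: a top-level "location ~ \.php$"
        # would otherwise serve /admin/index.php without the checks above.
        location ~ \.php$ {
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass   unix:/run/php/php-fpm.sock;   # placeholder socket
        }
    }

    # Normal site traffic, as in an ordinary Invision Community nginx setup.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;       # placeholder socket
    }
}
```

Requests from outside the allow list are refused with 403 before the ACP login form is served, so they stop counting as failed ACP logins and show up in the nginx error log instead.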
Daniel F, posted October 26, 2021

> 28 minutes ago, Randy Calvert said:
> Use a Zero Trust solution to limit access to the admin folder (such as Cloudflare Teams)

I'm using this on all my installations.
SJ77, posted October 26, 2021

> 7 minutes ago, Daniel F said:
> I'm using this on all my installations.

Is there a resource to explain how to get this set up?