SJ77 Posted October 26, 2021 Share Posted October 26, 2021 I have noticed lot's of failed ACP attempts. How secure is the ACP? Are there any tips to harden security? Thank you in advance. Link to comment Share on other sites More sharing options...
Randy Calvert Posted October 26, 2021 Share Posted October 26, 2021 There are a number of things you could do... Require the use of 2FA for any account that can access the admin area. Rename the admin directory to something more obscure. (/ugaboogatest) Use a separate .htaccess password for the admin folder. Limit access to the admin folder to only known/trusted IP addresses. Use a Zero Trust solution to limit access to the admin folder (such as Cloudflare Teams) SJ77 1 Link to comment Share on other sites More sharing options...
SJ77 Posted October 26, 2021 Author Share Posted October 26, 2021 2 minutes ago, Randy Calvert said: There are a number of things you could do... Require the use of 2FA for any account that can access the admin area. Rename the admin directory to something more obscure. (/ugaboogatest) Use a separate .htaccess password for the admin folder. Limit access to the admin folder to only known/trusted IP addresses. Use a Zero Trust solution to limit access to the admin folder (such as Cloudflare Teams) What are the steps I need to take to rename the admin directory? Link to comment Share on other sites More sharing options...
Mark H Posted October 26, 2021 Share Posted October 26, 2021 Please keep in mind that the ability to rename the ACP folder is going to be deprecated in a future release. We do not recommend doing that. Instead use the 2FA feature to secure your ACP, and you can also add an .htaccess login form to its folder for an extra layer of protection. (If you want to be even more secure, and assuming your staff have IP Addresses which do not change frequently, you can use an "allow,deny" block in it with those IP's to further secure it.) SJ77 1 Link to comment Share on other sites More sharing options...
SJ77 Posted October 26, 2021 Author Share Posted October 26, 2021 3 minutes ago, Mark H said: Please keep in mind that the ability to rename the ACP folder is going to be deprecated in a future release. We do not recommend doing that. (If you want to be even more secure, and assuming your staff have IP Addresses which do not change frequently, you can use an "allow,deny" block in it with those IP's to further secure it.) HI thank you for the information. I won't change the ACP in that case. Do you have some nginx specific tips? Link to comment Share on other sites More sharing options...
Daniel F Posted October 26, 2021 Share Posted October 26, 2021 28 minutes ago, Randy Calvert said: Use a Zero Trust solution to limit access to the admin folder (such as Cloudflare Teams) I'm using this on all my installations. Link to comment Share on other sites More sharing options...
SJ77 Posted October 26, 2021 Author Share Posted October 26, 2021 7 minutes ago, Daniel F said: I'm using this on all my installations. Is there a resource to explain how to get this set up? Link to comment Share on other sites More sharing options...
Recommended Posts