Author Topic: extra security to admin  (Read 830 times)

Offline noname8

  • Posts: 151
extra security to admin
« on: December 15, 2019, 09:25:06 PM »
Just for an extra layer of security, do you recommend adding an .htaccess / Apache user file to make the /admin folder only accessible if you first enter a password?

Of course, this would be bad if the server cookie time is 15 minutes or less; it will kick you out.

So, alternatively, is there a .php file that gets included in every /admin/* GET and POST, to which I could add a cookie-based extra login or exit()-type layer of security?

Offline dbs

  • Betatester
  • Posts: 8399
Re: extra security to admin
« Reply #1 on: December 16, 2019, 02:34:26 PM »
An alternative is to rename the admin folder (also in config.php).
In many cases, an .htaccess is also a pain for other users of the website.

Offline noname8

  • Posts: 151
Re: extra security to admin
« Reply #2 on: December 17, 2019, 06:56:50 PM »
That's true, it's a pain.
Renaming would be good also, thanks. But I should have done this years ago; now changing the admin URL would cause too much pain if I don't make some kind of link to the new folder.
A link would still prevent automated /admin-targeting scripts.

Offline crnogorac081

  • Posts: 1945
Re: extra security to admin
« Reply #3 on: December 17, 2019, 09:18:35 PM »
Can you explain to me from whom and what you are protecting the administration?
The login script/page is pretty much protected.
And when you log in, there are other types of protection.
There is a saying in coding: never trust user input.
UI / UX Designer

Offline noname8

  • Posts: 151
Re: extra security to admin
« Reply #4 on: December 19, 2019, 09:14:35 AM »
Like in WordPress, most exploits come from the admin files,
so I would like to protect the whole /admin folder so that nothing gets run from there if it's not first authenticated.
Even the files that, for whatever reason, do not include the normal config and login-method files.

I had an idea that this could be done with .htpasswd
or with an .htaccess prepend file.
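
The .htpasswd idea from the last post, written out as an added configuration example (it is not from the thread and not WebsiteBaker's own configuration). It assumes Apache 2.4 with `AllowOverride AuthConfig` for the directory and a site served over HTTPS; the file paths and the `admin_gate.php` name are hypothetical placeholders.

```apache
# /admin/.htaccess  (constructed example; all paths are placeholders)
#
# Apache checks these rules before it hands the request to PHP, so they
# cover every file under /admin/, including scripts that never include
# config.php or the CMS login check.
#
# Basic auth keeps no server-side session: the browser resends the
# credentials with each request for as long as it stays open.

AuthType Basic
AuthName "Admin area"

# Keep the password file outside the document root so it can never be
# fetched over HTTP. Create it once with bcrypt hashing:
#   htpasswd -c -B /path/outside/docroot/.htpasswd someuser
AuthUserFile /path/outside/docroot/.htpasswd

Require valid-user

# Basic auth sends the password base64-encoded, not encrypted, so refuse
# plain-HTTP requests to this directory when mod_ssl is available.
<IfModule mod_ssl.c>
    SSLRequireSSL
</IfModule>

# Never serve .htaccess / .htpasswd style files from this directory.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Alternative from the post: a PHP gate run before every script in /admin/.
# php_value only works when PHP runs as an Apache module (mod_php) and
# AllowOverride permits Options; under PHP-FPM or CGI the same setting goes
# in a .user.ini file instead. admin_gate.php is a hypothetical script that
# checks the extra login and calls exit() when it fails. It protects .php
# files only, not static files in the folder.
#
# php_value auto_prepend_file "/path/outside/docroot/admin_gate.php"
```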