Better Admin Security
This tutorial deals with better securing an admin app. Commonly, third-party app admin control panels are secured using form-based authentication. That is better than nothing, but it can be compromised. Here is a stronger approach you can use in addition.
A. Admin Control Panel as Directory
Typically, the admin control panel is located in its own directory. This is ideal. It is how Password Sentry, WordPress, and many apps do it. Here is how you can maximize security of the admin area.
1. Password protect your admin directory using Basic Authentication. You can use our PassProtector Tool to do this. Even if your admin scripts are already password protected (via form-based authentication), you should still password protect the directory to maximize security. Note that Password Sentry already does this.
2. Rename the admin directory to something random. For example, rename 'admin' to 'x4Gf29LmN'. That will go a long way toward keeping it hidden, and out of the hands of hackers.
3. Limit access to admin directory to only your IP address. You can do this by adding the following lines to the .htaccess file in your admin directory:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Replace xxx.xxx.xxx.xxx with your IP address. You can add additional IP addresses in a similar fashion. For example:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Allow from zzz.zzz.zzz.zzz
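Steps 1 and 3 above end up in the same .htaccess file, so here is what the combined file for the renamed admin directory looks like. This is an added example, not the page's own configuration or the output of the PassProtector Tool: the .htpasswd path is a placeholder, the two addresses are documentation-range IPs standing in for xxx.xxx.xxx.xxx and zzz.zzz.zzz.zzz, and the AuthName text is arbitrary. Apache only allows comments on their own lines, which is why none sit after a directive.

```apache
# .htaccess for the renamed admin directory (added example; values are placeholders)

# Basic Authentication. AuthUserFile must be an absolute path; keep the
# password file outside the web root so it can never be downloaded.
AuthType Basic
AuthName "Admin area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Apache 2.2 access control (on 2.4 this needs mod_access_compat):
# deny everyone, then re-allow only the listed addresses.
Order Deny,Allow
Deny from all
Allow from 203.0.113.7
Allow from 198.51.100.20

# Both checks must pass. All is Apache's default, stated here for clarity.
Satisfy All
```

On Apache 2.4 without mod_access_compat, the Order/Deny/Allow lines are replaced by `Require ip 203.0.113.7 198.51.100.20` placed together with `Require valid-user` inside a `<RequireAll>` block, which gives the same "both must pass" behaviour. If the server sits behind a reverse proxy or CDN, the address Apache sees is the proxy's, not the client's, so the IP restriction will not behave as intended until the proxy is configured to pass the client address through and Apache is configured to trust it.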
B. Admin Control Panel as File
This applies when the admin control panel exists not as a directory but as a single file, for example admin.php. Here is how you can maximize security of the admin script.
1. Password protect your admin file using Basic Authentication. You can use our PassProtector Tool to do this. Even if your admin script is already password protected (via form-based authentication), you should still password protect the file to maximize security. Since you are only password protecting a single file rather than a directory, you need to make one change: scope the directive to that file. Change:
require valid-user
to:
<Files "admin.php">
require valid-user
</Files>
2. Rename the admin file to something random. For example, rename 'admin.php' to something like 'x4Gf29LmN.php'. That will go a long way toward keeping it hidden, and out of the hands of hackers.
3. Limit access to the admin file to only your IP address. You can do this by adding the following lines to the .htaccess file in the same directory as the admin file (the <Files> block scopes the restriction to that one file rather than the whole directory):
<Files "admin.php">
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>
Replace xxx.xxx.xxx.xxx with your IP address. You can add additional IP addresses in a similar fashion. And, if you are combining this with Basic Authentication of the file:
<Files "admin.php">
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
require valid-user
</Files>
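The Order/Deny/Allow directives in sections A and B are easy to get subtly wrong: the Order line decides both which list wins on a conflict and what happens to a client that matches neither. The following Python model, added here as an illustration and not part of Password Sentry or of Apache, implements the Apache 2.2 mod_access rules for those three directives and the default Satisfy All combination with `require valid-user`, then runs the page's snippets against constructed addresses (203.0.113.7 stands in for the admin's own xxx.xxx.xxx.xxx, 198.51.100.20 for any other client). It assumes hosts are written as IP addresses, CIDR blocks, partial dotted prefixes or `all` (hostname patterns are not modelled) and treats the snippet as already scoped to the request, so `<Files>` lines are skipped.

```python
"""Model of Apache 2.2 mod_access evaluation for Order / Deny from / Allow from,
plus the Satisfy All combination with Basic Authentication.
Added example; not Password Sentry's or Apache's code. Assumes IP-style host
patterns only and that the snippet already applies to the request."""
import ipaddress


def host_matches(client_ip: str, pattern: str) -> bool:
    """True if client_ip matches one Allow/Deny host pattern (IP forms only)."""
    if pattern.lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:                                     # CIDR block, e.g. 203.0.113.0/24
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.count(".") < 3 or pattern.endswith("."):    # partial prefix, e.g. 203.0.113
        return client_ip.startswith(pattern.rstrip(".") + ".")
    return addr == ipaddress.ip_address(pattern)


def parse_rules(htaccess_text: str):
    """Pull Order, Allow from, Deny from and Require out of an .htaccess snippet."""
    order, allows, denies, needs_auth = "deny,allow", [], [], False  # Apache default Order
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                                # blank, comment, or <Files>/</Files> line
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
        elif key == "require":
            needs_auth = True
    return order, allows, denies, needs_auth


def ip_allowed(htaccess_text: str, client_ip: str) -> bool:
    """mod_access semantics: Order decides which list overrides and the default verdict."""
    order, allows, denies, _ = parse_rules(htaccess_text)
    in_allow = any(host_matches(client_ip, p) for p in allows)
    in_deny = any(host_matches(client_ip, p) for p in denies)
    if order == "deny,allow":
        # Deny evaluated first, Allow last: an Allow match overrides; unmatched -> allowed
        return in_allow or not in_deny
    if order == "allow,deny":
        # Allow evaluated first, Deny last: a Deny match overrides; unmatched -> denied
        return in_allow and not in_deny
    raise ValueError(f"unsupported Order value: {order}")


def request_allowed(htaccess_text: str, client_ip: str, authenticated: bool) -> bool:
    """Satisfy All (Apache's default): the IP rules and Basic Auth must both pass."""
    _, _, _, needs_auth = parse_rules(htaccess_text)
    return ip_allowed(htaccess_text, client_ip) and (authenticated or not needs_auth)


# Constructed inputs: documentation-range addresses, not real hosts.
ADMIN_IP, OTHER_IP = "203.0.113.7", "198.51.100.20"

PAGE_RULES = """Order Deny,Allow
Deny from all
Allow from 203.0.113.7
"""
# Same lines with the Order reversed: Deny now overrides Allow and everyone is locked out.
MISORDERED = PAGE_RULES.replace("Order Deny,Allow", "Order Allow,Deny")
# 'Deny from all' forgotten: with Deny,Allow an unmatched client is allowed, so nobody is blocked.
NO_DENY = """Order Deny,Allow
Allow from 203.0.113.7
"""
# Section B: IP restriction and Basic Authentication combined for one file.
COMBINED = """<Files "admin.php">
Order Deny,Allow
Deny from all
Allow from 203.0.113.7
require valid-user
</Files>
"""


def check_all() -> dict:
    """Verdict for each snippet and client; True means the request gets through."""
    return {
        "page/admin": ip_allowed(PAGE_RULES, ADMIN_IP),                # True
        "page/other": ip_allowed(PAGE_RULES, OTHER_IP),                # False
        "misordered/admin": ip_allowed(MISORDERED, ADMIN_IP),          # False: admin locked out too
        "no_deny/other": ip_allowed(NO_DENY, OTHER_IP),                # True: nothing blocked
        "combined/admin/no-auth": request_allowed(COMBINED, ADMIN_IP, False),  # False
        "combined/admin/auth": request_allowed(COMBINED, ADMIN_IP, True),      # True
        "combined/other/auth": request_allowed(COMBINED, OTHER_IP, True),      # False
    }


if __name__ == "__main__":
    for case, verdict in check_all().items():
        print(f"{case:24} -> {'allowed' if verdict else 'denied'}")
```

Two of the cases are the ones to remember: with `Order Allow,Deny` the same three lines lock the admin out as well, and with `Deny from all` omitted the `Allow from` line blocks nobody. After editing the real .htaccess, test it the same way: once from the allowed address and once from another network, expecting a 403 from the latter before the password prompt ever appears.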