msavard Posted November 22, 2017
How do you handle hiding the admin logon page in a live site? Currently, all I need to do is append the root URL with /admin and I will be presented with the opportunity to log in. I don't want internet users to have that ability. Of course, I want to be able to log in and make changes, but allowing other users to see the admin login screen seems to just beg people to try and guess the name/password. Thanks...
dragan Posted November 22, 2017
In the install screens, you have the choice of changing the default backend URL to something else. If you missed that step, you can always alter it later. 2
dragan Posted November 22, 2017
Oh, and actually... you're not "hiding" the login URL with that. You're just making it harder to guess. You would need to add some .htaccess rules to log in first via basic auth, adding another layer of security. 3
heldercervantes Posted November 23, 2017
Until you log in, you're an anonymous visitor like every other guy who accesses the site. So if you hide the admin access, how would PW know it was you? Don't worry. Set up a safe password and you'll be fine. If you really want an extra layer of security, change the admin path to something not obvious like dragan suggested. Anything more isn't worth it. The admin path isn't listed anywhere, and is not indexed by search engines (nothing tells them where it is), so the only way to guess it is just that, to guess it. It's extremely unlikely someone would try that unless you're making a site for the government or a huge brand like Coca-Cola. Also worth mentioning is that if you fail a login 3x, the admin will make you wait 5 seconds before the next attempt. Fail again and it's 10, again and it's 15... Brute-forcing with that protection would take forever. I've mentioned this in various posts in the past about security. I've NEVER heard of a single PW site being hacked. 7
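The escalating delay described in the post above, written out as a small stand-alone PHP class. This is an added illustration of the scheme, not ProcessWire's own SessionLoginThrottle code; the class name, the in-memory store and the fake clock are all constructed for the example.

```php
<?php
// Added illustration (not ProcessWire's own SessionLoginThrottle code) of the
// escalating delay described above: three failures are tolerated, then each
// further failure makes the account wait 5, 10, 15 ... seconds before the next try.
// The clock is injected so the behaviour can be exercised without sleeping.

final class LoginThrottle
{
    private const FREE_ATTEMPTS = 3;   // failures before the first delay kicks in
    private const STEP_SECONDS  = 5;   // delay added per failure beyond that point

    /** @var array<string, array{fails:int, notBefore:int}> in-memory store keyed by account name (constructed) */
    private array $state = [];

    /** @var callable(): int returns the current Unix time */
    private $clock;

    public function __construct(callable $clock)
    {
        $this->clock = $clock;
    }

    /** Seconds the account must still wait; 0 means an attempt may be made now. */
    public function secondsToWait(string $name): int
    {
        if (!isset($this->state[$name])) return 0;
        return max(0, $this->state[$name]['notBefore'] - ($this->clock)());
    }

    /** Call after a wrong password. The delay grows linearly with the failure count. */
    public function recordFailure(string $name): void
    {
        $fails = ($this->state[$name]['fails'] ?? 0) + 1;
        // 1st and 2nd failure: 0s; 3rd: 5s; 4th: 10s; 5th: 15s ...
        $penaltySteps = max(0, $fails - self::FREE_ATTEMPTS + 1);
        $this->state[$name] = [
            'fails'     => $fails,
            'notBefore' => ($this->clock)() + $penaltySteps * self::STEP_SECONDS,
        ];
    }

    /** A correct login clears the counter for that account. */
    public function recordSuccess(string $name): void
    {
        unset($this->state[$name]);
    }
}

// Demonstration with a fake clock (constructed values, no real accounts involved).
$now = 1000;
$throttle = new LoginThrottle(function () use (&$now): int { return $now; });

foreach (range(1, 5) as $attempt) {
    if (($wait = $throttle->secondsToWait('editor')) > 0) {
        printf("attempt %d refused: wait %ds\n", $attempt, $wait);
        $now += $wait;                       // pretend the client waited it out
    }
    $throttle->recordFailure('editor');      // every attempt here uses a wrong password
    printf("failure %d recorded, next attempt allowed in %ds\n",
        $attempt, $throttle->secondsToWait('editor'));
}
```

In a real login handler the check on `secondsToWait()` goes before the password is verified, so an attacker cannot learn anything during the wait, and the state belongs in persistent storage shared by all PHP workers rather than in memory. The linear growth is what makes the post's arithmetic work: after a few hundred failures the wait per attempt is measured in minutes, which is why a dictionary attack against a throttled form is impractical.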
Macrura Posted November 23, 2017
@msavard have you seen this post? https://processwire.com/talk/topic/3706-how-to-blockredirect-one-user-role-away-from-admin-pages/?do=findComment&comment=46421 Also, there are these modules: http://modules.processwire.com/modules/auth2-factor-ppp/ http://modules.processwire.com/modules/session-login-alarm/ 6
Robin S Posted November 23, 2017
If you and your site editors have fixed IP addresses you could use mod_rewrite to redirect away from the Admin page based on IP address. In .htaccess, after RewriteEngine On:

# Define allowed IP addresses
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111
RewriteCond %{REMOTE_ADDR} !^222\.222\.222\.222
# Adjust to suit the name of your Admin page
RewriteCond %{REQUEST_URI} ^/processwire/
# Redirect to home page. Use 302 redirect until finished testing.
RewriteRule ^ / [L,R=301]

4
msavard Posted December 4, 2017 (Author)
Thanks for all the helpful information. I am making the site for a local government agency so I will probably use a couple of these suggestions in tandem. Also, all potential editors will have a fixed IP address so the .htaccess solution might be the simplest.
Pixrael Posted December 4, 2017
Maybe using hooks and URL segments you can throw a 404 if someone visits /admin (trying to guess) but show the login form if they visit /admin/123PIN with a secret PIN for editors. 1
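One way to implement the idea in the post above as a ProcessWire hook, added here as an example and not code from the thread or from ProcessWire itself. It passes the secret as a query parameter (`?gate=...`) instead of a URL segment, because the admin template maps URL segments to process methods; the config key `adminGateKey`, the parameter name `gate` and the session key `adminGateOpen` are names chosen for this example. It assumes the file is `site/ready.php`, that `$config->adminGateKey` is set in `site/config.php`, and that ProcessWire turns the thrown `Wire404Exception` into its normal 404 response, as it does for front-end pages.

```php
<?php namespace ProcessWire;
// site/ready.php (added example; not part of the thread or of ProcessWire core).
// Gate the admin login behind a secret key: without it every admin URL answers
// 404 exactly like a non-existent page; with it the normal login form appears.
// Assumptions: the key lives in $config->adminGateKey (hypothetical name set in
// site/config.php) and is presented once per session as ?gate=<key>.

$wire->addHookBefore('ProcessLogin::execute', function(HookEvent $event) {
    $session = $event->wire('session');
    $user    = $event->wire('user');
    $input   = $event->wire('input');
    $config  = $event->wire('config');

    // Editors who are already authenticated are never gated
    if ($user->isLoggedin()) return;

    // The key was presented earlier in this session, so let the login POST through
    if ($session->get('adminGateOpen')) return;

    $expected = (string) $config->adminGateKey;
    $given    = (string) $input->get('gate');

    // Constant-time comparison so the key's length or prefix does not leak through timing;
    // an empty configured key disables the feature rather than opening the gate to everyone
    if ($expected !== '' && $given !== '' && hash_equals($expected, $given)) {
        $session->set('adminGateOpen', true);
        return;
    }

    // Anything else is indistinguishable from a mistyped URL
    throw new Wire404Exception();
});
```

Two caveats worth keeping in mind. The key travels in the URL, so it lands in browser history, proxy and server logs and any analytics that record the query string; treat it as a second obscurity layer on top of a strong password and the built-in login throttle, not as a credential, and rotate it when an editor leaves. On the detection side the scheme has a pleasant side effect: because a visitor without the key gets a 404, repeated 404s on the admin path in the access log are a clean indicator that someone is probing for the login form.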
bernhard Posted December 5, 2017
On 22.11.2017 at 10:45 PM, msavard said: "but allowing other users to see the admin login screen seems to just beg people to try and guess the name/password"
ProcessWire already makes it very hard for attackers to just guess username+password. And you can even adjust those settings: 4 1
Jonathan Lahijani Posted December 5, 2017
For fun, you could also create a wp-login.php file in your PW root directory so that hackbots get confused (or redirected away, or just shown a blank page). Here's an example of some random website that implements this technique: http://processwire.com/wp-login.php If you've ever looked at a website's access log files, you'll see that that URL is hit all the time. Easy way to prevent a bunch of 404s. 3
Nüsse Posted December 7, 2017
Some background on the wp-login trick Jonathan mentioned can be found here: https://processwire.com/blog/posts/optimizing-404s-in-processwire/ A must-read IMHO. 5