Jump to content

Hiding admin login


msavard
 Share

Recommended Posts

How do you handle hiding the admin logon page in a live site? Currently, all I need to do is append the root url with /admin and I will be presented with the opportunity to log in. I don't want internet users to have that ability. Of course, I want to be able to log in and make changes but allowing other users to see the admin login screen seems to just beg people to try and guess the name/password.

Thanks...

Link to comment
Share on other sites

Until you login, you're an anonymous visitor like every other guy who accesses the site. So if you hide the admin access, how would PW know it was you?

Don't worry. Set up a safe password and you'll be fine. If you really want an extra layer of security, change the admin path to something not obvious like dragan suggested. Anything more isn't worth it.

The admin path isn't listed anywhere, and is not indexed by search engines (nothing tells them where it is), so the only way to guess it is just that, to guess it. It's extremely unlikely someone would try that unless you're making a site for the government or a huge brand like coca-cola.

Also worth mentioning is that if you fail a login 3x, the admin will make you wait 5 seconds before the next attempt. Fail again and it's 10, again and it's 15... Brute-forcing with that protection would take forever.

I've mentioned this in various posts in the past about security. I've NEVER heard of a single PW site being hacked.

  • Like 7
Link to comment
Share on other sites

If you and your site editors have fixed IP addresses you could use mod_rewrite to redirect away from the Admin page based on IP address.

In .htaccess, after RewriteEngine On

# Define allowed IP addresses
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111
RewriteCond %{REMOTE_ADDR} !^222\.222\.222\.222
# Adjust to suit the name of your Admin page
RewriteCond %{REQUEST_URI} ^/processwire/
# Redirect to home page. Use 302 redirect until finished testing.
RewriteRule ^ / [L,R=301]

 

  • Like 4
Link to comment
Share on other sites

  • 2 weeks later...

Thanks for all the helpful information. I am making the site for a local government agency so I will probably use a couple of these suggestions in tandem. Also, all potential editors will have a fixed IP address so the .htaccess solution might be the simplest. 

Link to comment
Share on other sites

On 22.11.2017 at 10:45 PM, msavard said:

but allowing other users to see the admin login screen seems to just beg people to try and guess the name/password

processwire already makes it very hard for attackers to just guess username+password. and you can even adjust those settings:

5a266c00b66f9_2017-12-0510_48_48-ModulesProcessWirebaumrock_com.thumb.png.acf0c57ac3bc4be1d312f279ada40609.png

  • Like 4
  • Thanks 1
Link to comment
Share on other sites

For fun, you could also create a wp-login.php file in your PW root directory so that hackbots get confused (or redirected away, or just show a blank page).

Here's an example of some random website that implements this technique:
http://processwire.com/wp-login.php:)

If you've ever looked at a website's access log files, you'll see that that URL is hit all the time.  Easy way to prevent a bunch of 404s.

  • Like 3
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...