FireDaemon

Protecting /processwire administrative login


Hi all,

Apologies if this has been asked in the past. We have a test site set up and running on HTTPS with redirect from HTTP. The site is protected from DDoS and arbitrary malicious attack by CloudFlare. From what I can see, the administrative login page is still vulnerable to dictionary attacks. Clearly disabling the admin account and the use of strong passwords are two methods to minimise the success of such attacks. Questions:

1. Is it possible to rename the /processwire URL?

2. Is there any two factor support out there? I've checked out Duo and Okta, however PW is not supported?

3. Is there any way to add CAPTCHA or second factor security questions to the login process?

4. Is there any form of anti-hammer available? For example, repeated failed login attempts from the same source are blocked for a period of time after a finite number of failures?

Any other suggestions gratefully appreciated.

Welcome to the forum @FireDaemon

Did you read this page? https://processwire.com/docs/security/admin/

  1. Yes. In fact, during the install process you are asked if you want to rename it. But you can do it later also.
  2. You could try this module.
  3. Yes
  4. That's already in core: see https://processwire.com/docs/security/admin/#preventing-dictionary-attacks

In a test environment, you can further add stuff like .htaccess allow/deny rules, i.e. only allow access from certain IPs.

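As an added example (not code from this thread or from the ProcessWire project), here is one way to express the IP allow-list Dragan mentions in ProcessWire's .htaccess using mod_rewrite, so that it also works when the admin page has been renamed; the admin path /processwire/ and the addresses 203.0.113.10 and 198.51.100.0/24 are assumed placeholders.

```apache
# Added example: restrict the ProcessWire admin URL to an allow-list of IPs.
# Place these lines near the top of ProcessWire's .htaccess, after
# "RewriteEngine On" and before the core ProcessWire rewrite rules.
# Assumptions (placeholders): the admin page lives at /processwire/
# (change the pattern if you renamed it), and 203.0.113.10 plus the
# 198.51.100.0/24 range are the addresses allowed to reach it.

RewriteEngine On

# Match the admin page and everything under it (e.g. /processwire/login/).
RewriteCond %{REQUEST_URI} ^/processwire(/|$) [NC]
# The conditions below are ANDed: the request is blocked only if the
# client address matches none of the allowed entries.
# Allow a single trusted IPv4 address ...
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# ... and a trusted /24 range (198.51.100.0 - 198.51.100.255).
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]+$
# Any other client hitting the admin URL receives 403 Forbidden.
RewriteRule ^ - [F,L]
```

Behind Cloudflare, REMOTE_ADDR is the address of Cloudflare's edge rather than the visitor's, so these rules would block everyone (or no one) unless the real client address is restored first, for example with mod_remoteip configured to trust Cloudflare's proxy ranges and read CF-Connecting-IP. Test the rules from a non-allowed address before relying on them, and keep the core dictionary-attack throttling enabled as a second layer.
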
Hey Dragan. I had missed reading the "Securing Your Admin" in the security section. Sorry for that. Otherwise - great and thanks for the links.
