Protecting /processwire administrative login


FireDaemon

Hi all,

Apologies if this has been asked in the past. We have a test site set up and running on HTTPS with a redirect from HTTP. The site is protected from DDoS and arbitrary malicious attack by CloudFlare. From what I can see, the administrative login page is still vulnerable to dictionary attacks. Clearly disabling the admin account and the use of strong passwords are two methods to minimise the success of such attacks. Questions:

1. Is it possible to rename the /processwire URL?

2. Is there any two-factor support out there? I've checked out Duo and Okta; however, PW is not supported?

3. Is there any way to add CAPTCHA or second factor security questions to the login process?

4. Is there any form of anti-hammer available? For example, repeated failed login attempts from the same source are blocked for a period of time after a finite number of failures?

Any other suggestions gratefully appreciated.


Welcome to the forum @FireDaemon

Did you read this page? https://processwire.com/docs/security/admin/

  1. Yes. In fact, during the install process you are asked if you want to rename it. But you can do it later also.
  2. You could try this module.
  3. Yes
  4. That's already in core: see https://processwire.com/docs/security/admin/#preventing-dictionary-attacks

In a test environment, you can further add stuff like .htaccess allow/deny rules, i.e. only allow access from certain IPs.

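The .htaccess IP restriction suggested in the reply above, as an added example that is not part of the original posts or of ProcessWire's shipped .htaccess. It assumes Apache with mod_rewrite, the default admin URL /processwire/ at the site root, and a constructed placeholder address (203.0.113.10, documentation range). Because the site in the question sits behind CloudFlare, the origin sees CloudFlare's address as the peer, so the rule checks the CF-Connecting-IP request header rather than REMOTE_ADDR.

```apache
# Added example: restrict the admin login path to an allow-listed client IP.
# Assumptions: admin URL is /processwire/ (adjust if renamed or if the site
# lives in a subdirectory); 203.0.113.10 is a placeholder address.
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Only act on requests for the admin path.
  RewriteCond %{REQUEST_URI} ^/processwire(/|$) [NC]

  # Behind CloudFlare the real client address arrives in CF-Connecting-IP.
  # Add further addresses with alternation, e.g. ^(203\.0\.113\.10|198\.51\.100\.7)$
  RewriteCond %{HTTP:CF-Connecting-IP} !^203\.0\.113\.10$

  # Anything else asking for the admin path gets 403 Forbidden.
  RewriteRule ^ - [F]
</IfModule>

# Without a proxy in front of the origin, match the peer address instead:
#   RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
```

Place the block above the existing rewrite rules in the site's .htaccess so it is evaluated before requests are routed to index.php. The header check is only meaningful if the origin accepts connections exclusively from CloudFlare; a client that can reach the origin directly can set CF-Connecting-IP itself.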
