FireDaemon

Protecting /processwire administrative login

Hi all,

Apologies if this has been asked in the past. We have a test site set up and running on HTTPS with redirect from HTTP. The site is protected from DDoS and arbitrary malicious attack by CloudFlare. From what I can see the administrative login page is still vulnerable to dictionary attacks. Clearly disabling the admin account and the use of strong passwords are two methods to minimise the success of such attacks. Questions:

1. Is it possible to rename the /processwire URL?

2. Is there any two factor support out there? I've checked out Duo and Okta, however PW is not supported?

3. Is there any way to add CAPTCHA or second factor security questions to the login process?

4. Is there any form of anti-hammer available? For example, repeated failed login attempts from the same source are blocked for a period of time after a finite number of failures?

Any other suggestions gratefully appreciated.

Welcome to the forum @FireDaemon

Did you read this page? https://processwire.com/docs/security/admin/

  1. Yes. In fact, during install process you are asked if you want to rename it. But you can do it later also.
  2. You could try this module.
  3. Yes
  4. That's already in core: see https://processwire.com/docs/security/admin/#preventing-dictionary-attacks

In a test environment, you can further add stuff like .htaccess allow/deny rules, i.e. only allow access from certain IPs.


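As an added illustration of the .htaccess allow/deny suggestion in the reply above (example configuration, not from the ProcessWire docs or the poster), an Apache mod_rewrite block that answers 403 for the admin area unless the request comes from an allow-listed address. The admin path /processwire/ (the default, which the install lets you rename) and the source addresses are assumptions; because the site in the question sits behind Cloudflare, REMOTE_ADDR at the origin is Cloudflare's edge address, so the real visitor address has to be restored first or the rule will test the wrong value.

```apache
# Added example: restrict the ProcessWire admin URL to an office/VPN allow-list.
# Place this before ProcessWire's own rewrite rules in .htaccess so it is
# evaluated before requests are routed to index.php. Assumptions: the admin URL
# is still the default /processwire/, and 203.0.113.0/24 plus 198.51.100.7 are
# the trusted sources (documentation ranges, constructed for this example).
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Only act on the admin area: /processwire and anything beneath it.
    RewriteCond %{REQUEST_URI} ^/processwire(/|$) [NC]

    # Conditions are ANDed: the rule fires only when the client address
    # matches NEITHER allow-listed pattern.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.[0-9]{1,3}$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.7$

    # Everyone else gets 403 Forbidden and rule processing stops here.
    RewriteRule ^ - [F,L]
</IfModule>

# Behind Cloudflare, REMOTE_ADDR is the edge's address, not the visitor's.
# mod_remoteip rewrites REMOTE_ADDR from the CF-Connecting-IP header before
# the rule above runs. These directives are server/vhost context (not valid
# in .htaccess), and the header should only be trusted when the origin
# accepts connections from Cloudflare's address ranges alone; otherwise a
# client reaching the origin directly could supply any value in it.
<IfModule mod_remoteip.c>
    RemoteIPHeader CF-Connecting-IP
    # RemoteIPTrustedProxy <Cloudflare-ranges-placeholder>   # use the published list
</IfModule>
```

Check the result from an address outside the list: the admin URL should return 403 while the public site still renders, and the rest of the site is unaffected because the first RewriteCond limits the rule to the admin path.
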
Hey Dragan. I had missed reading the "Securing Your Admin" in the security section. Sorry for that. Otherwise - great and thanks for the links.
