
How to hide the admin (backend) login from bots and most people



Posted

Has anyone implemented a simple method of hiding the login to PW from Google bot and the average person clicking about a site?

I want to allow clients to log in but I assume from a security POV it's better to not have a link to, say, /processwire/ in the footer as doing so publishes to anyone what is underneath.

I know I can (and do) change the URL from /processwire/ to /something-else/ which helps, but I just wondered if anyone had implemented something better or if in almost all cases this [change of URL] is probably perfectly adequate?

Posted

You could apply a NOINDEX and NOARCHIVE to the page to tell search engines not to spider or store the page. If you definitely (good advice above) want a link you could only show them if a user has a certain IP address, but this won't work with dynamic IPs.

Posted

The PW admin pages all have

<meta name="robots" content="noindex, nofollow" />

in the head section. Though no guarantees most search engines respect this.

Changing the admin url is basically security through obscurity, but it's fine to do.

Of course, if you then link to it on the public facing website you are making it 'public'. So maybe just tell clients to log in at mysite/mysecretadmin

Posted
Who said you have to include the admin link in your footer? *confused*

Yes true I certainly don't need to do that, I'd just assumed the best way to let my editors edit their sites was to give them a link on the site itself. But of course I don't need to (stupid me) I can just give them alone the URL by email. Thanks Soma for pointing out

to me ;)

Thanks arjen and SiNNuT for the points and info, good to know that as usual PW has great sense and care and so uses these search engine bot rejections in the head.

I will get rid of the login link :D

Posted

Thanks @thistimj I'll check that out, though I think with the other stuff it looks like my fears are dealt with.

Posted

In the PW admin you can simply change the URL of the admin page itself to be something completely different. Just remember you'll need to remember what you changed it to in order to type that URL in the address bar and log in again afterwards!

Posted

I'm not really a fan of robots.txt for keeping bots out of URLs I'd like to keep confidential. Why? Because if someone wants to know where they can find the "interesting" URLs, they just have to take a look at your robots.txt. The meta noindex,nofollow at least doesn't broadcast the location of the page. So far my experience is that search engines that honor robots.txt also honor the noindex,nofollow meta tag.
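
An added example, not part of the original posts and not ProcessWire's own code: a Python check that a site's robots.txt does not name the renamed admin URL and that the login page carries the noindex, nofollow meta tag quoted earlier in the thread. The admin path `/mysecretadmin/`, the robots.txt and the HTML are constructed samples.

```python
from html.parser import HTMLParser

# Constructed sample inputs; "/mysecretadmin/" is a hypothetical renamed admin URL.
ADMIN_PATH = "/mysecretadmin/"
ROBOTS_TXT = """\
User-agent: *
Disallow: /site/assets/cache/
Disallow: /mysecretadmin/   # keep bots out of the login
"""
ADMIN_HTML = """\
<html><head><title>Login</title>
<meta name="robots" content="noindex, nofollow" />
</head><body></body></html>
"""

class RobotsMeta(HTMLParser):
    """Collects the directives of every <meta name="robots"> tag."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            content = a.get("content") or ""
            self.directives |= {d.strip().lower() for d in content.split(",") if d.strip()}

def robots_txt_leaks(robots_txt, admin_path):
    """Return the Allow/Disallow rules that name the admin URL or a path below it."""
    admin = admin_path.rstrip("/").lower()
    leaks = []
    for raw in robots_txt.splitlines():
        rule = raw.split("#", 1)[0].strip()          # drop comments
        field, _, value = rule.partition(":")
        path = value.strip().rstrip("*$").rstrip("/").lower()
        if field.strip().lower() in ("allow", "disallow") and (
                path == admin or path.startswith(admin + "/")):
            leaks.append(rule)
    return leaks

def audit(robots_txt, admin_html, admin_path):
    """List findings; an empty list means nothing advertises the admin URL."""
    findings = [f"robots.txt discloses admin path: {r}" for r in robots_txt_leaks(robots_txt, admin_path)]
    meta = RobotsMeta()
    meta.feed(admin_html)
    for needed in ("noindex", "nofollow"):
        if needed not in meta.directives:
            findings.append(f"admin page lacks robots meta directive: {needed}")
    return findings
```

Calling `audit(ROBOTS_TXT, ADMIN_HTML, ADMIN_PATH)` on the samples reports the `Disallow` line that gives the admin URL away, while the meta tag check passes.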

Posted

Thanks Pete and Ryan, I agree with both, I routinely re-name my Admin login and that point Ryan plus just not linking to my Admin leaves me feeling 100% happy.
