The lack of an admin password is slightly concerning, so to get round this I have used .htaccess to password protect the admin directory.
To do this, create a .htaccess file in the admin folder containing
AuthName "Restricted"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
And then create a .htpasswd file outside your document root containing
username:encryptedpassword
You will need to encrypt the password. To do this you can use a tool like .htpasswd creator.
Chris
Thanks for the tips and pointer to the online tool, Chris. I am planning to create a section on password protection of the admin area within the additional setup steps; however, Apache htpasswd protection is notoriously difficult to set up because of file permissions, paths etc. (AFAIK you cannot use a relative path to your password file, which makes things more complicated for novice users).
searley:
At present, there is no mechanism to invoke any action by the automation scripts via HTTP, so there is no security risk in having the scripts directory public. The script will simply display the command line help message.
I normally use:
AuthUserFile .htpasswd
and have the passwd file within the protected directory; then paths are not a problem.
Great stuff - I'll test that out; then I can update the distribution to contain htaccess.txt and htpasswd.txt within the admin directory, with instructions to rename them to .htaccess and .htpasswd, which will give a default username / password for the admin area.
Hmmm, can't seem to get AuthUserFile to work without an absolute path. The docs imply that if the filename does not begin with / then it is taken as relative to the server root, which on my configuration is /etc/httpd.
I did try using admin/.htpasswd in case the virtual server config would override ServerRoot for this purpose, but it doesn't seem to. Are you using any other directives that may override this?
Have you tried
AuthUserFile /.htpasswd
The next thing, failing that, is just to have a simple PHP login that sets a session variable to say the user/pass is correct, then a simple if statement. On top of that, what I would like to see is the ability to rename the admin directory to something other than 'admin'.
I must agree that having a script without proper admin security is very bad.
The easiest way of getting around this, though, that I have found is simply renaming the admin folder to something different.
So e.g. rename folder admin to 3839393033983
Use robots.txt to stop any bots going into the admin folder and it's sorted, or hopefully anyway.
Proper admin security really should be the first update to be done.
****
Just in case someone doesn't know what a robots.txt file should be:
User-agent: *
Disallow: /YOURADMINFOLDER/
Replace YOURADMINFOLDER with the directory you have decided to call your admin folder.
Put the robots.txt file in your root directory; for most this is HOST/YOURFOLDER/robots.txt
****
Sorry for the idiot's guide, but it's always frustrating when someone posts as if everyone knows everything.
I usually use server password protection, though on one installation I've made a hack to password protect via PHP / MySQL.
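The .htaccess / .htpasswd recipe and the robots.txt snippet from the posts above, put together as one POSIX sh script. This is an added example, not code from the thread or from the distribution being discussed. It assumes a document root of /var/www/html with the admin folder inside it, a password file kept outside the document root (e.g. /var/www/.htpasswd), and that openssl is installed for generating the Apache MD5 (apr1) hash; on a box with the htpasswd(1) tool you would use that instead. It also enforces the point raised above: a relative AuthUserFile is resolved against ServerRoot (e.g. /etc/httpd), not the protected directory, so the script refuses anything that is not an absolute path.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed layout:
#   DOCROOT=/var/www/html, admin folder at $DOCROOT/<admin>,
#   password file at /var/www/.htpasswd (outside the document root).

# make_htaccess ABSOLUTE_PASSWD_PATH -> prints the .htaccess contents.
# Refuses relative paths: Apache resolves a relative AuthUserFile against
# ServerRoot, which is why "AuthUserFile .htpasswd" does not work.
make_htaccess() {
  case "$1" in
    /*) ;;
    *) echo "AuthUserFile must be an absolute path, got: $1" >&2; return 1 ;;
  esac
  printf 'AuthName "Restricted"\nAuthType Basic\nAuthUserFile %s\nRequire valid-user\n' "$1"
}

# htpasswd_line USER PASSWORD -> prints "user:hash" in the $apr1$ format that
# mod_authn_file accepts on every platform (openssl is assumed installed).
htpasswd_line() {
  user=$1; pass=$2
  case "$user" in
    *:*) echo "username may not contain ':'" >&2; return 1 ;;
  esac
  printf '%s:%s\n' "$user" "$(printf '%s' "$pass" | openssl passwd -apr1 -stdin)"
}

# robots_txt ADMIN_DIR_NAME -> prints a robots.txt keeping well-behaved crawlers
# out of the admin folder. Caveat: this hides the path from bots that honour it;
# it is not access control, so it complements the .htaccess rather than replacing it.
robots_txt() {
  printf 'User-agent: *\nDisallow: /%s/\n' "$1"
}

# install_protection DOCROOT ADMIN_DIR PASSWD_FILE USER PASSWORD
# Writes the password file (outside the docroot), the .htaccess in the admin
# folder and the robots.txt in the docroot.
install_protection() {
  docroot=$1; admin=$2; passwd_file=$3; user=$4; pass=$5
  htpasswd_line "$user" "$pass" > "$passwd_file"
  # Readable by the web server's group only; assumes the file's group is the
  # httpd group (e.g. chgrp apache "$passwd_file").
  chmod 640 "$passwd_file"
  make_htaccess "$passwd_file" > "$docroot/$admin/.htaccess"
  robots_txt "$admin" > "$docroot/robots.txt"
}

# Usage: sh protect_admin.sh /var/www/html admin /var/www/.htpasswd alice 's3cret'
if [ "$#" -eq 5 ]; then
  install_protection "$@"
fi
```

Run it as root (or the owner of the web tree) with the five arguments shown in the usage comment, then request /admin/ in a browser: Apache should prompt for the credentials before serving anything from the folder. If it does not, check that AllowOverride for the directory permits AuthConfig; without that Apache silently ignores the .htaccess.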
Just a note for new users who may have discovered this thread - on many hosting systems you can password protect a specified directory quickly and easily through your control panel - for example Plesk or cPanel (whichever your host offers)...
I can password protect the admin directory, but other files on my site call files in the admin directory. When this happens it asks for a password. You can click cancel and the page will load. How do I stop this happening without having to move files to another directory?
Hi Adrian,
I would recommend removing the need for other files on your sites to call files in the admin directory. In this instance, copying them to another location would be the best option.
Cheers,
David.
On the 'security' theme, I am not sure if it was mentioned in the instructions, but I would also suggest removing setup.php and database.sql from the root folder after setup is done.
Also, can someone confirm if we should password protect the 'scripts' folder?