
osCommerce


Admin secure but...


virose_pt


Posted

Hi.

 

I secured my Admin with .htaccess and .htpasswd and everything works great, but I read in this forum that everyone should rename the Admin folder, for security reasons.

 

1 - Do you think that that is really necessary? (If I see an osc site I know how to get to the Admin area, but I can't go further if it is password protected)

 

2 - If it is really necessary, what is the file(s) that I need to change to redirect the admin to its new location (I guess it is catalog/config.php, but I'm not sure...)

 

Some words of advice will be much appreciated ;)

Posted

You would need to make the changes in the config files for both admin/catalog, and yes, it's just another security measure that helps.

 

You could rename it something like "hju67fj34"; it just makes it that bit harder to find.

Posted

Hello there, I am wanting to change my admin folder as well to better protect my store. However, you mentioned above that you can do this in the config files for both catalog and admin. I see the config file in admin but not one in catalog. And on that same note, where exactly in the file am I making the changes? Sorry to be such a dunce.

 

Autumn

Posted

You would not need to edit the catalog config file. Just the admin config file as it is the only one that references the admin folder.

 

To change the admin folder name just change all references to "admin" to whatever you rename it to. If you move the folder as well, then you will need to update the file path as well.

 

For example, if you renamed the admin folder to xyza

  define('DIR_WS_ADMIN', '/admin/');

would become

  define('DIR_WS_ADMIN', '/xyza/');

 

And just so you know, the configure files are located in the includes folder:

 

catalog/includes/configure.php
catalog/admin/includes/configure.php

 

 

HTH

Mike

Posted

1 - Do you think that that is really necessary? (If I see an osc site I know how to get to the Admin area, but I can't go further if it is password protected)

 

I guess you've never been viewing log entries while a Password Cracker programme is running and trying to break into a website - otherwise you wouldn't need to ask that question. Trust me on this, even the most basic Password Cracker will run tens of thousands of permutations in under a minute - so 'Yes' you do need to rename the admin folder to something unique (not admin2 or shopadmin - that would be making it all too easy!).

 

Vger

Posted

There's no way on earth any password cracker would be able to guess a properly constructed password of 10 digits or more (i.e. containing a mixture of upper/lowercase letters and numbers) by a brute force approach.

 

However, if you don't rename the folder and someone decides to start snooping around, and they find the "admin" folder, it might give them an incentive to have a go, and hammer your site, probably bringing it down in the process...

Posted

I guess you've never been viewing log entries while a Password Cracker programme is running and trying to break into a website - otherwise you wouldn't need to ask that question. Trust me on this, even the most basic Password Cracker will run tens of thousands of permutations in under a minute - so 'Yes' you do need to rename the admin folder to something unique (not admin2 or shopadmin - that would be making it all too easy!).

 

Vger

 

 

Are you saying that a cracker only starts to act IF he knows the name of the admin folder? If he doesn't know the name of the admin folder there's no way he can do anything? Is that it?

 

Thanx for your reply

 

PS: My .htpasswd file is in the root folder of the site (www.mysite.com/.htpasswd). Do you see any problems with this?

Posted

There's no way on earth any password cracker would be able to guess a properly constructed password of 10 digits or more (i.e. containing a mixture of upper/lowercase letters and numbers) by a brute force approach.

 

Agreed that it would be very difficult indeed, but not that many people do construct a password of such length and complexity. Most users will choose something that they can themselves remember. How many posts have we seen here after people have forgotten their own (easy to remember) password? :D

 

Are you saying that a cracker only starts to act IF he knows the name of the admin folder?

 

You're personalising this. A password cracker is a programme. Admittedly the vast majority of people who use such programmes will be young, male, and teenagers - but the cracker programme needs a target to try and crack. If the 'would-be' hacker can find a target then he'll set the programme running, or else it will automatically start running if it manages to locate a password protected area. Why make it easy for them?

 

Vger

Posted

And what about PhpMyAdmin? I have it in mysite.com/phpmyadmin/ and I guess that I can't change its location or name, otherwise I could mess everything up. I protected it with .htaccess and .htpassword...

Posted

phpMyAdmin should have been protected anyway. On a shared server this would have been done automatically. No one, yourself included, should be able to access that area without a User Name and Password.

 

Do you have your own dedicated server? There are some cheap dedicated server packages available these days - but you shouldn't be using one unless you have a wealth of experience and know how to lock it down securely.

 

Vger

Posted

I like renaming my admin folder - it helps me recognize when some bozo tries to find it and break into it. I see this several times a month. If they can't even find the password prompt, you make it significantly harder for them and they'll just go away.

 

Tip: be sure to password protect any "webstats" you have, as leaving those open makes it easy to find the location. I also get several attempts a month at finding where my stats are. (My logs are inaccessible through http.)
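The log check the post above alludes to, as an added example that is not code from the thread or from osCommerce: it scans Apache "combined" access-log lines for guesses at common admin folder names (404s) and for repeated failed Basic-auth attempts on the renamed, .htpasswd-protected folder (401s). It assumes the 'xyza' folder name from Mike's earlier post; the guess list, threshold and log lines are constructed.

```python
# Added example (not from the thread): flag clients probing for an osCommerce admin
# folder. Two signals from the posts above: 404s on well-known admin names, and
# repeated 401s on the renamed, .htpasswd-protected folder. ADMIN_PATH uses the
# thread's 'xyza' example; PROBE_PATHS, THRESHOLD and SAMPLE_LOG are constructed.
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ADMIN_PATH = "/xyza/"                                    # renamed admin folder
PROBE_PATHS = ("/admin/", "/admin2/", "/shopadmin/")     # assumed guess list
THRESHOLD = 2                                            # assumed: flag at this many hits

def parse_line(line):
    """Return (ip, path, status) or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["path"].lower(), int(m["status"])

def classify(path, status):
    """'probe' for a guessed admin name that does not exist, 'auth_fail' for a
    rejected login on the real (protected) admin folder, else None."""
    if status == 404 and path.startswith(PROBE_PATHS):
        return "probe"
    if status == 401 and path.startswith(ADMIN_PATH):
        return "auth_fail"
    return None

def suspicious_clients(lines, threshold=THRESHOLD):
    """Map client IP -> {event kind: count} for clients at or above threshold."""
    events = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        kind = classify(path, status)
        if kind:
            events[ip][kind] += 1
    return {ip: dict(c) for ip, c in events.items() if sum(c.values()) >= threshold}

SAMPLE_LOG = [  # constructed sample lines (RFC 5737 test addresses)
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /shopadmin/ HTTP/1.1" 404 209 "-" "curl/7.0"',
    '198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /xyza/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:01:03 +0000] "GET /xyza/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:01:09 +0000] "GET /xyza/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:14:05:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]
```

Running `suspicious_clients(SAMPLE_LOG)` on the constructed lines flags the name-guessing client and the client with repeated 401s, while the successful login and the ordinary catalog hit are not counted.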

Archived

This topic is now archived and is closed to further replies.
