osCommerce

Secure Admin Area.


Guest

Posted

Can anyone please give me a simple solution to secure the admin area in plain English? I have been trying for days now and cannot get any of the secure admin contributions to work. I have tried .htaccess and I have tried third party applications. None of them are working. Surely people are not leaving their admin areas open for the public. There has got to be a simple way to do this. What are you doing to secure this area from the public?

 

Anyone know of a URL for a good tutorial to fix this problem?

 

Server Setup:
Linux
Apache
MySQL

Posted

How exactly do you want to secure your admin area..

As far as I know.. anyone can access my admin login page provided they can find which directory it's located in.. but they would have to know an administrative password in order to access it..

As far as I know.. there are three ways you can secure it ..

.htaccess .. you can set up some form of basic html authentication that will ask for a username and password before they can even see the login page itself..

admin directory location .. some cryptic directory name for your admin folder like /Xj2ZZ34L/ or whatever..

firewall setting .. where only someone from a specific IP (or DNS maybe using Reverse DNS Lookup?) can access the folder..

Any other ways?

Of course I'm sure you already have an admin password set up in your database and SSL set up to secure communications between your browser and the server..

Posted

I would like to use the .htaccess. It is the easiest I think. But every time I put 1 or 2 lines of code it screws everything up. Right now you could just browse to the admin/index page on my site and get in. Right now I am even thinking about just renaming the admin directory to something crazy like a83k393k49dk38. That would make it hard enough for someone to find the admin index page and would provide enough security I guess. But if I rename the directory it screws everything else. I have gone to the config file to rename the new path for the admin directory but it still doesn't work. It just seems so strange that there is not a simple fix.

Posted

I just found out my problem with renaming the directory. There are two lines of code that reference the /admin directory. I was only changing the one. I have now got the admin directory changed to some crazy number and letter combination.

 

But additionally I would like to add the .htaccess password protection.

 

This is my .htaccess file code

AuthUserFile /home/content/p/a/t/path/to/directory/hidden/.htpasswd
AuthGroupFile /dev/null
AuthName Restricted Access
AuthType Basic

<Limit GET>
require user myusernameishere
</Limit>

This is my htpasswd file

myusernameishere:myencryptedcodeishere

I placed it here /home/content/p/a/t/path/to/directory/hidden/.htpasswd

I have loaded the .htaccess into the protected directory.

Then I loaded a html file into that directory. When I browse to the directory I get this error message

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

 

//I have no access to the server logs
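
An added example, not part of the original post or of osCommerce: a small Python check to run over an .htaccess file before upload, useful when the server error log is out of reach. It flags two things in the file posted above: Apache's `AuthName` takes a single argument, so an unquoted two-word realm is a syntax error that the server answers with a 500, and a `Require` placed inside `<Limit GET>` applies only to the listed methods. The function name `lint_htaccess` and the `FIXED` variant are assumptions of this example.

```python
import shlex

# Auth directives that Apache defines as taking exactly one argument.
ONE_ARG = {"authname", "authtype", "authuserfile", "authgroupfile"}

# Sample input: the .htaccess as posted in the thread.
POSTED = """\
AuthUserFile /home/content/p/a/t/path/to/directory/hidden/.htpasswd
AuthGroupFile /dev/null
AuthName Restricted Access
AuthType Basic
<Limit GET>
require user myusernameishere
</Limit>
"""

# Constructed corrected variant (assumption of this example): realm quoted,
# Require outside <Limit> so it covers every method; no group file needed.
FIXED = """\
AuthUserFile /home/content/p/a/t/path/to/directory/hidden/.htpasswd
AuthName "Restricted Access"
AuthType Basic
Require user myusernameishere
"""

def lint_htaccess(text):
    """Return (line_number, message) findings for an .htaccess body."""
    findings, limit = [], None  # limit: methods of the open <Limit>, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if line.lower().startswith("</limit"):
                limit = None
            continue
        if line.startswith("<"):
            words = line.strip("<>").split()
            if words and words[0].lower() == "limit":
                limit = words[1:]
            continue
        args = shlex.split(line)  # honours "quoted values" like Apache does
        name = args[0].lower()
        if name in ONE_ARG and len(args) != 2:
            findings.append((no, f"{args[0]} takes one argument, got {len(args) - 1}"))
        if name == "require" and limit is not None:
            findings.append((no, f"Require only applies to {' '.join(limit)}"))
    return findings
```

Run over `POSTED`, it reports line 3 (the unquoted realm) and line 6 (the method-limited `Require`); `FIXED` comes back clean.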

Posted

Are you using a webhost provider like godaddy or something.. that provides you with tools.. I know my host provides a tool that will allow protecting directories.. you could rename your directory to whatever.. and if your host does provide a similar tool.. use that through their hosting interface to protect your admin area with a login/pass .. I'm sure that is the easiest method..

Archived

This topic is now archived and is closed to further replies.