  1. #1
    New Coder (Join Date: May 2009; Location: Pennsylvania, United States; Posts: 54)

    Best admin panel security for CMS?

    I'm currently making a check list of ALL possible security checks I can use for writing my own custom CMS. As far as the control panel/admin panel goes, I've been speculating the following to provide the best security I can (bear in mind, a 100% secure system is a virtual impossibility.)

    Here's what I thought of thus far:
    1. .htpasswd (outside of /public_html)
    2. Block access to any files starting with .ht via htaccess
    3. Database based login
    4. Password protect the admin directory
    5. "Sanitize" any user input, run checks, etc.
    6. General consideration, place any config files outside of /public_html/, no sensitive data in .inc.php files
    7. Record errors/warnings


    What do you think?
    Last edited by johnnnn; 08-09-2010 at 02:31 PM.

  • #2
    Fou-Lu, God Emperor (Join Date: Sep 2002; Location: Saskatoon, Saskatchewan; Posts: 16,994)
    Looks pretty good to me.
    The two on there that most people 'forget' about are the recording of errors (specifically auditing ones like failing to log in), and the moving of anything unpublished outside of the public_html (or whatever your published directory is).
    One thing to note, I don't think .htaccess would have any effect outside of a published directory though. This shouldn't really be a problem, Apache itself has a directive to deny reading on .ht* files, and I believe it is configured by default.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)


  • #3
    New Coder (Join Date: May 2009; Location: Pennsylvania, United States; Posts: 54)

    Quote Originally Posted by Fou-Lu:
    Looks pretty good to me.
    The two on there that most people 'forget' about are the recording of errors (specifically auditing ones like failing to log in), and the moving of anything unpublished outside of the public_html (or whatever your published directory is).
    One thing to note, I don't think .htaccess would have any effect outside of a published directory though. This shouldn't really be a problem, Apache itself has a directive to deny reading on .ht* files, and I believe it is configured by default.
    Yeah, that just came to mind about the .htaccess not working outside of the root directory. I could simply just place the .htaccess in the /admin folder since Apache can deny reading files that begin with .ht. Thanks for the advice! Much appreciated.

  • #4
    sitNsmile, Regular Coder (Join Date: Dec 2009; Location: Charlotte, NC; Posts: 358)
    I have built 2 types of CMS admins before. My first one was a user/pass where you would have 3 tries until it blocks your IP.

    The 2nd is what I currently use, where you have to enter a passcode (of course using the random md5). After that, it also needs to be accepted by the main IP (the IP address acts as your user; new IP, you have to re-log in), so it won't allow anyone to actually attempt a login, because it has to be approved by an existing IP. I built that on my iPhone as well, so if my boss is out of town, he can text me to approve his new IP, etc. Works out pretty well so far.

    (before the cms, we would just lock the directory to only our office ip, but that restricts too much)
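Post #2 recommends recording failed logins and post #4 describes "3 tries until it blocks your ip"; the block below is an added example that combines the two, written by the editor rather than by any poster, in Python because the logic carries over unchanged to a PHP CMS. It assumes a salted PBKDF2 hash for stored passwords, a 15-minute lockout window, an in-memory user table and an audit log kept as a list of lines; MAX_FAILURES, the log format and the "admin" account are constructed for illustration.

```python
# Added example (not code from the thread): database-style login check with
# an audit line per attempt and a per-IP lockout after MAX_FAILURES failures.
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_FAILURES = 3                 # post #4's rule: three tries, then block the IP
LOCKOUT = timedelta(minutes=15)  # assumed lockout window
ITERATIONS = 100_000             # PBKDF2 work factor (assumed)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store a bare hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class AdminLogin:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], audit: List[str]):
        self.users = users      # username -> (salt, stored hash), stands in for the DB
        self.audit = audit      # append-only lines, stands in for the log file
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, datetime] = {}

    def attempt(self, user: str, password: str, ip: str, now: datetime) -> bool:
        stamp = f"{now:%Y-%m-%d %H:%M:%S}"
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            # Refuse without checking the password: a locked IP gets no oracle
            self.audit.append(f"{stamp} LOCKED ip={ip} user={user}")
            return False
        # Hash even for an unknown username so the cost is the same as for a
        # wrong password, and compare the digests in constant time.
        salt, stored = self.users.get(user, (b"\x00" * 16, b"\x00" * 32))
        ok = user in self.users and hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.failures.pop(ip, None)
            self.locked_until.pop(ip, None)
            self.audit.append(f"{stamp} OK ip={ip} user={user}")
            return True
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        self.audit.append(f"{stamp} FAIL ip={ip} user={user} count={count}")
        if count >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            self.audit.append(f"{stamp} LOCKOUT ip={ip} until={now + LOCKOUT:%H:%M:%S}")
        return False

def make_user_table() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample table with one admin account."""
    salt = os.urandom(16)
    return {"admin": (salt, hash_password("correct horse", salt))}
```

In a real CMS the failure counters and lockout timestamps would live in the database (or a cache) rather than in process memory, so they survive restarts and are shared between PHP workers.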