howtothings.co.uk

Full Version: [MyBB] Help with securing your admin control panel - (how to)


Help secure your administrator control panel

I'm sure most of you know, the administrator control panel is where the administrators log in to change the settings and such for the forum. So if a "hacker" gets into this panel, you're screwed, to put it nicely.

You can go a lot more advanced than this, but this should do for the low-end forums to just add a little extra security.

A. Rename your admin directory.

The default directory for your admin directory is "/admin". Renaming your admin directory to something else will reduce the chances of anybody finding it, therefore less chance of being attacked or hacked.

How to do it:

1. Connect to your forum using FTP, and find the "admin" directory inside of the "public_html" folder.
2. Once located, rename it (F2) to something difficult and cryptic such as "G7rZDa".
3. Now that it's renamed, you need to update your config file so that the forum knows where it is.
4. Navigate to the "inc" directory, and find "config.php", open it in a text editor such as notepad or gedit.
5. In the config file, find:

Code:
$config['admin_dir'] = 'admin';

Where it says 'admin', rename it to whatever you called it, so ours would be:

Code:
$config['admin_dir'] = 'G7rZDa';

Save the file and re-upload if necessary.


B. Password protecting your directory

Password protecting your administrator directory is easy and adds an extra layer of protection. The easiest way is to log in to your cPanel and do it through there. Adding this feature will mean people would now need an extra username and password to even get to the login screen of the admin directory.

Here's how to do it if you're using cPanel: log in and go to Security, then 'Password Protect Directories'. Once you're in, click on the icons to open up directories until you find the admin directory. Then, click on it.

From here, set up individual usernames and passwords. Again, use something difficult, even for the users, e.g.:

Username: St3ve71
Password: P4Sw0rDD!Z


If you want to do it manually using .htaccess you can see my tutorial here:

http://mcompute.co.uk/showthread.php?tid=256
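
As an added example (not part of the post above and not MyBB's own code), here is a POSIX shell script that does steps A and B from a shell on the host instead of through FTP and cPanel: it renames the admin directory, rewrites the `$config['admin_dir']` line in inc/config.php to match, and writes an .htaccess/.htpasswd pair so Apache asks for basic auth before the admin login page is even served. The function names, the forum root layout and the sandbox built in demo mode are assumptions; the .htpasswd entry is generated with the openssl CLI's apr1 scheme (the same format `htpasswd -m` writes).

```shell
#!/bin/sh
# Added example, not code from the thread or from MyBB. Scripts the two steps
# from the post: rename the admin directory and point inc/config.php at the
# new name, then put Apache basic auth in front of it. All paths here and the
# sandbox created by demo mode are constructed assumptions.

# admin_dir_from_config FORUM_ROOT: print the admin_dir set in inc/config.php.
# "[$]" matches a literal dollar sign in the sed pattern.
admin_dir_from_config() {
  sed -n "s/^[$]config\['admin_dir'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
    "$1/inc/config.php" | head -n 1
}

# rename_admin_dir FORUM_ROOT NEW_NAME: move the directory and rewrite the config.
# NEW_NAME is restricted to [A-Za-z0-9_-] so it is safe inside the sed replacement
# and in a URL path.
rename_admin_dir() {
  root="$1"; new="$2"
  case "$new" in
    ''|*[!A-Za-z0-9_-]*) echo "new name must match [A-Za-z0-9_-]+" >&2; return 1 ;;
  esac
  old=$(admin_dir_from_config "$root")
  [ -n "$old" ] || { echo "admin_dir not found in $root/inc/config.php" >&2; return 1; }
  [ -d "$root/$old" ] || { echo "directory $root/$old does not exist" >&2; return 1; }
  [ ! -e "$root/$new" ] || { echo "$root/$new already exists" >&2; return 1; }
  cfg="$root/inc/config.php"
  # Rewrite the config into a temp file first so a failed edit leaves both
  # the directory and the config untouched.
  sed "s/^\([$]config\['admin_dir'\][[:space:]]*=[[:space:]]*'\)[^']*'/\1$new'/" "$cfg" \
    > "$cfg.tmp" || { rm -f "$cfg.tmp"; return 1; }
  mv "$root/$old" "$root/$new" && mv "$cfg.tmp" "$cfg"
}

# make_htpasswd_entry USER PASSWORD: one .htpasswd line in Apache's apr1 MD5
# scheme (what `htpasswd -m` produces); needs the openssl CLI.
make_htpasswd_entry() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# protect_dir DIR HTPASSWD_FILE ENTRY: append ENTRY to HTPASSWD_FILE (absolute
# path, ideally outside the web root, mode 600) and write DIR/.htaccess.
protect_dir() {
  dir="$1"; pwfile="$2"; entry="$3"
  [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
  case "$pwfile" in
    /*) ;;
    *) echo "AuthUserFile needs an absolute path" >&2; return 1 ;;
  esac
  ( umask 077; : >> "$pwfile" ) && chmod 600 "$pwfile"
  printf '%s\n' "$entry" >> "$pwfile"
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Administration"
AuthUserFile $pwfile
Require valid-user
EOF
}

# Demo against a constructed sandbox, not a real forum: `sh secure_admin.sh demo`.
if [ "${1:-}" = "demo" ]; then
  root=$(mktemp -d)
  mkdir -p "$root/admin" "$root/inc"
  printf "<?php\n\$config['admin_dir'] = 'admin';\n" > "$root/inc/config.php"
  rename_admin_dir "$root" G7rZDa
  entry=$(make_htpasswd_entry St3ve71 'P4Sw0rDD!Z') || exit 1
  protect_dir "$root/G7rZDa" "$root/.htpasswd" "$entry"
  echo "admin_dir is now: $(admin_dir_from_config "$root")"
  cat "$root/G7rZDa/.htaccess"
fi
```

Two things to check on the host before relying on this: the .htaccess only takes effect if the vhost has `AllowOverride AuthConfig` (or `All`) for the forum directory, and the .htpasswd file should sit outside the document root so it is never served. The test-then-move order in `rename_admin_dir` matters because a half-applied rename (directory moved, config not updated) locks every admin out of the panel.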

I don't believe you were one step ahead of me. I'd already read about this exploit and I was eager to "safely" try it out. Did you find this exploit too, or was it recommended by someone or something.
Exploit? 0.o

I just added this as a second layer of defence since I moved host and upgraded stuff. Might as well make it a little harder for you.
There apparently is an XSS exploit in 1.6.0, which means I can browse to
http://mcompute.co.uk/admin/index.php?mo...action=add
and it will let me add a forum, see what happens now you've protected the directory.

EDIT: More details here: http://inj3ct0r.com/exploits/13706
And this can be done using a normal account on the forum? As you still need to log in to the admin panel.

Like my new 404 page? I implemented it at the same time. :yay
I'm not sure, but I found some people complaining about normal users signing up to somebody's forum and kicking them out.

Btw: http://www.google.co.uk/search?sourceid=....0+Exploit 3rd link down :tongue