How to protect CRE Loaded admin area?
Like every other eCommerce solution, CRE Loaded provides a password-protected admin area to manage all aspects of the site. Any unauthorized access to the admin area can damage the site's important data, and any leakage of customers' payment details can cause further problems and damage to the site.
The CRE Loaded team has done a good job of securing this area through encrypted passwords, HTTPS access, etc. The recent 6.4.1 release includes a password-hardening task to further enhance security. Still, there is a lot you can do yourself to protect the admin area.
In this post I will list a few guidelines to enhance admin area protection, along with basic methods to apply them.
So here are the guidelines.
- Don’t use default http://mycresite.com/admin/ structure
- Use password protected directories
- Restrict access to specific IPs only
- Use secure user names and passwords
1. Don’t use default http://mycresite.com/admin/ structure
In a default installation the admin area is installed in the /admin/ folder and is accessible from the http://mycresite.com/admin/ URL. As this default location is publicly known, hackers can easily launch attempts to break in.
To avoid this, it is strongly recommended that you don't install or use the admin area in the default location. With a little effort you can change this location in one of two ways:
- Rename the admin folder: One simple way is to rename the admin folder to a different name that is not easy to guess, for example 234admin80907. You will then need to update this folder path in {new_admin_folder}/includes/configure.php, in the following configuration constants:
  - DIR_WS_HTTP_ADMIN
  - DIR_WS_HTTPS_ADMIN
  - DIR_FS_ADMIN
- Install on a different domain: The admin area is completely independent from the rest of the site, so it can be installed on a completely different domain or subdomain. This makes its location more secure and harder to guess.
To do this, move the /admin/ folder (or whatever you renamed it to) to a separate location (e.g. public_html/admin/), and point your separate domain or subdomain to this folder. Using a subdomain is easier than a completely new domain, as most hosting plans allow many subdomains under the same account.
Please use a non-guessable domain or subdomain to make it more secure.
You will need to apply these changes in includes/configure.php of this folder, changing the following configurations:
- HTTP_SERVER
- HTTPS_ADMIN_SERVER
- DIR_WS_HTTP_ADMIN
- DIR_WS_HTTPS_ADMIN
- DIR_FS_ADMIN
Note: For a subdomain you may need a higher-level SSL certificate that covers both the main domain and the subdomain (such as a wildcard certificate), so that it works on both without errors.
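As an added example (not CRE Loaded's own code or installer), here is a small POSIX shell script that carries out the rename variant on a hosting account where you have shell access: it moves the admin folder to a non-default name and rewrites the three path constants named above in the moved folder's includes/configure.php, then checks the result. The site root, the folder name 234admin80907 and the sample configure.php it builds for the demo are constructed for illustration; the define() line format is the usual osCommerce/CRE Loaded one.

```shell
#!/bin/sh
# Added example, not CRE Loaded project code. Moves the admin folder to a
# non-default name and rewrites the three path constants the post names in
# {new_admin_folder}/includes/configure.php. Assumes the constants are written
# in the usual osCommerce/CRE Loaded form, e.g.
#   define('DIR_WS_HTTP_ADMIN', '/admin/');

# rename_admin SITE_ROOT OLD_NAME NEW_NAME
# Moves SITE_ROOT/OLD_NAME to SITE_ROOT/NEW_NAME, then changes '/OLD_NAME/'
# to '/NEW_NAME/' on the DIR_WS_HTTP_ADMIN, DIR_WS_HTTPS_ADMIN and
# DIR_FS_ADMIN define() lines only; every other line is left untouched.
rename_admin() {
    site_root=$1; old=$2; new=$3
    cfg="$site_root/$new/includes/configure.php"

    # Refuse the default name, an unchanged name, and characters that would
    # break the define() lines or the sed expression below.
    case "$new" in
        ''|admin|"$old"|*[!A-Za-z0-9_-]*)
            echo "refusing admin folder name '$new'" >&2; return 1 ;;
    esac
    [ -d "$site_root/$old" ] || { echo "no such folder: $site_root/$old" >&2; return 1; }

    mv "$site_root/$old" "$site_root/$new" || return 1
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }

    tmp="$cfg.tmp"
    sed -e "/define('DIR_WS_HTTP_ADMIN'/s#/$old/#/$new/#g" \
        -e "/define('DIR_WS_HTTPS_ADMIN'/s#/$old/#/$new/#g" \
        -e "/define('DIR_FS_ADMIN'/s#/$old/#/$new/#g" \
        "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# admin_paths_ok CONFIG_FILE NEW_NAME
# Succeeds only if all three constants now contain /NEW_NAME/ and none of
# them still points at the default /admin/ path.
admin_paths_ok() {
    cfg=$1; new=$2
    for c in DIR_WS_HTTP_ADMIN DIR_WS_HTTPS_ADMIN DIR_FS_ADMIN; do
        line=$(grep "define('$c'" "$cfg") || return 1
        case "$line" in
            *"/$new/"*) ;;
            *) return 1 ;;
        esac
        case "$line" in
            *"/admin/"*) return 1 ;;
        esac
    done
    return 0
}

# make_demo_site: builds a throwaway site tree with a constructed
# configure.php (sample values, not from a real install) and prints its path.
make_demo_site() {
    root=$(mktemp -d)
    mkdir -p "$root/admin/includes"
    cat > "$root/admin/includes/configure.php" <<'EOF'
<?php
// constructed sample values
define('HTTP_SERVER', 'http://mycresite.com');
define('DIR_WS_HTTP_ADMIN', '/admin/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', '/home/mycresite/public_html/admin/');
define('DIR_WS_CATALOG', '/');
EOF
    echo "$root"
}

# Demo: rename admin -> 234admin80907 in the throwaway tree, verify, show, clean up.
demo_root=$(make_demo_site)
rename_admin "$demo_root" admin 234admin80907
if admin_paths_ok "$demo_root/234admin80907/includes/configure.php" 234admin80907; then
    echo "moved to $demo_root/234admin80907 and configure.php updated:"
    grep ADMIN "$demo_root/234admin80907/includes/configure.php"
fi
rm -rf "$demo_root"
```

admin_paths_ok is the check worth running after any manual rename as well: a folder renamed on disk while DIR_FS_ADMIN still points at the old path leaves the admin scripts including files from a directory that no longer exists. The demo at the bottom works in a temporary directory and removes it; for a real site, pass your document root and the old and new folder names.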
2. Use password protected directories
Always protect your admin folder with an additional password. Most hosting packages include a feature to password-protect directories from their control panel. This user name and password will be requested by the browser even before the CRE Loaded login page is displayed, so it is a good extra layer of protection for your admin area.
3. Restrict access to specific IPs only
You can also easily restrict access to the admin area to specific IPs only, so that it is reachable from those addresses alone. For this you will need to edit the .htaccess file under the admin/ folder (or whatever you renamed it to).
To do this, download admin/.htaccess, open it in a text editor, and put the following code in it:
Order Deny,Allow
Deny from all
Allow from 100.100.100.100 100.100.100.101
Then upload it again.
Here 100.100.100.100 and 100.100.100.101 are example IPs; replace them with your own list of IPs separated by spaces (Apache's Allow directive takes a space-separated list, not a comma-separated one). The code tells the server to block all requests unless they come from the specified IPs.
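As an added example (not code from CRE Loaded or from the author of this post), here is a POSIX shell script that writes the admin folder's .htaccess with both of the layers described in sections 2 and 3: the browser-level password prompt and the IP allow list. It assumes a hosting account with shell access and Apache with .htaccess overrides enabled; the path /home/mycresite/.htpasswd, the user name shopadmin and the IP addresses are constructed samples. The .htpasswd file itself is created separately with Apache's htpasswd tool (shown in the comment) and should live outside the web root.

```shell
#!/bin/sh
# Added example, not CRE Loaded project code. Generates the .htaccess for the
# admin folder with both layers from the post: a browser-level password
# (section 2) and an IP allow list (section 3). Path names and addresses are
# constructed samples. Create the password file separately, outside the
# web root, with Apache's own tool:
#   htpasswd -B -c /home/mycresite/.htpasswd shopadmin

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.
# A typo here (a trailing comma, a missing octet) produces an .htaccess
# that locks the real admin out, so every address is checked up front.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_admin_htaccess DIR HTPASSWD_FILE IP [IP...]
# Writes DIR/.htaccess. The allow list is space separated: Apache's
# "Allow from" takes hosts separated by whitespace, not commas.
write_admin_htaccess() {
    dir=$1; htpasswd=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one allowed IP" >&2; return 1; }
    case "$htpasswd" in
        /*) ;;
        *) echo "AuthUserFile must be an absolute path: '$htpasswd'" >&2; return 1 ;;
    esac
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IP address: '$ip'" >&2; return 1; }
    done
    {
        echo "# Layer 1: password prompt from the web server, before the CRE Loaded login page"
        echo "AuthType Basic"
        echo "AuthName \"Restricted admin area\""
        echo "AuthUserFile $htpasswd"
        echo "Require valid-user"
        echo ""
        echo "# Layer 2: only these addresses may reach the folder (Apache 2.2 syntax)"
        echo "Order Deny,Allow"
        echo "Deny from all"
        echo "Allow from $*"
        echo ""
        echo "# A request must pass both layers"
        echo "Satisfy All"
    } > "$dir/.htaccess"
}

# Demo in a throwaway directory: a good list, then the comma mistake.
demo_dir=$(mktemp -d)
write_admin_htaccess "$demo_dir" /home/mycresite/.htpasswd 100.100.100.100 100.100.100.101
cat "$demo_dir/.htaccess"
write_admin_htaccess "$demo_dir" /home/mycresite/.htpasswd "100.100.100.100," 100.100.100.101 \
    || echo "comma-separated list rejected, .htaccess left as written"
rm -rf "$demo_dir"
```

The validation matters because a token such as 100.100.100.100, is not an address Apache will ever match, so a list written that way shuts out the real administrator rather than the attacker. Satisfy All makes the two layers cumulative (a request must come from an allowed address and carry valid credentials). On Apache 2.4 without mod_access_compat, the Order/Deny/Allow lines are replaced by Require ip 100.100.100.100 100.100.100.101 placed in a <RequireAll> block together with Require valid-user.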
4. Use secure user names and passwords
Whether it is the password for the admin area or for the password-protected directory, use user names and passwords that are not easily guessable. Do not use user names like admin, administrator, etc. A good password mixes letters, numbers and special characters to resist simple brute-force attacks.
A worthy note: don't deny your admin folder in robots.txt; just leave it out, use .htaccess and add the fix too. It's easy to establish where all your renaming hard work was done by adding /robots.txt to the URL.