Hi, I am in the middle of developing (using Codeigniter) a site at the moment and it requires a complex Admin section so that staff can manage various things on the site.
I am looking for some advice on how I can make the Admin as secure as possible because, like any other site, if someone gains access to the admin section then they could destroy the site in a matter of seconds.
I was thinking of doing the following:
01 - setting the admin section up on a sub directory such as adm1nistrat0r.website.com
02 - securing the admin section with a login section before the admin pages can be accessed
03 - securing the directory with htaccess
Can anyone recommend any other methods that I could use? Thanks in advance for your help...
This reply addresses how to protect your databases from sql injections, should the worst come to the worst and you have allowed such attacks to take place.
if someone gains access to the admin section then they could destroy the site in a matter of seconds.
If, by this you mean that they could empty your Mysql databases, then read up on using Mysql's permission system so that they cannot delete anything.
Mysql GRANT permissions.
Taken to its logical extreme, visitors to your website should old ever be able to "read" from your db and therefore have permission to change data only in those tables you permit them.
Your admin users will probably have more permissions on more tables, but think about how to deny them the ability to DROP and DELETE.
One way to do this is to flag old content as "not for display", there are pros and cons of course e.g. you now have a "restore" feature, but you also have to deal with a ballooning amount of content.
If you are going to read up on this and take some action such as having a play with it, then beware of the big fat gotcha concerning "FLUSH PRIVILEGES".
If you don't issue that command after every alteration, you will suffer temporary madness, or worse, skip over this important layer of security because it will not seem to work.