Secure AdminCP

by Oxygen - 23-12-2015, 12:24 PM
<div class="postbit-usertitle">
Feb 2015
3 Years of Service
Posted: 23-12-2015, 12:24 PM
Both rogue members, guest, and cyber bots want to desperately gain access and take over your site. While nothing is 100% hack or crack proof, it's always a good idea to make things just a little harder.

1)Mask / Hide your Super Administrator

The idea is the less people who know what your user name is, the less chance anyone can log in as you.

TIP: It is important not to use common name for your Super Administrator.

For example, such names as
  • Super Administrator
  • Super Admin
  • Administrator
  • Admin
  • Owner
  • Founder
  • God
  • Devil
  • Evil Admin
  • 666
  • 999
  • Moderator
  • Mod
  • Super Moderator
  • Super Mod
  • The title name of your site
  • Your real name
Or generally anything else which maybe common.

You also do not want to keep with user ID 1

PHP Code:
$config['superAdmins'] = '1'
  • Change this USER ID to whatever user you plan to use as your Super Administrator.
  • CHMOD config.php to 640 (if possible) to prevent anyone from remotely reading your config.php file.
  • Change your Super Administrator's title to Member or to whatever common title is used on your site

Do NOT use your Super Administrator account to address anyone, make any announcements, or do anything that could associate it as you or anything officially associated with your site. The point is so that no one knows what your Super Administrator account is. Make a hello thread, post a few simple replies, so it's not just an account with 0 post, then leave it alone.

2) Super Administrator Password - Strong

You want this to be long and as complex as possible, but easy for yourself to remember. You don't want others guessing your password.


Do NOT use the same user name or password that you use anywhere else. This is a common mistake and not advised.
Do NOT use the same user name and password for your database anywhere.
Your user name and password for your Super Administrator should also NOT match your database user name and password

3) Password Protect AdminCP ( admin.php )

You will need to make a password protected .htpasswd file. This file will include a user name and password. You can do this using Cpanel,Direct Admin, Web Admin, and many other control panels. There are also some generator tools that you can user (do your homework).
Open .htaccess from within your XenForo root directory and add this on top.
AuthName "By Invitation Only"
AuthType Basic
AuthUserFile /.htpasswd
<Files "admin.php">
require valid-user

CHMOD .htacess to 644 to prevent anyone from directly reading it.

  • Do NOT use the same user name or password as your Super Administrator.
  • Do NOT use the same user name or password as your database
  • The user name and password should be unique and NOT used anywhere else.


Do NOT use the path example above. Place your .htpasswd file some place above public access . You do not want anyone being able to directly access it.


Good = /some-place-else/.htpasswd
Bad = /public_html/some-place-else/.htpasswd


If your host supports it or if you can configure it correctly. Do not use the standard name .htpasswd


If your host support it or if you can configure it correctly. Do not use AuthType Basic, but rather use AuthType Digest. This will add encryption for better security.


If you ever do give someone else access to your AdminCP (developer / hired help); Do NOT give them your user name and password to either your Super Administrator or.htaccess Rather give them their own temporary user name and password.

  • If you ever give someone FTP access (developer / hired help), be sure to restrict their access to public directory and do not give them access to anything above it.
  • Remember to remove access once completed
  • You should also backup your database before & after.
  • Remember to change your database user name & password after completed (don't forget about your config.php file).
  • It may also be a good idea to change the name of your Super Administrator after as well (if they accessed this file, they know now who you are).
This guide was made to support most Apache / Apache2 setups including on basic shared web hosting. More advance methods can be used, but typically require more server access.

4) Password Protect your install directory ( /install/ )
YOUR forum url followed by /install/

While your install folder allows you to install, update, reinstall (start over), and even refresh. This is something you may (should) want to protect. Password protecting it also gives an extra layer of security.


You should not use the same username and password as your super admin account, your admin.php file, and any user name and password you use anywhere else. They should be different.

5) YOU
  • The error between user and keyboard
Even with all the security in the world, all the most powerful security programs, hardware, tweaks, tips, and even following all the above steps...

The biggest known security threat and security flaw in every computer in the world is... You.
  • Only YOU can learn how to better secure yourself (although my steps will surely get you started)
  • Only YOU can control your own user habits
  • Only YOU can remember NOT to ignore important messages (something way to many people seem to do)
  • Only YOU can learn what is safe or not safe
  • Only YOU can decided who can assess your site & accounts.
YOU are your best friend and your worse enemy. This is the most important advise ANY except or computer wizard could ever give you. Please remember it and apply it

Tutorial was originally made by adam howard.
[Image: UeTXrZ5.png]
The last reply on this thread is older than a month. Please do not unnecessarily bump it.
Register an account or login to reply
Create an account
Create a free account today and start posting right away. It only takes a few seconds.
Log into an existing account.
1 Guest(s)