I just found out something about magento that scared me…
It is a common practice to define a unique url to the admin site and use it to replace the default magento_url/admin/ path. It is understandable that such an approach improves the security of a magento site not allowing the attackers to simply guess the entry point to the backend.
Today I discovered that it is pointless to hide the admin url, because everyone can find out what it is. All you have to do is to go to magento_url/downloader and click the link “Return to Magento Administration”. No matter how complicated your admin url, the attacker is right at your doorstep.
Is there any way to deal with this issue? I have two ideas:
1. Hide the downloader url as well. I am not sure if that is possible and how it will affect the downloader itself.
2. Remove the “Return to Magento Administration” link from the downloader login page. I am going to have a look at it now and will post any findings.
Although I have changed my admin path, I never rely on security through obscurity, which is exactly what that is. But it still surprises me that the link is displayed even when not logged in. So one solution is to check for a logged-in user and only then display the link. But to me that’s not enough, and I went with a completely different approach. If you don’t mind logging in twice, you can set up basic/digest authentication, so an attacker won’t even see that page at all. I went a step beyond that even. I am using digest authentication for both admin and the downloader, but it only displays the password dialog if I am connecting from an unknown IP address. So I just list all the IPs I normally connect from, like home and work. If I am somewhere else like in a hotel room, I will get the password prompt and have to enter my credentials before I even see the Magento login screens. This provides an additional layer of security, and helps hide the fact that I am even using Magento at all.
Here is an example of how I set up digest authentication with an IP address check.
# Match both the renamed admin path and the downloader, with or without a trailing slash
<Location ~ "/(mysecretadmin|downloader)(/|$)">
    <IfModule mod_authn_file.c>
        # Apache 2.2 access control: deny everyone by default...
        Order deny,allow
        Deny from all
        # ...but accept a valid digest login (the user file must be created with htdigest, realm "Restricted")
        AuthName "Restricted"
        AuthType Digest
        AuthUserFile /path/to/.htpasswd
        Require valid-user
        # ...or a connection from a trusted IP address (space separated list)
        Allow from 1.1.1.1 2.2.2.2
        # Satisfy Any: either the IP rule or the authentication is enough
        Satisfy Any
    </IfModule>
</Location>
Just change “mysecretadmin” to your custom admin URL, change the path to the location of your .htpasswd file, and then list any IP addresses you might connect from in place of 1.1.1.1 and 2.2.2.2. This needs to be a space separated list.
Also, I believe this can only go in your Apache config file, not in a .htaccess file. If you don’t have a dedicated server or your host doesn’t give you access to your Apache config file, then you won’t be able to use the method I show. In that case, you can just set up basic authentication for the downloader directory inside your .htaccess file.
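For hosts that only allow .htaccess overrides, this is an added example (not from the post above) of the fallback just described: basic authentication on the downloader directory alone, written in the same Apache 2.2 directive style as the Location block. It assumes the file lives at magento_root/downloader/.htaccess, that the host permits AuthConfig and Limit overrides there, and that /path/to/.htpasswd is a placeholder for a file created with the htpasswd tool; the IP addresses are likewise placeholders.

```apache
# Added example: magento_root/downloader/.htaccess (assumed location)
# Requires "AllowOverride AuthConfig Limit" (or All) for this directory.

# Deny everyone by default (Apache 2.2 syntax, as in the original config)
Order deny,allow
Deny from all

# Basic auth: browsers send the password base64-encoded, so serve this over HTTPS only.
# /path/to/.htpasswd is a placeholder for a file built with: htpasswd -c /path/to/.htpasswd admin
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Optional: skip the prompt for trusted addresses (placeholder IPs, space separated).
# Remove these two lines to always require the login.
Allow from 1.1.1.1 2.2.2.2
Satisfy Any
```

Because this file is inside the downloader directory, it covers only that entry point; the renamed admin path still needs its own protection, which is why the server-level Location block above is the more complete option when it is available.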
In magento 1.4 the downloader will be removed from my understanding. This means it will not be a separate section of the site.
That’s really interesting. Where did you hear that? It’s still there in alpha3. I was hoping alpha4 would be released last week but that didn’t happen. Hoping it comes this week…
That’s not true. Magento Connect Manager will work in 1.4 RC and stable releases. Currently in 1.4-alpha(s) it might not work correctly and it is not recommended to use it in alpha-beta releases.
Hi Michael, if this is still going to last in the new version, do you have any other suggestions on how to hide the admin url? Do you think it will be possible to display it only if the user is logged in to the backend?
Yes, we will remove the “Return to admin” link from the login page; it will be visible only after the user has successfully logged into the Magento Connect Manager.
The best and most reliable way to deal with this issue is to use web server authentication like i960 mentioned. Almost all hosting providers that use Apache allow you to enable this feature via .htaccess. This will protect you from current and future issues. I would also still rename the folder.