Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Page 2 of 2
Why hide admin url if everyone can find out what it is? 
 
Alicia Keys
Jr. Member
 
Total Posts:  7
Joined:  2010-03-07
 

I was doing research on this and found that if proper encryption security is provided to the admin panel, then an admin really doesn’t have to bother about it. A secure connection won’t let anyone directly attack the website. Correct me if I’m wrong.
Thank you,
Alicia

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

This is another reason why I have my installation on a domain which isn’t publicly accessible.

Magento on www.asecretandaccessrestricteddomain.tld - for admin - no shop here

Shop on www.shop.tld

www.shop.tld/downloader yields a 404 CMS page.

Most people don’t plan ahead and just have the admin and store on the same domain.

 
 
Gui
Guru
 
Total Posts:  588
Joined:  2008-03-09
 

Wouldn’t the images or other files in the skin directory give the secret domain away?

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Not on my installation. All shops have their own interface and skin folders.

The only way for my installation URL to be revealed is if Varien messes up the code, for example how they used to link to the default shop for unsubscribe links etc. If silly bugs like that pop up again (against which I test when upgrading), things can go pear-shaped.

But so far, I’ve found my installation URL != a shop strategy to only have benefits.

 
 
imwy2cool
Sr. Member
 
Total Posts:  164
Joined:  2009-05-07
 

I have a shop that I’m developing now and is a week or so away from going live. I’d like to implement what you are talking about. Can you explain in more detail? Is this something that I could contract from you? I’m running out of time to meet my deadline so messing with what is almost complete doesn’t excite me, but having a secure shop is more important than that. How does this work with keeping a development site for testing/changes?

 
 
yaozer
Jr. Member
 
Total Posts:  27
Joined:  2009-10-12
Shanghai
 

This surprises me too,

1401 already removed this link.

Jakub@WebCatch - 23 November 2009 07:16 AM

Hi everyone,

I just found out something about magento that scared me…

It is a common practice to define a unique url to the admin site and use it to replace the default magento_url/admin/ path. It is understandable that such an approach improves the security of a magento site not allowing the attackers to simply guess the entry point to the backend.

Today I discovered that it is pointless to hide the admin url, because everyone can find out what it is. All you have to do is to go to magento_url/downloader and click the link “Return to Magento Administration”. No matter how complicated your admin url, the attacker is right at your doorstep.

Is there any way to deal with this issue? I have two ideas:

1. Hide the downloader url as well. I am not sure if that is possible and how it will affect the downloader itself.
2. Remove the “Return to Magento Administration” link from the downloader login page. I am going to have a look at it now and will post any findings.
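
An added example, not part of the original thread or of Magento's code: a check a store owner can run over the saved HTML of their own public pages to catch the two leaks discussed in this thread, the downloader's “Return to Magento Administration” link and references to the separate installation host. The markup, the admin path and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Refs(HTMLParser):
    """Collect (url, link_text) for <a href> and (url, None) for src attributes."""
    def __init__(self):
        super().__init__()
        self.refs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        if a.get("src"):
            self.refs.append((a["src"], None))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so a label split over lines still matches.
            self.refs.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def audit_page(page_url, html, allowed_hosts=()):
    """Return findings: links labelled as admin links, and references to other hosts."""
    parser = _Refs()
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    findings = []
    for ref, text in parser.refs:
        url = urljoin(page_url, ref)
        host = urlsplit(url).hostname
        if text and "administration" in text.lower():
            findings.append(("admin-link", url))
        elif host and host != own_host and host not in allowed_hosts:
            findings.append(("foreign-host", url))
    return findings

# Constructed sample pages; hostnames follow the thread, paths are made up.
LEAKY = '''<html><body>
<img src="http://www.asecretandaccessrestricteddomain.tld/skin/logo.gif">
<form action="/downloader/" method="post"><input name="username"></form>
<a href="/index.php/hidden_backend_1/">Return to  Magento
 Administration</a>
</body></html>'''
CLEAN = '<html><body><img src="/skin/logo.gif"><a href="/">Home</a></body></html>'
```

Running it against saved copies of the storefront pages after each upgrade gives a repeatable version of the manual test J_T_ describes.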

 