Recently I have been contemplating the most secure way to set up an admin area on a website. The two options that I was toying with are:
I realize that if I set up the admin area separate from the site, this would require the user to discover that the admin panel is there before they could even try getting into it. How much security does that add?
However, forcing them to register with an email address on the main site ties their account to an email address, which I would think helps security a little bit? But putting the admin area on the main site makes it easier to hack, because all the user would need to do is find one bug in the system, right?
I guess I could see positives and negatives for both.
> I realize that if I set up the admin area separate from the site, this would require the user to discover that the admin panel is there before they could even try getting into it. How much security does that add?
This is what you would call "security through obscurity." Generally speaking, it's only going to stop the less persistent hackers. For anybody who is that intent on hacking your site, this will only provide a momentary delay in their success.
Obscurity can still be useful when placed on top of an already otherwise-secure system, though. Use it to keep the average end user from seeing things they don't necessarily want or need to see.
You can also force them to use the separate admin website with an email address existing on the main site. In fact, do both: add a flag on their main account that says "ok, this one is an admin". This way you can display an iframe on the main site that points to the admin site, and anyone connecting to the admin site would have to have this flag set up.
Finally, don't forget single sign-on: on connecting to any of the sites, create both cookies so they won't have to authenticate at both places (unless they have to by design).
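The flag-on-the-account plus shared-session approach from the answer above, as an added Python example that is not part of the original post or anyone's production code. The hostnames (www.example.com / admin.example.com under the parent domain example.com), the names SSO_SECRET, COOKIE_DOMAIN and the cookie name "session", and the two sample users are assumptions made for the example. The token carries only the identity; the admin site reads the is_admin flag from the account record on every request, so the cookie cannot be used to claim admin rights and revoking the flag takes effect immediately.

```python
"""Admin flag on the main-site account + one session cookie for both sites.

Added example; assumes main site www.example.com and admin site
admin.example.com share the parent domain example.com and SSO_SECRET.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional, Tuple

# Shared by both sites so a session issued by either is valid on the other.
# Assumed name; in practice load it from configuration, never hard-code it.
SSO_SECRET = secrets.token_bytes(32)
COOKIE_DOMAIN = "example.com"   # assumed parent domain covering both hosts
SESSION_TTL = 8 * 3600          # seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def _make_user(password: str, is_admin: bool) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "is_admin": is_admin}


# Constructed sample user table (not real data). The is_admin flag lives on
# the main-site account, as the answer suggests.
USERS = {
    "alice@example.com": _make_user("correct horse battery", is_admin=True),
    "bob@example.com": _make_user("hunter2", is_admin=False),
}


def _sign(payload_b64: bytes) -> str:
    return hmac.new(SSO_SECRET, payload_b64, hashlib.sha256).hexdigest()


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Signed session token with identity and expiry only; no admin claim inside."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": email, "exp": int(now) + SESSION_TTL}).encode()
    payload_b64 = base64.urlsafe_b64encode(payload)
    return payload_b64.decode() + "." + _sign(payload_b64)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the e-mail if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload_b64.encode()), sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    if payload.get("exp", 0) < now:
        return None
    return payload.get("sub")


def login(email: str, password: str) -> Optional[str]:
    """Main-site login: verify the password, return a session token on success."""
    user = USERS.get(email)
    if user is None:
        hash_password(password)   # same cost for unknown accounts (timing)
        return None
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["digest"]):
        return None
    return issue_token(email)


def session_cookie_header(token: str) -> str:
    """Set-Cookie value scoped to the parent domain, so the one session is
    presented to both the main site and the admin site (single sign-on)."""
    return (f"session={token}; Domain={COOKIE_DOMAIN}; Path=/; "
            f"Max-Age={SESSION_TTL}; Secure; HttpOnly; SameSite=Lax")


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def authorize_admin(cookie_header: str, now: Optional[float] = None) -> Tuple[int, Optional[str]]:
    """Gate for every admin-site request.
    401: no valid session; 403: valid session but no admin flag; 200: admin.
    The flag is read from the account record, never from the cookie."""
    token = _cookie_value(cookie_header or "", "session")
    email = verify_token(token, now) if token else None
    if email is None:
        return 401, None
    user = USERS.get(email)
    if user is None or not user["is_admin"]:
        return 403, email
    return 200, email


if __name__ == "__main__":
    tok = login("alice@example.com", "correct horse battery")
    print(session_cookie_header(tok))
    print(authorize_admin("session=" + tok))
```

Run on the admin host, authorize_admin should wrap every route; the main site only needs verify_token for ordinary pages. Whether to answer a non-admin with 403 or with the same 404 the unauthenticated public sees is a separate design choice and does not change the check itself.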