Forums

Security and obscurity

Permalink
Before I got the route of adding block by ip to my .htaccess file is there a way to block access to the login page? I have tried setting the permissions on the login page and removed guest view access. I have also setup a "secret" page for logging in using a login block. even though I removed guest view to the login page, everyone can still get there while guest. Also if I hit any dashboard link (which is not hard to do once you know its concrete5) it redirects me to /login. I'd like to obscure how the site is edited. I'd much rather have someone hit the 404 page than the login page. Is there a way to do this? Is there a way to specify where the login page is in the PHP code? If so I'll just point the login to the 404 and call it a day knowing I can still login with my hidden page.

Thanks
 
justrj replied on at Permalink Reply
justrj
I'm going out on a limb here and saying that the reason you can't block access to the page itself by guests is because before you log in, you are a guest. If the page is not accessible by guests and you log out you couldn't get back in. I am not 100% on this though.
enlil replied on at Permalink Best Answer Reply
enlil
If you go to the sitemap and move your login page to under the registration page, navigating to the /login will give a page not found, while still allowing you to login at /register/login ;)

just tested on 5.6.1.2

EDIT: So making an obscurly named page and placing the login under it should suffice. Just dont forget the path to /login !!
ecoulter replied on at Permalink Reply
One side affect I have found is that you can't log out. Since the sign out button tries to dowww.www.yoursite.com/index.php/login/logout/... Do you know where this link is located so I can update it?
ecoulter replied on at Permalink Reply
Found another issue. Even though I have moved the page (probably due to ID #) if someone types in yoursite.com/dashboard/users/search/ it still redirects them to the login page instead of 404. It doesn't show the obscured path, but it still takes them there. We actually had someone ask us over social media if we expected the login page to be hard to find. We'd like to say yes to that question, but so far we can't. :-)
ecoulter replied on at Permalink Reply
Another thing I have discovered is that the login doesn't work now either. It tries to dohttp://www.yoursite.com/index.php/login/do_login/... which of course also doesn't exist since its been moved. So the page move does hide the site, but I think there are more changes that need to happen. just now sure what yet.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.