Security and obscurity
Before I go the route of adding block by IP to my .htaccess file, is there a way to block access to the login page? I have tried setting the permissions on the login page and removed guest view access. I have also set up a "secret" page for logging in using a login block. Even though I removed guest view to the login page, everyone can still get there while guest. Also, if I hit any dashboard link (which is not hard to do once you know it's concrete5), it redirects me to /login. I'd like to obscure how the site is edited. I'd much rather have someone hit the 404 page than the login page. Is there a way to do this? Is there a way to specify where the login page is in the PHP code? If so, I'll just point the login to the 404 and call it a day knowing I can still log in with my hidden page.
Thanks
I'm going out on a limb here and saying that the reason you can't block access to the page itself by guests is because before you log in, you are a guest. If the page is not accessible by guests and you log out you couldn't get back in. I am not 100% on this though.
If you go to the sitemap and move your login page to under the registration page, navigating to /login will give a page not found, while still allowing you to log in at /register/login ;)
Just tested on 5.6.1.2.
EDIT: So making an obscurely named page and placing the login under it should suffice. Just don't forget the path to /login!!
One side effect I have found is that you can't log out, since the sign out button tries to do www.yoursite.com/index.php/login/logout/... Do you know where this link is located so I can update it?
Found another issue. Even though I have moved the page (probably due to ID #) if someone types in yoursite.com/dashboard/users/search/ it still redirects them to the login page instead of 404. It doesn't show the obscured path, but it still takes them there. We actually had someone ask us over social media if we expected the login page to be hard to find. We'd like to say yes to that question, but so far we can't. :-)
Another thing I have discovered is that the login doesn't work now either. It tries to do http://www.yoursite.com/index.php/login/do_login/... which of course also doesn't exist since it's been moved. So the page move does hide the site, but I think there are more changes that need to happen. Just not sure what yet.
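
For comparison, the .htaccess route mentioned in the opening question, as an added example that is not part of any post in this thread: it leaves the login page where the CMS expects it, so /login/do_login and /login/logout keep working, and answers everyone outside an allowed address with a 404 for both the login and the dashboard paths. It assumes Apache with mod_rewrite, a site installed at the document root, and uses 203.0.113.10 as a constructed placeholder for the editors' address.

```apache
# Added example, not from the thread. Place these lines ABOVE the CMS's
# own rewrite rules so they are evaluated first.
<IfModule mod_rewrite.c>
RewriteEngine On

# 203.0.113.10 is a constructed placeholder; replace it with the address
# the site editors connect from.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$

# Match the paths named in the thread, with or without the index.php prefix:
#   /login, /login/do_login/..., /login/logout/...
#   /dashboard, /dashboard/users/search/
RewriteCond %{REQUEST_URI} ^/(index\.php/)?(login|dashboard)(/|$) [NC]

# Return 404 rather than 403 so the response looks like any other
# missing page and the dashboard URLs never redirect to the login form.
RewriteRule ^ - [R=404,L]
</IfModule>
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the condition has to be written against whatever client address the proxy passes through.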