Just a general enquiry on how the collected brains herein handle 'admin areas' on their sites. I've a few sites that give the site owners access to administration areas which vary in their features, but I've never decided on the very best way to do this - particularly when the site itself has no 'normal' login process (i.e. the only login of any kind is the admin one). What I tend to do most often is put the admin login and pages in a separate sub-folder with a very plain login page, then use normal security on username and password to protect access, but is there a better way? How about an admin area on a totally separate domain name that cannot directly be associated with the site itself? Any ideas or comments welcomed...
It's something you can do. Though, how many people do you know that would want to go onto another URL just to change their admin settings? Usually sites that offer an admin area are sites that people will be on before anyway. I can see the appeal of your idea though, but it is easy to handle admin areas and make them secure enough; at the end of the day, it's the user that can make security useless - if the user decides to use an easy password and username then there's nothing you can really do. It's always going to be securing the directory with the .htaccess, max login attempts before a lockout to prevent brute force, etc. Have you considered generating the admin folder name for each install, so it's not the generic "admin", and coupling this with a randomly generated admin username and password? But there will always be someone who makes attempts to hack into the site.
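The "max login attempts before a lockout" idea from the reply above, as an added example that is not code from this thread: a small Python login checker (hypothetical names; the thresholds are sample values) that hashes passwords with PBKDF2, compares in constant time, counts failures inside a sliding window, and locks the account once the limit is hit.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 5        # failed attempts tolerated inside the window (sample value)
WINDOW_SECONDS = 600    # failures older than this no longer count (sample value)
LOCKOUT_SECONDS = 900   # how long the account stays locked once tripped (sample value)

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-account salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0

class AdminLogin:
    def __init__(self):
        self.accounts = {}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = AccountState(salt, digest)

    def attempt(self, username, password, now):
        """Returns 'ok', 'denied' or 'locked'; `now` is a unix timestamp."""
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user: still do the hashing work so response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"   # even a correct password is refused while locked
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
            return "locked"
        return "denied"
```

A real deployment would persist the account state outside the process and log the lockout event so repeated trips show up in monitoring.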
Hi Grit, yeah, I'm pretty happy with how I'm doing it now - I have, I think, a pretty good login process honed over the years, including login attempts, times, etc., and I always apply rules to passwords to prevent silly ones - it's just that it's easy to think you're doing it the right way without actually knowing, and since I'm about to build a new site I thought I'd ask around... Jon