
Is password protection of admincp root folder still the way to go?


  • Is password protection of admincp root folder still the way to go?

    I recall reading that vbulletin will have fewer and fewer files in the root admincp folder (currently in mine, I see img and js folders, my .htaccess that password protects it, and an index.html). So, is it worthwhile to password protect this folder still? Because that is what I did for my vb5 and vb4 forums after they were breached some time back. Now whenever I click to login to admin cp I must first enter a username and password simply to enter the admincp folder before I may login to the admin cp itself.

    I even notice that in the vb5.3.2 upload folder this admincp is flat out empty now.

    Is this still the way to go or is there a better vbulletin folder to PW protect for vb5 these days?

    What about for vb4?

  • #2
    There's new AdminCP protection built into vB5 through the config file:

    https://www.vbulletin.com/forum/foru...-now-available

    There's no harm in continuing to protect the core/admincp directory via .htaccess if you wish to.


    • #3
      I see. Yes the admincp directory I have been PW protecting is the one outside the core, the (previously, I suppose), "main" one.



      • #4
        When I password protect the forums/core/admincp folder, I see no effect as far as login to the vbulletin 5 ACP.

        Only password protecting the forums/admincp folder affects login to the vbulletin 5 ACP (this is what I had PW protected before).



        • #5
          What I am getting at is: is it worthwhile to password protect the forums/core/admincp when doing so does not guard logins to the vbulletin ACP?



          • #6
            You can also try using 2-factor authentication for accessing AdminCP and ModCP. You can enable it in /core/includes/config.php.

            GIPHY for vB5 AutoLinker Social Icons in Postbit Like Counts on Postbit Clear Cache Cron DragDrop Upload Topic AJAX AutoUpdate Custom Avatars Selector Stop Links in Posts ...and more!



            • #7
              As stated, we've built IP and Two-Factor Authorization into the system. The reason is that using a .htaccess (or Windows Authorization) for password protection doesn't work on all servers these days. Plus we may remove the /admincp directory completely in the future.

              If this is working for you currently and you're comfortable with it, then you shouldn't have any problems in the immediate future.

              Password Protection would be the preferred method in vBulletin 4.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud customization and demonstration site.
              vBulletin 5 Documentation - Updated every Friday. Report issues here.
              vBulletin 5 API - Full / Mobile
              I am not currently available for vB Messenger Chats.



              • #8
                When I PW protect the vb5 forums/admincp folder with .htaccess on my Apache Linux server, anyone trying to login to the vbulletin ACP must first enter a password just to get into that folder before they may even login to the vbulletin ACP.

                When I PW protect the vb5 forums/core/admincp folder with .htaccess, I see no effect whatsoever as far as vbulletin ACP login.



                • #9
                  I would only password protect test sites using htaccess. But for production sites, I would use 2-Factor authentication and/or IP address restriction.



                  • #10
                    Originally posted by MDawg
                    When I PW protect the vb5 forums/core/admincp folder with .htaccess, I see no effect whatsoever as far as vbulletin ACP login.
                    We don't access any URLs via /core/admincp. So the .htaccess won't trigger. To use .htaccess for the ModCP, you have to make a /modcp directory and update the rewrite rules in the default .htaccess file to account for it. I can't guarantee that the /admincp or /core/modcp directories will exist in future versions.

                    As stated above, the best ways today are to use Two-Factor Authentication (you can make it required) and/or IP Address restriction. Both are configured in the /core/includes/config.php file.

                    Two-Factor Authentication is available on Cloud Sites as well.
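An added example, not part of the thread and not vBulletin code: posts #8 and #10 turn on whether the .htaccess sits on the path that AdminCP requests actually travel through, and this sketch checks that by sending unauthenticated requests and looking for a 401 Basic challenge. It runs against a constructed local stand-in server; the `ConstructedForum`, `is_challenged` and `demo` names and the stand-in's behaviour are assumptions for illustration.

```python
import http.client
import http.server
import threading

class ConstructedForum(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for Apache: challenges only the protected prefixes."""
    def do_GET(self):
        gated = self.path.startswith(self.server.protected)
        if gated and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="AdminCP"')
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def is_challenged(host, port, path):
    """True if an unauthenticated GET gets a 401 with a Basic challenge."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        scheme = (resp.getheader("WWW-Authenticate") or "").split(" ", 1)[0]
        return resp.status == 401 and scheme.lower() == "basic"
    finally:
        conn.close()

def demo(protected, paths=("/admincp/", "/core/admincp/")):
    """Audit the constructed server with .htaccess auth on `protected` only."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ConstructedForum)
    server.protected = tuple(protected)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {p: is_challenged("127.0.0.1", port, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    # The AdminCP is reached through /admincp/, so that is the path that must
    # be challenged; auth placed only on /core/admincp/ leaves it open.
    for protected in (["/admincp/"], ["/core/admincp/"]):
        print(protected, demo(protected))
```

Pointing `is_challenged` at your own forum's host and the URL you actually type to reach the AdminCP gives the same answer for a live site.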


                    • #11
                      I feel redundant but...is there an upside then to .htaccess PW protecting the /core/admincp?

                      Is there a downside? Will it slow anything down? Close any of the forum to the google search engine bots?



                      • #12
                        If you use the recommended methods, there is no benefit to protecting /core/admincp with .htaccess. However, doing so shouldn't slow down the forum and Google should never see a link to /core/admincp unless you make the AdminCP accessible to guest users and then why bother with security?

                        We've provided .htaccess (and web.config) files to lock down all directories that we feel should be locked down in the system. Including the necessary subdirectories of /core.


                        • #13
                          Well, what if I'm not using any recommended methods...in that I'm still not clear on what these are. I don't use the IP Restriction because I travel a lot. I haven't looked into two step authentication because I don't want to deal with having to get a code on my phone every time I need to login to the ACP.
                          Last edited by MDawg; Wed 30th Aug '17, 9:03am.



                          • #14
                            Originally posted by MDawg
                            Well, what if I'm not using any recommended methods...in that I'm still not clear on what these are. I don't use the IP Restriction because I travel a lot. I haven't looked into two step authentication because I don't want to deal with having to get a code on my phone every time I need to login to the ACP.
                            You will have to use password protection via .htaccess and strong passwords. The reason we added the other methods is because it is almost impossible to get complete password protection with .htaccess working with the current folder structure and use of rewrites. I've spent weeks in the past working with customers and network administrators in trying to get it to work completely on both Linux and Windows machines. Some scenario always broke through. This is why new protection methods were added.

                            I guess the question is the trade off between security and convenience. You've chosen convenience.



                            • #15
                              Okay! So given that I won't use the other methods right now, is there any point to password protecting the /core/admincp, or should I stick to PW protecting only the forums/admincp (at least until you eliminate that folder)?

                              At least when I PW protect the forums/admincp then no one may access the admincp without a password just to get into the directory.

                              I see no benefit to PW protecting the /core/admincp then, am I correct?

                              This is all I have been asking. Thanks!
