Is password protection of admincp root folder still the way to go?

  • Maltair
    Senior Member
    • Feb 2009
    • 575
    • 5.7.5

    Is password protection of admincp root folder still the way to go?

    I recall reading that vBulletin will have fewer and fewer files in the root admincp folder (currently in mine, I see img and js folders, my .htaccess that password protects it, and an index.html), so is it worthwhile to password protect this folder still? Because that is what I did for my vb5 and vb4 forums after they were breached some time back. Now whenever I click to log in to the admin cp, I must first enter a username and password simply to enter the admincp folder before I may log in to the admin cp itself.

    I even notice that in the vb5.3.2 upload folder this admincp is flat out empty now.

    Is this still the way to go or is there a better vbulletin folder to PW protect for vb5 these days?

    What about for vb4?
  • Trevor Hannant
    vBulletin Support
    • Aug 2002
    • 24325
    • 5.7.X

    #2
    There's new AdminCP protection built into vB5 through the config file:

    vBulletin 5.3.1 is now available. Support for Large Forums In the past, there have been some performance issues with sites that have a very large number of Forum


    There's no harm in continuing to protect the core/admincp directory via .htaccess if you wish to.
    Vote for:

    - Admin Settable Paid Subscription Reminder Timeframe (vB6)
    - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

    Comment

    • Maltair
      Senior Member
      • Feb 2009
      • 575
      • 5.7.5

      #3
      I see. Yes, the admincp directory I have been PW protecting is the one outside the core, the (previously, I suppose) "main" one.

      Comment

      • Maltair
        Senior Member
        • Feb 2009
        • 575
        • 5.7.5

        #4
        When I password protect the forums/core/admincp folder, I see no effect as far as login to the vbulletin 5 ACP.

        Only password protecting the forums/admincp folder affects login to the vbulletin 5 ACP (this is what I had PW protected before).

        Comment

        • Maltair
          Senior Member
          • Feb 2009
          • 575
          • 5.7.5

          #5
          What I am getting at is: is it worthwhile to password protect the forums/core/admincp when doing so does not guard logins to the vbulletin ACP?

          Comment

          • glennrocksvb
            Former vBulletin Developer
            • Mar 2011
            • 4011
            • 5.7.X

            #6
            You can also try using 2-factor authentication for accessing AdminCP and ModCP. You can enable it in /core/includes/config.php.

            Flag Icon Postbit Insert GIPHY Impersonate User BETTER INITIALS AVATAR Better Name Card Quote Selected Text Bookmark Posts Post Footer Translate Stop Links in Posts +MORE!

            Comment

            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73981

              #7
              As stated, we've built IP and Two-Factor Authorization into the system. The reason is that using a .htaccess (or Windows Authorization) for password protection doesn't work on all servers these days. Plus we may remove the /admincp directory completely in the future.

              If this is working for you currently and you're comfortable with it, then you shouldn't have any problems in the immediate future.

              Password Protection would be the preferred method in vBulletin 4.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment

              • Maltair
                Senior Member
                • Feb 2009
                • 575
                • 5.7.5

                #8
                When I PW protect the vb5 forums/admincp folder with .htaccess on my Apache Linux server, anyone trying to log in to the vBulletin ACP must first enter a password just to get into that folder before they may even log in to the vBulletin ACP.

                When I PW protect the vb5 forums/core/admincp folder with .htaccess, I see no effect whatsoever as far as vBulletin ACP login.

                Comment

                • glennrocksvb
                  Former vBulletin Developer
                  • Mar 2011
                  • 4011
                  • 5.7.X

                  #9
                  I would only password protect test sites using htaccess. But for production sites, I would use 2-Factor authentication and/or IP address restriction.


                  Comment

                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73981

                    #10
                    Originally posted by MDawg
                    When I PW protect the vb5 forums/core/admincp folder with .htaccess, I see no effect whatsoever as far as vBulletin ACP login.
                    We don't access any URLs via /core/admincp. So the .htaccess won't trigger. To use .htaccess for the ModCP, you have to make a /modcp directory and update the rewrite rules in the default .htaccess file to account for it. I can't guarantee that the /admincp or /core/modcp directories will exist in future versions.

                    As stated above, the best ways today are to use Two-Factor Authentication (you can make it required) and/or IP Address restriction. Both are configured in the /core/includes/config.php file.

                    Two-Factor Authentication is available on Cloud Sites as well.

                    Comment
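
The directory-level protection discussed in posts #8 and #10, as an added example that is not part of the thread or of vBulletin's shipped files: an .htaccess for the forums/admincp directory on Apache 2.4. It assumes mod_ssl is loaded and AllowOverride AuthConfig is in effect for that directory; the realm name and the password-file path are placeholders.

```apache
# forums/admincp/.htaccess (constructed example)
# Goes in the directory that appears in AdminCP request URLs. Per post #10,
# no URL is served via core/admincp, so a copy placed there is never triggered.

AuthType Basic
AuthName "Admin area"

# Placeholder path: keep the password file outside the document root.
# Create it with: htpasswd -c -B /home/example/private/admincp.htpasswd <user>
AuthUserFile /home/example/private/admincp.htpasswd

<RequireAll>
    # Basic auth sends the credentials with every request, so refuse plain HTTP.
    Require ssl
    Require valid-user
</RequireAll>
```

This gates only requests whose URL path falls under the directory holding the file, which is why the placement in forums/admincp matters.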

                    • Maltair
                      Senior Member
                      • Feb 2009
                      • 575
                      • 5.7.5

                      #11
                      I feel redundant but... is there an upside then to .htaccess PW protecting the /core/admincp?

                      Is there a downside? Will it slow anything down? Close any of the forum to the Google search engine bots?

                      Comment

                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73981

                        #12
                        If you use the recommended methods, there is no benefit to protecting /core/admincp with .htaccess. However, doing so shouldn't slow down the forum, and Google should never see a link to /core/admincp unless you make the AdminCP accessible to guest users, and then why bother with security?

                        We've provided .htaccess (and web.config) files to lock down all directories that we feel should be locked down in the system, including the necessary subdirectories of /core.

                        Comment

                        • Maltair
                          Senior Member
                          • Feb 2009
                          • 575
                          • 5.7.5

                          #13
                          Well, what if I'm not using any recommended methods... in that I'm still not clear on what these are. I don't use the IP restriction because I travel a lot. I haven't looked into two-step authentication because I don't want to deal with having to get a code on my phone every time I need to log in to the ACP.
                          Last edited by Maltair; Wed 30 Aug '17, 9:03am.

                          Comment

                          • Wayne Luke
                            vBulletin Technical Support Lead
                            • Aug 2000
                            • 73981

                            #14
                            Originally posted by MDawg
                            Well, what if I'm not using any recommended methods... in that I'm still not clear on what these are. I don't use the IP restriction because I travel a lot. I haven't looked into two-step authentication because I don't want to deal with having to get a code on my phone every time I need to log in to the ACP.
                            You will have to use password protection via .htaccess and strong passwords. The reason we added the other methods is because it is almost impossible to get complete password protection with .htaccess working with the current folder structure and use of rewrites. I've spent weeks in the past working with customers and network administrators in trying to get it to work completely on both Linux and Windows machines. Some scenario always broke through. This is why new protection methods were added.

                            I guess the question is the trade-off between security and convenience. You've chosen convenience.


                            Comment

                            • Maltair
                              Senior Member
                              • Feb 2009
                              • 575
                              • 5.7.5

                              #15
                              Okay! So given that I won't use the other methods right now, is there any point to password protecting the /core/admincp, or should I stick to PW protecting only the forums/admincp (at least until you eliminate that folder)?

                              At least when I PW protect the forums/admincp then no one may access the admincp without a password just to get into the directory.

                              I see no benefit to PW protecting the /core/admincp then, am I correct?

                              This is all I have been asking. Thanks!

                              Comment
