XF 2.2 Change Admin URL

[thunderup]

Is there a way to change the Admin URL so as to hide it from the "obvious" URL that it has as a default from unwanted visitors?

 

[Paul B]

Yes, see this post:

There'll be a few templates to change, I think, for those places which link directly to admin.php, but the change to the routing formatter itself can be done without changing any core files in XF2.

Just add the following to your src/config.php file:

$c['router.admin.formatter'] = $c->wrap(function($route, $queryString)
{
   $suffix = $route . (strlen($queryString) ? '&' . $queryString : '');
   return strlen($suffix) ? 'not_admin.php?' . $suffix : 'not_admin.php';
});

Replace not_admin.php with whichever name you have renamed admin.php to.

You can also just add .htaccess auth.

Protecting admin.php, the /install directory, and test & development installations using .htaccess

If you want to provide an extra layer of protection to admin.php, the /install directory, and test & development installations, you can do so with .htaccess authentication. Protecting admin.php To protect admin.php, edit the .htaccess file...

xenforo.com

 

[Kirby]

Yes, see this post:

Almost, but this does not work 100% - there are quite a few hardcoded calls to adminphp in JavaScript files related to

• Uploading assets
• Searching users
• Editing code (templates)

Those would fail if the file is renamed, so to make them work further adjustments would be necessary so I don't think just changing templates and adjusting admin formatter like @Chris D suggested would fully work.

 

[Deleted member 241496]

Why would you want to do this?

 

[Paul B]

Some people think it adds a level of security by changing the file name to something other than the default.

 

[Deleted member 241496]

Some people think it adds a level of security by changing the file name to something other than the default.

I know thats a big issue with WordPress but do we need to be worried about it with Xenforo?

 

[Paul B]

No, it's not required.

 

[Chris D]

HTTP authentication, secure passwords and forcing 2FA should mitigate any concerns entirety.

 

[Deleted member 241496]

Yea, we limit access to the admin area by IP address, require 2FA for admin and moderators, and have SSL installed.

 

[alternadiv]

HTTP authentication, secure passwords and forcing 2FA should mitigate any concerns entirety.

I assume this probably isn't a simple answer, but is 2FA alone 100% bulletproof? I use the new 2FA built into iCloud's password manager (which works seamlessly). I would think that is enough to make the control panel literally impenetrable?

 

[Chris D]

It requires something you know (the password) and something you have (the short lived, one time token) so yeah it should be pretty bullet proof in most cases.

You just don’t want your authentication device to fall into the wrong hands but typically that would require your actual device to be stolen and accessed which seems very unlikely.