Forum Security / Admin account ?


Well-known member
in order to have more security from potential hackers, does it make sense to create 2 Admin-Accounts ?

I mean: does it make sense to hide the "Admin username" and not making any posts with the "Admin-username" ?

So there would be literally 2 Admin-accounts:
- one which you use to make Forum-posts and administer the Forums from the Frontend
- another Admin-account for administrating the ACP-backend

I am a bit unsure how this would work or if it makes sense at all ?
How are you guys doing it ?

Many thanks!


Formerly CyclingTribe
I don't think it's necessary. You might want to create a secondary, dormant admin account - for use in the unlikely event you do get "hacked" [or have your ACP compromised] - but providing you don't give your moderators too many high-level functions, and don't recruit too many people at 'admin' level, then you should be fine.

If your board is ever genuinely hacked (most "hacks" are down to people sharing or misusing account/password information) then it is unlikely a secondary account would be much help as it would be easy to identify - it would belong to the Admin group!!

Shaun :D


Well-known member

I was just wondering if it is an issue when the "Admin username" is shown publicly at the frontend of the Forum......
Since when a hacker sees and knows the "Admin username", then the only thing he needs to know is the Password to gain access to ACP.


Well-known member
Just rename the admin account that comes with XenForo and use that as your account.

For example, if I owned a XenForo forum, I would just rename admin to Amaury and use that as my account.


Well-known member
Have your web server force an HTTP AUTH login/password in addition to the normal username/password. For example the admin page here:
you mean HT-Access for the Admin-path ?
yeah, I am using this already.

I was just wondering if the Admin-username at the frontend should be different to the Admin-username with which you access the ACP.
And if yes, then how would you do this ?

Also, if you wanted to change your "Admin-path" from standard "" ..... towards a custom path like e.g.: ""
How would you do this ?

Last edited:


Well-known member
Personally, I don't bother having a different backend admin account. I force the HTTP AUTH login for my admin area, I block access by IP address, I only have one user with admin access (me) and my account also is set to use Two-Factor Authentication to log in. Long story short is you would need to know my password, have physical possession of my cell phone (and know my unlock code for cell phone) as well as be physically in my house.

If someone is in my house, has my cell phone and knows how to unlock it and knows both my account password and HTTP AUTH username/password, well... I have bigger problems... mainly because there's someone in my house and I'm probably dead.


Well-known member
is there an Addon or something for those 2 things:
- block access by IP address
- my account also is set to use Two-Factor Authentication to log in

Many thanks!