XF 2.2 Securing Admin Login Page - General Security Tips

a1000

Member
So I have installed XenForo and I am breezing through the installation, setup and configuration, and it looks fantastically easy and enjoyable. It just gives you a feeling that you're gonna do great with it :)

I have and will have some questions.

How do I secure or, let's say, hide the admin login page of XF? For instance, I just tried the /community/install address and it pops up the admin login page.

How do I secure that? And generally, what are the steps to take in terms of keeping XF secure?

I checked almost all permissions and access levels, the defaults look fine.
 
Understood, I will ask my other questions here instead of opening multiple topics.

I have noticed user registration confirmation and other system mails going into the spam folder. What are the best practices to avoid this? I know I need a reputable IP to assign to my host.
 
You can configure your domain on Cloudflare and use this add-on: https://xenforo.com/community/resources/digitalpoint-app-for-cloudflare®.8750/

Key points
  • Cloudflare Access support : You can automatically create Access policies to allow only admins the ability to access the /install and admin.php URLs.
  • Cloudflare Firewall support : You can automatically create firewall filters to block access to XenForo internal directories that are not intended to be accessed via web browser (internal_data and src).
 
Do all the things. Require 2FA for admin (and if you want to go full nerd/overkill, require them to use hardware security keys as their 2FA method). And ya, as @S4m' pointed out, you can configure Cloudflare to give additional security (if you use Cloudflare for your domain).

Completely block HTTP access to src and internal_data and you can use Zero Trust Access to put an extra layer of protection on admin.php and install. Then it doesn't matter if your web server, PHP daemon or MySQL or anything on your server (or even XenForo for that matter) has some 0-day exploit because you are controlling access upstream of your server at the network traffic level (don't even let the network packets get to your server if they are not authorized).
 
I think one of the biggest things is to make sure to enable 2FA on your account. And make sure to put a checkmark in:

Require two-step verification to access the admin control panel

Ok lemme do this one by one,

When I go to Setup > Two-step verification I don't see a section to enable this. Where do I enable TFA?
 
I have checked that add-on; if I am right, I just install this and I don't need to tweak any of the settings? Because the pictures are mostly showing all the features, not the steps to be taken.
 
Just go into your admin control panel and click the search in the top right corner and start to type Two form… and it should bring it up.
 
Found and activated it; it should have been enabled from the admin's own client settings. All done and working now.

About the DigitalPoint app, is it enough to just install it? How are the specific configs applied?
 
I have installed your Add-on and then went to Cloudflare > Firewall tab and activated "Block Internal Directories".

Is that it?
 