What is the right way to prevent backend access on a live server?

This forum has moved to a new location and is in read-only mode. Please visit talk.octobercms.com to access the new location.

rotaercz19941

7 years ago

If I want to prevent access to the backend on a live server what is the right way to do this? What is the right way to push to a live server?

hanny13720240

7 years ago

Set the admin credentials to be something unique and hard to access - and you can change the backend URL to something less known.

By default the backend URL is: '/backend' By default the admin username is: 'admin'

So if you leave those as defaults - that means any hacker has that information by default. If a hacker has to figure out the username AND the password, it's much more difficult - so change the default admin username.

Change the default backend URL as well if you want to make things a little more secure.

As far as pushing to a live server, that varies from person to person dependent upon their workflow.

rotaercz19941

7 years ago

What I mean is on a live server I wouldn't want /backend to be accessible at all. I could remove the backend.php file on the live server but I feel this isn't an elegant solution so I was wondering if there was a right way to do it.

daftspunky

7 years ago

Moderator

Event::listen('backend.page.beforeDisplay', function() {
    return Redirect::to('/');
});

rotaercz19941

7 years ago

Ah, I see. Thank you!

JimmyBorofan

7 years ago

But what happens when you wish to edit a page? you will have to keep removing it,

I think another solution would be to add an entry in the .htaccess file that would limit the access to the /backend url by IP address, then use your own IP address to restrict, if you do not have a static IP address you can use DynDns to auto update it and use the IP/domain from DynDNS in place of the IP address in the .htaccess file.

14235

7 years ago

JimmyBorofan said:

But what happens when you wish to edit a page? you will have to keep removing it,

I think another solution would be to add an entry in the .htaccess file that would limit the access to the /backend url by IP address, then use your own IP address to restrict, if you do not have a static IP address you can use DynDns to auto update it and use the IP/domain from DynDNS in place of the IP address in the .htaccess file.

It's going to be a choice between security and accessibility, just like any CMS. I personally would have a local test site that's used to build up the changes, then upload those changes to the live site when ready. Remember, the important content data is flat file, so it's not like Wordpress where you basically have to be logged in to change stuff.

rotaercz19941

7 years ago

JimmyBorofan said:

But what happens when you wish to edit a page? you will have to keep removing it,

I think another solution would be to add an entry in the .htaccess file that would limit the access to the /backend url by IP address, then use your own IP address to restrict, if you do not have a static IP address you can use DynDns to auto update it and use the IP/domain from DynDNS in place of the IP address in the .htaccess file.

I was thinking there could be a global constants file that gets referenced and in that file it would indicate whether we're currently on a live or dev server and it would redirect accordingly using the following:

daftspunk said:

Event::listen('backend.page.beforeDisplay', function() {
   return Redirect::to('/');
});

Last updated 7 years ago

1-8 of 8

You cannot edit posts or make replies: the forum has moved to talk.octobercms.com.

Latest from the blog

Spletna Postaja Shares Their October CMS Journey [Interview]

We're excited to share a partner spotlight interview with Spletna Postaja, a talented digital agency based in Slovenia. With over 20 years of experience, they've become experts in crafting custom digital solutions, and October CMS plays a central role in their success.

Continue reading →