extra security to admin

noname8

Like in WordPress, most exploits come from the admin files,
so I would like to protect the whole /admin folder so that nothing gets run from there if it's not first authenticated.
Even the files that, for whatever reason, do not include the normal config and login method files.

I had an idea that this could be done with .htpasswd
or with an .htaccess prepend file.

crnogorac081

Can you explain to me from whom and what you are protecting the administration?
The login script/page is pretty much protected.
And when you log in there are other types of protection.
There is a saying in coding: never trust user input.
Web developer

noname8

That's true, it's a pain.
Renaming would be good also, thanks. But I should have done this years ago; now changing the admin URL would cause too much pain if I don't make some kind of link to the new folder.
A link would still prevent automated /admin-targeting scripts.

dbs

An alternative is to rename the admin folder (also in config.php).
In many cases an .htaccess is also a pain for other users of the website.
https://onkel-franky.de

noname8

Just for an extra layer of security, do you recommend adding an .htaccess / Apache user file to make the /admin folder only accessible if you first enter a password?

Of course this would be bad if the server cookie time is 15 minutes or less; it will kick you out.

So, as an alternative, is there a .php file that gets included in every /admin/* GET and POST that I could add to include a cookie-based extra login or exit()-type layer of security?
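
The two approaches raised in this thread (an .htpasswd login in front of /admin, and an .htaccess prepend file), sketched as an added example that is not part of any post or of the CMS itself. All paths, the user name and the guard file name are placeholders, and it assumes Apache 2.4 with `AllowOverride AuthConfig` (plus `Options` for the PHP line) enabled for the folder.

```apache
# /admin/.htaccess  (constructed example; every path below is a placeholder)

# Layer 1: HTTP Basic authentication in front of everything in /admin.
# Apache enforces this before any file in the folder is served or executed,
# so it also covers PHP files that never include the normal config/login code.
AuthType Basic
AuthName "Admin area"

# Keep the password file outside the web root so it can never be downloaded.
# Create it once on the server with:
#   htpasswd -c /path/outside/webroot/.htpasswd adminuser
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Basic auth sends the password with every request, so serve /admin over
# HTTPS only.

# Layer 2 (optional): the "prepend file" idea. PHP runs this script before
# every PHP file requested under /admin, whether or not that file includes
# the CMS login code. admin_guard.php is a hypothetical file you would write
# yourself: it checks your extra login and calls exit() when the check fails.
#
# php_value in .htaccess only works when PHP runs as an Apache module.
# With PHP-FPM or CGI, put the auto_prepend_file setting in a .user.ini
# file in /admin instead. Uncomment only if it applies to your server:
#
# php_value auto_prepend_file "/path/outside/webroot/admin_guard.php"
```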