How to help protect the ACP (Admin. Control Panel)

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Ideas Centre
Post Reply
User avatar
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

How to help protect the ACP (Admin. Control Panel)

Post by 2600 »

This may or may not be entirely needed, but I've been doing this for some five years now and it can't hurt so I'll share it here for what it's worth. I'm sure a bunch of users will post that it's not needed because of how phpBB is coded with dual logins and that the code has never been hacked and all that rot. I just do this anyway because I'm a firm believer in layers when it comes to security and backups as well. Both with my websites and computers. I'm a backup freak and use many forms of media for my backups. At any rate, here's what I do to help protect the ACP.

I learned a long time ago that the ACP emulated right from the ADM folder in your FTP directory for a phpBB install. When I found this out I was like, "ah ha!" I knew I could add an .htaccess file in that ADM folder and deny all entry to the ACP except for me with my home IP address. So what you do is create an .htaccess file in the ADM folder and in this .htaccess file add the following code replacing the with your home's external WAN IP address. There are many places to obtain your current external WAN home IP address, but I just use this site.

Code: Select all

Order Deny,Allow
Deny from all
Allow from

As you can see, everyone is blocked from even trying to gain access to the ACP except your IP address. This htaccess code will work in the Apache and Litespeed SAPIs (Server Application Programing Interface). NGINX and Windows IIS (Internet Information Services) would be different I suppose, but it probably could be done.

Tidbit: Any file placed in the public_html space in your FTP directory beginning with .ht will be loaded first. Just like .htaccess or the .htninja file for the free and paid for WAF (Web Application Firewall) script called NinjaFirewall. (No, NinjaFirewall does not prevent SPAM). Why this tidbit is important I don't know. :lol: I just thought it was interesting. Perhaps it has a use for something.

PS: If you find out one day that you get a 403 trying to reach your ACP, you'll know your external IP has changed and you'll need to update your .htaccess file in the ADM folder.

PPS: This method could be used in the root .htaccess file for the whole website in case you run a test domain of phpBB like I do. This way ALL stay out including Google, et al and only you can get access to your test domain. I use my test domain to test new extensions and new phpBB releases, etc. I don't bother with subdomains as I've read that a subdomain can rat out your origin IP if you hide behind a reverse proxy like CloudFlare. How this is done I'm not sure, but a quick read up on it is what I learned. I need to do more research on that.

Other stuff:

Little bit of interesting information. You can add an HTML password what ever they call it now, but that just opens the door for brute forcing. I read how to bypass it entirely without brute forcing, but through my experiments with this hack I was unsuccessful and I'm thinking that's do to SAPI patches over time to prevent this hack/exploit.

Long before this was patched (I'm assuming it was patched), you could bypass an HTML password mechanism simply by crafting a different POST method. So you may have heard of the popular POST, GET and HEAD, etc requests. To bypass an HTML password login box you'd just create a request like LOL or OKAY or FUN. What ever you wanted and that would be enough for you to bypass the password box. But again, in my testing this does not work anymore.

Now you could brute force it and I know of a program that probably could do it, but a good WAF or maybe even a layer 7 anti DDoS mechanism will stop it. This is because you'll have to send hundreds if not thousands of username and password combinations a second primarily with gigabytes worth of wordlists. It's just not feasible and the program that I know of that does this was very slow so it would be next to impossible unless the username and password combination were grossly very easy to guess. I'm talking about a username like admin and a password like 1234. I'm sure absent of the brute force method I know of there are other tricks that can bypass this type of password mechanism. That's why I'd rather roll the IP lockout approach. No complicated username or password to remember. And if it is complicated you don't have to pull out your password vault. You do use a password vault? No? Your browser?! Better check out Keepass, use ChaCha20, Argon2 and a good number of iterations for the database. I would never, ever trust a browser for my passwords. Years ago I was right and there were at least one or two CVEs (Common Vulnerabilities and Exposures) for this. It's been fixed, but wait till the new CVE hits the tech news websites. Even Keepass isn't safe unless you use it right and keep your computer malware free.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
User avatar
Registered User
Posts: 18303
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: How to help protect the ACP (Admin. Control Panel)

Post by david63 »

That's fine if you are on a static IP address but as most users have a dynamic IP address they would need to be changing the .htaccess file almost every day.

Another issue would be id you were away from your base then you would be constantly changing the file.

If it works for you then fine but the way I see it, it is more trouble than it is worth.
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
Post Reply

Return to “phpBB Discussion”