I learned a long time ago that the ACP emulated right from the ADM folder in your FTP directory for a phpBB install. When I found this out I was like, "ah ha!" I knew I could add an .htaccess file in that ADM folder and deny all entry to the ACP except for me with my home IP address. So what you do is create an .htaccess file in the ADM folder and in this .htaccess file add the following code, replacing the xxx.xxx.xxx.xxx with your home's external WAN IP address. There are many places to obtain your current external WAN home IP address, but I just use this site.
Code:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
As you can see, everyone is blocked from even trying to gain access to the ACP except your IP address. This htaccess code will work in the Apache and Litespeed SAPIs (Server Application Programming Interface). NGINX and Windows IIS (Internet Information Services) would be different I suppose, but it probably could be done.
Tidbit: Any file placed in the public_html space in your FTP directory beginning with .ht will be loaded first. Just like .htaccess or the .htninja file for the free and paid-for WAF (Web Application Firewall) script called NinjaFirewall. (No, NinjaFirewall does not prevent SPAM.) Why this tidbit is important I don't know. I just thought it was interesting. Perhaps it has a use for something.
PS: If you find out one day that you get a 403 trying to reach your ACP, you'll know your external IP has changed and you'll need to update your .htaccess file in the ADM folder.
PPS: This method could be used in the root .htaccess file for the whole website in case you run a test domain of phpBB like I do. This way ALL stay out, including Google et al., and only you can get access to your test domain. I use my test domain to test new extensions and new phpBB releases, etc. I don't bother with subdomains as I've read that a subdomain can rat out your origin IP if you hide behind a reverse proxy like CloudFlare. How this is done I'm not sure, but a quick read-up on it is what I learned. I need to do more research on that.
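Since the allow-list above has to be rewritten every time the home WAN address changes (the 403 case in the PS) and the same file can sit at the web root for the whole-site variant in the PPS, here is a small POSIX shell script that does that job. It is an added example, not code from the original post or from phpBB: the ADM path, the scratch directory and the address 203.0.113.5 are placeholders, and the validator only knows IPv4. It can emit either the Order/Deny/Allow form quoted in the post (Apache 2.2 syntax, which Apache 2.4 only honours with mod_access_compat loaded) or the native Apache 2.4 `Require ip` form, which additionally accepts CIDR ranges such as 203.0.113.0/24.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the one-address
# allow-list for the phpBB ADM folder described above. The directory and the
# address 203.0.113.5 used in the demo are placeholders (assumptions).

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# Rejects anything containing spaces or other characters, so a malformed value
# can never end up inside the .htaccess file.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    _saved_ifs="$IFS"
    IFS=.
    set -- $1
    IFS="$_saved_ifs"
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] || return 1
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# render_htaccess MODE ADDR: print the directives to stdout.
# MODE 22 = the Order/Deny/Allow form from the post (Apache 2.2; on Apache 2.4
#           it only works when mod_access_compat is loaded).
# MODE 24 = the native Apache 2.4 form; also accepts CIDR, e.g. 203.0.113.0/24.
render_htaccess() {
    case "$1" in
        22) printf 'Order Deny,Allow\nDeny from all\nAllow from %s\n' "$2" ;;
        24) printf 'Require ip %s\n' "$2" ;;
        *)  echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# write_htaccess MODE ADDR DIR: validate ADDR, then (re)write DIR/.htaccess.
# Re-run it whenever the external address changes; point DIR at the web root
# instead of the ADM folder to lock the whole test site as in the PPS.
write_htaccess() {
    valid_ipv4 "$2" || { echo "refusing to write: '$2' is not an IPv4 address" >&2; return 1; }
    mkdir -p "$3" || return 1
    render_htaccess "$1" "$2" > "$3/.htaccess"
}

# Demo with a constructed address and a scratch directory (assumed paths).
demo_dir="${TMPDIR:-/tmp}/phpbb-adm-demo"
write_htaccess 24 203.0.113.5 "$demo_dir" && cat "$demo_dir/.htaccess"
```

In practice you would replace the constant in the demo line with your current WAN address and point the directory at the real ADM folder; the validation step is what keeps a mistyped or pasted value from breaking the file and locking everyone out, including you.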
Little bit of interesting information. You can add an HTML password, whatever they call it now, but that just opens the door for brute forcing. I read how to bypass it entirely without brute forcing, but through my experiments with this hack I was unsuccessful and I'm thinking that's due to SAPI patches over time to prevent this hack/exploit.
Long before this was patched (I'm assuming it was patched), you could bypass an HTML password mechanism simply by crafting a different POST method. So you may have heard of the popular POST, GET and HEAD, etc. requests. To bypass an HTML password login box you'd just create a request like LOL or OKAY or FUN. Whatever you wanted, and that would be enough for you to bypass the password box. But again, in my testing this does not work anymore.
Now you could brute force it and I know of a program that probably could do it, but a good WAF or maybe even a layer 7 anti-DDoS mechanism will stop it. This is because you'll have to send hundreds if not thousands of username and password combinations a second, primarily with gigabytes' worth of wordlists. It's just not feasible, and the program that I know of that does this was very slow, so it would be next to impossible unless the username and password combination were grossly easy to guess. I'm talking about a username like admin and a password like 1234. I'm sure, absent the brute force method I know of, there are other tricks that can bypass this type of password mechanism. That's why I'd rather roll the IP lockout approach. No complicated username or password to remember. And if it is complicated you don't have to pull out your password vault. You do use a password vault? No? Your browser?! Better check out KeePass; use ChaCha20, Argon2 and a good number of iterations for the database. I would never, ever trust a browser for my passwords. Years ago I was right and there were at least one or two CVEs (Common Vulnerabilities and Exposures) for this. It's been fixed, but wait till the new CVE hits the tech news websites. Even KeePass isn't safe unless you use it right and keep your computer malware-free.