For the default admin panel link, it should be different for every forum instead of one link. 90% of forums do not change their admin link. So on the majority of MyBB sites you are able to go to domain.com/admin and see the admin page. In my opinion, a huge security risk. What if the system automatically generated numbers and letters for each individual install of the software? Then, no one would know which link the admin panel is actually located on for that specific install. It would increase security greatly.
Not knowing the URL of something is not security; sure, it will delay them finding what the URL is, but they will still find it. If your security depends on someone not finding the URL, then you're screwed.
IMHO it shouldn't matter if the link is the same on all forums, the system should be secure enough in other ways that it doesn't matter what the link is or even if it's published widely on the internet.
Granted. But we should not assume that everyone will secure their forums. I didn't imply that it would stop any hack happening to a website; it would simply be a barrier for them.
It's not up to administrators to secure that aspect of their forums; that's up to us as MyBB developers. An administrator should not be worrying about someone finding their admin login page, as it should be secure in its own right.
Yes, but what if the hacker has another barrier to pass before he can even find the login page?
Going on that basis, why offer them the ability to change their link to the admin panel in the first place?
If an admin really wants to keep someone out, they could also use .htpasswd on the admin directory.
(2015-05-26, 09:33 AM) dragonexpert Wrote: If an admin really wants to keep someone out, they could also use .htpasswd on the admin directory.
They could use that in conjunction with having a completely random ACP link.
I see a much bigger risk when the ACP directory is writable by the webserver user, or even worse, how it would probably end up in most cases... chmod 777
So what - a brute-force attack on an admin account can be blocked by a firewall - no software solution required, and blocking the attacker before the attack reaches MyBB increases security a lot more than a random ACP directory...
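As an added illustration of the firewall-side blocking argued for in the last post (example code, not from MyBB or any poster): a small Python script scans constructed web-server access-log lines for repeated POSTs to the admin login path from one address inside a time window and renders the drop rules a firewall would apply. The combined-log format, the /admin/index.php login path, the thresholds and the iptables rule syntax are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2015:09:30:01 +0000] "POST /admin/index.php HTTP/1.1" 200 512
203.0.113.7 - - [26/May/2015:09:30:02 +0000] "POST /admin/index.php HTTP/1.1" 200 512
203.0.113.7 - - [26/May/2015:09:30:03 +0000] "POST /admin/index.php HTTP/1.1" 200 512
203.0.113.7 - - [26/May/2015:09:30:04 +0000] "POST /admin/index.php HTTP/1.1" 200 512
203.0.113.7 - - [26/May/2015:09:30:05 +0000] "POST /admin/index.php HTTP/1.1" 200 512
198.51.100.9 - - [26/May/2015:09:31:00 +0000] "POST /admin/index.php HTTP/1.1" 302 0
198.51.100.9 - - [26/May/2015:09:45:00 +0000] "GET /admin/index.php HTTP/1.1" 200 4096
192.0.2.4 - - [26/May/2015:09:32:00 +0000] "POST /admin/index.php HTTP/1.1" 200 512
192.0.2.4 - - [26/May/2015:09:40:00 +0000] "POST /admin/index.php HTTP/1.1" 200 512
192.0.2.4 - - [26/May/2015:09:48:00 +0000] "POST /admin/index.php HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ADMIN_LOGIN = "/admin/index.php"  # assumed login path (default MyBB ACP location)

def find_bruteforcers(log_text, threshold=5, window_s=60):
    """Return {ip: time_threshold_was_hit} for addresses that POST to the login
    path `threshold` or more times within any `window_s`-second sliding window.
    Only POSTs count: the login form submits by POST, page views do not."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != ADMIN_LOGIN:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        # Drop attempts that fell out of the window; a slow trickle never trips it.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def block_rules(flagged):
    """Render firewall drop rules (iptables syntax, assumed) for flagged addresses."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    for rule in block_rules(find_bruteforcers(SAMPLE_LOG)):
        print(rule)
```

With the defaults only 203.0.113.7 is flagged; the address spacing its attempts eight minutes apart stays below the window unless the window is widened.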