There are more than a few ways to secure an AdminCP but here are just a few.

First off, removing the AdminCP link in the forum and renaming the /admin directory is a very good idea. This way if an intruder gets access to an admin account, they would still have to find the directory.

To do so, first go to

From here, scroll down to Brute-force Account Lock and click yes on Remove the ACP Link from the Community.

Now to rename your admin directory, do the following:

Step 1: First, you'll need to physically rename the directory. Connect to your server via FTP and then browse to your IP.Board directory (this is the one that has your index.php file in it). Locate the 'admin' directory. Choose 'rename' from your FTP client menu and rename it. For the purposes of this tutorial, we'll rename it 'admin_secret'.

Step 2: Locate the 'initdata.php' file. This is in your root IP.Board folder. Download it and open it in a text editor. Near the top of this file, you'll see:

Code:

    //--------------------------------------------------------------------------
    // USER CONFIGURABLE ELEMENTS: PATHS & FOLDER NAMES
    //--------------------------------------------------------------------------

    /**
     * CP_DIRECTORY
     *
     * The name of the CP directory
     * @since 2.0.0.2005-01-01
     */
    define( 'CP_DIRECTORY', 'admin' );

Change the line:

    define( 'CP_DIRECTORY', 'admin' );

to

    define( 'CP_DIRECTORY', 'admin_secret' );

Your ACP directory has now been renamed.

Another step you can take to secure your AdminCP is adding a .htaccess authentication user and pass that pops up when someone tries to go to the admin URL. To do so, first go to:

You will be at the Security Center. From here, find the IP.Board ACP .htaccess Protection and click Learn More. From there, you will see a list of directions to do so.

One more thing that is very helpful and effective is making a user go through an IP check before allowing access to the admin panel.
To do so, add this code before the rest of the code found in /admin/index.php

Code:

    <?php
    // IP addresses that are allowed to reach the ACP
    $allow = array("Admin-IP", "Another-Admin-IP");

    // Only REMOTE_ADDR is checked: X-Forwarded-For is sent by the client and can be forged
    if (!in_array($_SERVER['REMOTE_ADDR'], $allow, true)) {
        header("Location: http://domain.ext/");
        exit();
    }
    ?>

To make this code work, replace Admin-IP and Another-Admin-IP with your IP address and another admin's IP address. If you have more than 2 admins or use more than one IP, just add more as needed, each followed by a comma. This is not recommended for people whose IP changes because it could cause some annoyance.

Basically, if someone without one of the IP addresses listed tries to access the admin directory, they will be redirected to the URL entered in

Code:

    header("Location: http://domain.ext/")

To change the redirected page unauthorized users will see, just change domain.ext/ to whatever URL you want them to see.

These are just a few steps to securing your AdminCP, and if you have any questions please reply below :smile:
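An IP check of the kind described in the post above, written out as an added example (not the poster's code and not part of IP.Board): it decides on REMOTE_ADDR and reads X-Forwarded-For only when the connection comes from a reverse proxy you list yourself, because that header is supplied by the client. The function names, the proxy list and all addresses are assumptions made for the illustration, and it needs PHP 7 or later.

```php
<?php
// Added example. Function names are hypothetical; all addresses are constructed.

// Return the address to test against the allow-list, or '' to fail closed.
// $trustedProxies lists reverse proxies you operate yourself (assumption).
function acp_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Direct connection: any X-Forwarded-For header was written by the client.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    // Behind our own proxy: read the header right to left and take the first
    // hop that is not one of our proxies. Entries further left are untrusted.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return '';   // missing or malformed header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return '';           // every hop was a proxy: no client address to check
}

function acp_ip_allowed(array $server, array $allow, array $trustedProxies = array()): bool
{
    $ip = acp_client_ip($server, $trustedProxies);
    return $ip !== '' && in_array($ip, $allow, true);
}

// Constructed requests: one admin address, one reverse proxy.
$allow   = array('203.0.113.10');
$proxies = array('198.51.100.5');
$cases = array(
    'admin, direct'               => array('REMOTE_ADDR' => '203.0.113.10'),
    'other host, header set'      => array('REMOTE_ADDR' => '192.0.2.77',
                                           'HTTP_X_FORWARDED_FOR' => '203.0.113.10'),
    'admin via proxy'             => array('REMOTE_ADDR' => '198.51.100.5',
                                           'HTTP_X_FORWARDED_FOR' => '203.0.113.10'),
    'other host via proxy'        => array('REMOTE_ADDR' => '198.51.100.5',
                                           'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 192.0.2.77'),
);
foreach ($cases as $label => $server) {
    printf("%-26s %s\n", $label, acp_ip_allowed($server, $allow, $proxies) ? 'allow' : 'redirect');
}
```

In /admin/index.php the same call would take $_SERVER as its first argument, followed by the redirect and exit() from the post when it returns false.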
You might want to add the instructions for renaming the /admin directory, as those seem to be AWOL.

Another means to protect a directory is via .htaccess in that directory.

Code:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic
    # Not wrapped in <LIMIT GET>: that would leave POST and other methods unrestricted
    order deny,allow
    deny from all
    allow from XXX.XXX.XXX.XXX

As mentioned above, if you end up with a different IP address, the address would have to be edited in the .htaccess file. But this method will save having to remember to edit a core file in your forum package, with each update.