X3 Photo Gallery Support Forums

dollknoll
Topic Author
Posts: 11
Joined: 04 Jul 2011, 07:07

X3 Security Settings

10 Aug 2015, 08:52

As a longtime x2 user, I recently installed the beta of X3.
My impressions are great - I like it.

What about further security settings?
Example: For WordPress and Joomla it's recommended that the admin folder is provided with directory protection.
What do you think about a directory protection for the panel directory?
Better proposals?

You can find my beta-page here:
http://zumtesten.peterrees.de.
 
mjau-mjau
X3 Wizard
Posts: 13998
Joined: 30 Sep 2006, 03:37

Re: X3 Security Settings

10 Aug 2015, 13:03

In general you are quite safe with the X3 panel. It is simply not possible to execute any admin scripts without hacking the login.

The reason WordPress and Joomla are so exposed is because 1) All hackers know the login endpoints of WP and Joomla. 2) They can send armies of dumb bots to "hammer" on the login page script, which is a "known" URL. 3) One small flaw in a 3rd party plugin, and your admin can be exposed.

With X3, none of the above apply. In addition to this, we have added JavaScript-only login ... The interesting thing about this simple "fix" is that it actually deters 99% of hack attacks, because most bots simply can't handle JavaScript and just try computerized posts to login URLs. I have personally dealt with hacked WordPress websites, and it was very frustrating ... I installed some monitoring tools, and it turns out the internet is a volatile ocean of "bad robots" consistently trying to "hammer" on various wp-login URLs.

Although X3 is relatively well protected, you can never be paranoid enough when it comes to security.

.htaccess IP protect
My personal favorite is to simply block all access to your "panel" or "admin" by whitelisting a single IP, or a range. This is super-efficient, and will simply block all requests to anything inside /panel/ unless they come from a designated IP or IP range. This is only beneficial if there is a single admin user, editing from the same IP range and/or location ... which is often the case for a website like X3. By FTP, create a new file ".htaccess" in your /panel/ folder, and add the following:
Code
# ADMIN PROTECT, IP only
# mod_rewrite must be switched on in this .htaccess; it is not inherited
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)panel
# Requests that do NOT come from the allowed IP range (change this to yours)
RewriteCond %{REMOTE_ADDR} !^10\.0\.1\.[0-9]+
# ... get a 403 Forbidden before the login page is ever served
RewriteRule .* - [F,NS]
Change the IP pattern to your IP range. For example, if your IP is 207.18.19.207, the code on line 2 should be:
Code
RewriteCond %{REMOTE_ADDR} !^207\.18\.19\.[0-9]+
In the above, all IPs 207.18.19.0 - 207.18.19.255 will be allowed access, while all other requests will get a "forbidden" page before even the login shows up. Normally, you will be on a range like that from your ISP, so it is sufficient. You could narrow it down to a single IP, but that seems unnecessary. It can of course be changed, but you will need to manage this file by FTP.

To find your IP, just go to google and search "my ip". *Keep in mind, if you are testing X3 on a server on your local network, the IP would be your network IP.

You can see this method used on our www.photo.gallery wordpress admin (which will soon be changed to X3). If you are not on the IP range defined by us, you will be redirected to the home page instead.
https://www.photo.gallery/wp-admin/

I think I will add this file as an example to the next panel. It's a good idea to have rock solid security.

Other than the above ...
1) Always make sure your panel password is not easy to guess.
2) Never keep old junk floating around on your server. Make sure you know what everything is, and delete junk you are not using.
3) Make sure no unwanted users have access to your FTP. This is kinda obvious, but must be stated.
4) Personally, I like to use Cloudflare in front of our server. It deters a certain amount of bad users/bots even before the request reaches your server. Read my post here.
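The /panel/ allowlist rule from the post above, as an added example that is not part of the original thread or of X3: a few Python helpers that emulate the RewriteCond chain, build the REMOTE_ADDR line from a CIDR, and check a pattern before you upload it, since the only way back in after a mistake is FTP. Assumptions: the generated pattern adds a trailing `$` anchor the post's version lacks, and all sample addresses are constructed.

```python
"""Added helpers for the /panel/ IP allowlist from the post: emulate the
RewriteCond chain, build the REMOTE_ADDR pattern from a CIDR, and check a
pattern before deploying it so a typo does not lock you out of the panel."""
import ipaddress
import re

URI_COND = re.compile(r"^(.*)panel")  # first RewriteCond in the post


def panel_decision(remote_addr: str, request_uri: str, ip_pattern: str) -> int:
    """Status the three-directive chain yields: 403 ([F]) or 200 (pass).
    ip_pattern is the regex after '!' in `RewriteCond %{REMOTE_ADDR} !...`;
    both RewriteCond lines must hold (they are ANDed) for the rule to fire.
    Caveat: behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address
    unless the real client IP is restored, so this rule then denies everyone."""
    uri_matches = URI_COND.match(request_uri) is not None
    addr_allowed = re.match(ip_pattern, remote_addr) is not None
    return 403 if uri_matches and not addr_allowed else 200


def remote_addr_condition(cidr: str) -> str:
    """Negated RewriteCond for an octet-aligned IPv4 network (/8 .. /32).
    Unlike the post's pattern it ends with '$' (an assumption added here):
    without it a /32 for x.y.z.20 would also admit x.y.z.200 to x.y.z.209."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only IPv4 /8, /16, /24 or /32 are supported")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    pattern = "^" + r"\.".join(fixed + ["[0-9]+"] * (4 - len(fixed))) + "$"
    return f"RewriteCond %{{REMOTE_ADDR}} !{pattern}"


def pattern_covers_network(ip_pattern: str, cidr: str) -> bool:
    """True if every host in cidr matches and constructed outsiders do not.
    Enumerates the network, so use it for /24 and longer, as in the post."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not all(re.match(ip_pattern, str(a)) for a in net):
        return False
    # Outsiders: the networks just below and above, plus an address whose last
    # fixed octet grew a digit (e.g. 207.18.190.1), which catches a pattern
    # that forgot the trailing '\.' or '$'.
    probes = [str(ipaddress.ip_address(int(net.network_address) - 1)),
              str(ipaddress.ip_address(int(net.broadcast_address) + 1))]
    octets, n = str(net.network_address).split("."), net.prefixlen // 8
    if n and int(octets[n - 1] + "0") <= 255:
        probes.append(".".join(octets[:n - 1] + [octets[n - 1] + "0"] + ["1"] * (4 - n)))
    return not any(re.match(ip_pattern, p) for p in probes)
```

Run `pattern_covers_network` against the exact regex you intend to paste into the RewriteCond line; it returns False for a pattern such as `^207\.18\.19` that silently also admits 207.18.190.x through 207.18.199.x.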
 
dollknoll
Topic Author
Posts: 11
Joined: 04 Jul 2011, 07:07

Re: X3 Security Settings

16 Aug 2015, 02:47

Thanks Karl,
you can never be paranoid enough when it comes to security.
Yes, you're absolutely right.
I've done all possible kinds of safety-related points.