[Mod edit: split a related reply to a new thread: EE, Security, Protecting your Company and Client Personnel]
February 08, 2009 2:52am
#46 / Feb 14, 2009 6:01pm
[Mod edit: split a related reply to a new thread: EE, Security, Protecting your Company and Client Personnel]
#47 / Mar 15, 2009 9:10pm
Okay, let’s get paranoid…
- Always log into the CP via HTTPS... use .htaccess to enforce this.
I always use the admin.php file in the root directory of the domain and NEVER log in via the system directory. Using the admin.php file hides the name of the system directory from prying eyes. Drop the admin.php in the root directory and make good use of it.
Then…
Force admin.php login via https with a rewrite in the htaccess file.
RewriteEngine On
# Send any request for admin.php that did not arrive on the HTTPS port to the HTTPS URL
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^admin\.php$ https://www.yourdomain.com/admin.php [R=301,L]
Before setting up this .htaccess rule I tried to log in to my CP using https and got an error about an invalid certificate being registered to some other domain. I assume this is because I haven’t purchased a certificate and am on shared hosting.
My question is: is it still more secure to log in via https if you don’t have a certificate? I.e., is it really necessary to buy one?
#48 / Mar 15, 2009 9:21pm
From what has been explained to me, once the connection is made with HTTPS it’s secure. The warning is just there to state that the domain and the SSL certificate do not match.
Is this right? Or was I fed a line?
I was actually just discussing the issue that there is no website to get decent SSL information from. Like, if you need an SSL certificate that can support sub-domains (like mail, admin, etc.) you need to purchase a Wildcard SSL.
#49 / Mar 15, 2009 9:52pm
A cert just provides verification from a trusted source… like GeoTrust or Thawte. However… since you know who controls your domain… you don’t really need to purchase a cert to verify your own stuff. A verified cert is really only needed for others who don’t know you or your website.
So, yes, it is still a secure encrypted connection.
#50 / Mar 15, 2009 10:02pm
Thank you.
#51 / Mar 16, 2009 12:10am
When I try a simple substitution of https for http to reach my CP, I get this:
SSL received a record that exceeded the maximum permissible length.
Is this fixable on my part, or might it simply mean my (low-budget) hosting setup won’t support https?
#52 / Mar 16, 2009 12:18am
Are you using Firefox?
SSL_ERROR_RX_RECORD_TOO_LONG -12263 “SSL received a record that exceeded the maximum permissible length.”
This generally indicates that the remote peer system has a flawed implementation of SSL, and is violating the SSL specification
#53 / Dec 31, 2009 2:10pm
Todd, yeah, I can see the benefit. I’m just curious as to what it does more or differently than simply renaming the /system directory and providing the same kind of restricted access.
Coming in super late on this one. Never noticed the question until now. 😊
I try to go by the rule…
“Tracks can be followed. Don’t leave any.”
It’s a small thing for sure and EE is probably secure with either approach. However, every little bit helps and I have no drawbacks by not logging in with the actual url. In addition, I use plugins that create links in the cp that click directly through (not the protected way) to outside sites… I don’t want their stat trackers learning my system directory either.
#54 / Dec 31, 2009 2:26pm
Sounds neat. How do you do that?
#55 / Dec 31, 2009 3:31pm
One add-on adds a Google Analytics panel to the CP. It creates direct links to Google.
#56 / Mar 22, 2010 9:30am
Yes, I generally rename “system” to something impossible to guess, and use secure passwords. I also try to make sure my users do, disallowing the 500 (or so) worst passwords.
Here’s the list, ready to go; hope it’s of use to someone. It will save maybe 2 minutes.
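One way to implement the "disallow the worst passwords" check described above, as an added example that is not code from this thread or from ExpressionEngine. It assumes the list is one entry per line (the short list embedded here is constructed) and also catches the trivial variants (capitalisation, leet substitutions, appended digits) that a plain string comparison would let through:

```python
"""Check a candidate password against a worst-passwords blocklist, catching
the trivial variants (capitalisation, leet substitutions, appended digits
or punctuation) that a plain string comparison would let through."""

# Trailing characters people bolt onto a weak base word.
TAIL_CHARS = "0123456789!.?*#"

# Common single-character substitutions used to dodge blocklists.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t"})

# Constructed sample; a real deployment loads the full worst-500 list from a
# file, one entry per line.
WORST_PASSWORDS_TEXT = """
password
123456
12345678
qwerty
letmein
welcome
monkey
dragon
iloveyou
trustno1
"""


def load_blocklist(text: str) -> frozenset[str]:
    """One entry per line; blank lines and '#' comments ignored; lowercased."""
    return frozenset(line.strip().lower() for line in text.splitlines()
                     if line.strip() and not line.lstrip().startswith("#"))


def variants(password: str) -> set[str]:
    """All normalised forms of a password that are compared against the list."""
    base = password.strip().lower()
    # "Password2009" and "qwerty!" are still the same weak base word.
    stripped = base.rstrip(TAIL_CHARS)
    forms = {base, stripped, base.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    forms.discard("")
    return forms


def check_password(password: str, blocklist: frozenset[str], min_length: int = 8):
    """Return None when the password is acceptable, otherwise the reason."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    if not variants(password).isdisjoint(blocklist):
        return "matches a known-weak password or a trivial variant of one"
    return None


BLOCKLIST = load_blocklist(WORST_PASSWORDS_TEXT)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd2009", "Dr4g0n!!", "Qwerty", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, BLOCKLIST) or 'ok'}")
```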