View Full Version : SecureMe V1.0 - Secure Your Admin Panel

08 Aug 2008, 20:48
Hello guys,

It just came to my mind to make something to secure the ACP of my vBulletin. I'd like to share it with you guys too!

Basically what it does is just allow the IP's you provide to access the ACP. You can add as many IP's you need(For your staff)

Step 1) Create a file named .htaccess
Add this in the file..

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from YOUR HOME IP
# whitelist work IP address
allow from YOUR OFFICE IP
allow from YOUR OFFICE IP 2

Just replace the IP with YOUR HOME IP. Like wise you can add more

08 Aug 2008, 20:50
sounds good thanks

08 Aug 2008, 22:27
verry good idea! thanx

08 Aug 2008, 22:29
this is a great idea, but wht about the users who have aol or somtin where their ip changes whenever they sign on.

08 Aug 2008, 23:56
This is a good idea, but it's not for me or for those who often access their ACP from computers other than their own.

I had this implemented but I finally figured that the nuisance of not being able to access your ACP from anything but your own computer outweigh the extra protection this provides.

09 Aug 2008, 00:09
I wouldn't use this... There are easier ways to protect the admincp directory. I've known people to block their own IP's doing it this way.

1. Rename it, and change the variable in the config.php file.
2. Add user and password protection.
3. Add redirect if admincp is accessed directly (requires FTP to change - not recommended for users that access their admincp often.

Just a few ideas...

09 Aug 2008, 02:59
3. Add redirect if admincp is accessed directly (requires FTP to change - not recommended for users that access their admincp often.

Do you have instructions on how to do this?

09 Aug 2008, 13:10
Do you have instructions on how to do this?
That's fake security, and it's something you shouldn't rely on. A browser can easily fake a referer and thus it just becomes more of a nuisance. It can be faked so easily that if a hacker can get through whatever is next, said hacker will have no problem getting past this particular hurdle.

It'd be better to do it the other way around, if accessed through the main page (through a link that you should remove) show the 404 not found error page. Go with the Auth as shown above but add all known ranges for your provider if you have a changing IP, you'll still block a whole lot more and if it doesn't match, show the 404 error.

The 404 leads someone just probing to believe there's nothing there and thus move on.

If you really don't want to use the IP you can force an htaccess pop up on all sub-directories that don't exist, and then manually add an identical screen for the acp directory. Of course you don't want any broken referers on your site then since users would get a popup.

But in all seriousness, the regular vBulletin login with a user specific login, an htaccess with a singular login (and another username and password) and changing the directory to something with uppercase/lowercase/numbers/special characters will increase security to such a point where if they get passed it you really should be wondering if the server got compromised.

Most of this *should* make sense, but since I wrote it as I was thinking it it might be a bit messy :p

Sorry to hijack the thread :p

Marco van Herwaarden
09 Aug 2008, 14:07
Moved to Articles.

11 May 2009, 01:43
Someone should re-write for LightTPD

22 Jun 2009, 22:36
Oww Thanks