Author Topic: Secure your oc-admin  (Read 7103 times)

Pigeon

  • Sr. Member
  • ****
  • Posts: 498
Re: Secure your oc-admin
« Reply #15 on: April 04, 2014, 01:30:14 pm »
Guys, tell me the easiest method to secure. I am the only admin for my site. I don't have a dynamic IP.

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method. That will allow you to require a directory password at server level (so two passwords for entering the admin) and also block or whitelist some IPs (only your IP could connect to it). Be careful with the last option (IP block/allow), since due to the shortage of IPv4, some ISPs will assign the same "public IP" to several of their customers.

Thanks
My friend, is it possible not to edit (.htaccess) for the password, and instead in cPanel, right-click on the (oc-admin) folder and set a password for it?
You don't want to answer?

serjuc11111

  • Hero Member
  • *****
  • Posts: 814
Re: Secure your oc-admin
« Reply #16 on: April 04, 2014, 03:14:58 pm »
Hi! Secure your oc-admin folder with an additional password; cPanel helps you to do this!
I don't suggest you modify the oc-admin folder name.
instructions here:
http://www.youtube.com/watch?v=51FFX_TF5yQ

cheers!

a_smith

  • Newbie
  • *
  • Posts: 3
Re: Secure your oc-admin
« Reply #17 on: April 06, 2019, 03:09:17 am »
Go to oc-includes/osclass/helpers/hDefines.php
Change the following code
Line 61
Code:
        $path .= "oc-admin/";
to
Code:
        $path .= "ANYTHING/";
And line 81
Code:
        return(osc_base_path() . "oc-admin/");
to
Code:
        return(osc_base_path() . "ANYTHING/");
And change the oc-admin folder name to ANYTHING

All three ANYTHING should be the same.

Then log in to admin at http://domain.tld/ANYTHING

Nobody will know what ANYTHING is except you, and every URL will be correct. Nothing more needs to be changed.

Yes, I know it's an old thread, but I didn't find any newer or working ideas on how to secure/change the oc-admin slug and the folder name. Anyone?

The method of changing the oc-admin name in helpers/hDefines.php works only for the admin login page and then for browsing through the admin panel.
Then it causes a lot of issues with installing and setting up plugins, because most of the newer or more complex plugins have the 'oc-admin/' path hardcoded.
« Last Edit: April 06, 2019, 03:11:10 am by a_smith »
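
An added example, not part of any post in this thread: a Python scan that lists plugin lines naming the `oc-admin/` folder literally, which are the hardcoded links reported above as breaking after a rename. The file name `menu.php`, the `clean` plugin and the helper-based variant are constructed for illustration; `osc_admin_base_url()` is the Osclass admin URL helper defined in hDefines.php.

```python
import tempfile
from pathlib import Path

NEEDLE = "oc-admin/"  # literal folder name that breaks after a rename

# Plugin line quoted in the thread (link text shortened).
SAMPLE_HARDCODED = (
    "<?php\n"
    "$text .= '<li><a href=\"' . osc_base_url() . "
    "'oc-admin/index.php?page=plugins&action=renderplugin"
    "&file=invoice/admin/configure.php\">Configure</a></li>';\n"
)
# Constructed: the same link built from the admin URL helper instead.
SAMPLE_HELPER = (
    "<?php\n"
    "$text .= '<li><a href=\"' . osc_admin_base_url(true) . "
    "'?page=plugins&action=renderplugin"
    "&file=invoice/admin/configure.php\">Configure</a></li>';\n"
)

def scan_source(text):
    """Return (line_number, line) for each code line naming the admin folder."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Comment lines cannot emit a broken link, so skip them.
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        if NEEDLE in stripped:
            hits.append((n, stripped))
    return hits

def scan_plugins(plugins_dir):
    """Map each plugin file (relative path) to its hardcoded-path hits."""
    root, report = Path(plugins_dir), {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_source(php.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[php.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a throwaway plugins tree built from the two samples."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, src in (("invoice", SAMPLE_HARDCODED), ("clean", SAMPLE_HELPER)):
            folder = Path(tmp, name, "admin")
            folder.mkdir(parents=True)
            (folder / "menu.php").write_text(src, encoding="utf-8")
        return scan_plugins(tmp)
```

Pointing `scan_plugins()` at the site's `oc-content/plugins` directory before renaming the folder shows which plugin links need to be switched to the helper first.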

fog

  • Hero Member
  • *****
  • Posts: 1062
Re: Secure your oc-admin
« Reply #18 on: April 06, 2019, 05:46:38 am »
Directly using a path to "oc-admin" in a plugin is bad practice. Nobody does this, or that person doesn't have any notion of what they are doing, or with that bad practice it can be easier to do, so it can just be laziness. So, using a helper to connect to the current admin folder is the correct thing to do (variables do that, or it makes no sense to use them). You said the newer or more complex plugins have the 'oc-admin/' path hardcoded (so it seems you are saying these plugins have a direct path to oc-admin). In which plugins did you see that direct path? It's easy to say something generic, but with no names to reference, it can be complicated for anyone with that issue to guess which plugins you have not referred to yet. Indeed, if you know about that issue in some plugins, you can change that "traditional" path to the correct helper in your current plugins. The oc-admin folder is fine; there is no need to change it just because anyone can access the page. "They" will not access anything without a correct admin name and password anyway. Do not worry about that, it is totally safe.

a_smith

  • Newbie
  • *
  • Posts: 3
Re: Secure your oc-admin
« Reply #19 on: April 07, 2019, 01:18:13 am »
@fog:
No, my knowledge is not generic.
I use several plugins from osclass_point and they do it to link various plugin setup sub-screens (like tabs)
Code:
$text .= '<li><a href="' . osc_base_url() . 'oc-admin/index.php?page=plugins&action=renderplugin&file=invoice/admin/configure.php"><i class="fa fa-wrench"></i><span>' . __('Configure', 'invoice') . '</span></a></li>';
"They" will not access anything without a correct admin name and password anyway. Do not worry about that, it is totally safe.
Let me disagree. Exposing the admin login page to ANYONE to do whatever they want to do there is a stupid idea. I.e. brute-force is not 'totally safe'.

Also, showing everyone what script you are using gives the attacker a chance to use an attack method specific to your script.

But of course you may have another point of view on how to bulletproof your resources.
« Last Edit: April 07, 2019, 01:46:25 am by a_smith »

dev101

  • Osclass Hero
  • Hero Member
  • *
  • Posts: 2155
  • osclass.work
Re: Secure your oc-admin
« Reply #20 on: April 07, 2019, 12:47:55 pm »
Quote
$text .= '<li><a href="' . osc_base_url() . 'oc-admin/index.php?page=plugins&action=renderplugin&file=invoice/admin/configure.php"><i class="fa fa-wrench"></i><span>' . __('Configure', 'invoice') . '</span></a></li>';

Is this a plugin settings page in the Admin menu? Then, no one except logged-in admin(s) can see it.
But it is unusual to form a link this way (hard-coding paths is bad practice).
Also, all plugin settings pages (should) have a direct access protection, even if someone finds out direct link, it will be useless anyway.
« Last Edit: April 07, 2019, 12:55:04 pm by dev101 »

fog

  • Hero Member
  • *****
  • Posts: 1062
Re: Secure your oc-admin
« Reply #21 on: April 08, 2019, 06:11:58 am »
Quote
@fog:
No, my knowledge is not generic.
I use several plugins from osclass_point and they do it to link various plugin setup sub-screens (like tabs)
Code:
$text .= '<li><a href="' . osc_base_url() . 'oc-admin/index.php?page=plugins&action=renderplugin&file=invoice/admin/configure.php"><i class="fa fa-wrench"></i><span>' . __('Configure', 'invoice') . '</span></a></li>';
"They" will not access anything without a correct admin name and password anyway. Do not worry about that, it is totally safe.
Let me disagree. Exposing the admin login page to ANYONE to do whatever they want to do there is a stupid idea. I.e. brute-force is not 'totally safe'.

Also, showing everyone what script you are using gives the attacker a chance to use an attack method specific to your script.

But of course you may have another point of view on how to bulletproof your resources.

My point of view is like yours or anyone's. And it is not a stupid idea, or does WordPress have the same stupid idea with the wp-admin folder?

This is the only method known to rename oc-admin folder: here

I tested it before with an old Osclass version and I did not see any issue for at least a year. But you decide what is better for you. With time you will see you don't need to use it anymore. Currently, I think there is no need to rename any folder. So I haven't used it for 3 years or more.