The (generically titled) “system” directory of your website or web application should hold every script needed for system administration, and nothing else: keep it completely separated from all other files. To get the most security out of this separation, here are some important guidelines:
System directory name
- do not name the “system” directory “system”, “admin”, “root” or anything equally guessable. Choose an unusual, cryptic name and keep it in a single global variable (or constant) in your code, so that the default directory can be renamed, or moved deeper into the file system, simply by changing that one hard-coded value (including the relative path, if you moved it). Treat this as one extra layer only: a secret name raises the cost of finding the interface, it does not replace authentication. If you are building a system that gets deployed by others, teach the (future) admin to rename the directory before going live.
- URL rewriting to reach the “system” directory is fine, but only on top of the renaming described above, never instead of it.
- the “system” directory name must not be revealed to any visitor or registered user; only system administrators get a link to the admin interface living in that directory.
- scripts running in the “system” directory (say, example.com/system_dir_name/some_settings.php) should display no direct outbound links (to other websites). The reason: when the admin follows such a link, the browser sends the HTTP Referer header, containing the admin page's URL, to the other site, which gives away the secret directory name. As a safety net, have the admin pages send a Referrer-Policy: no-referrer response header, which tells modern browsers to omit the Referer altogether; don't rely on it alone, though, because old clients and some proxies ignore it.
System directory access
- although access will, of course, only be granted to authenticated users with system admin clearance, also put Apache's own password protection (HTTP Basic auth backed by an htpasswd file) on the “system” directory, with credentials different from the application login. Basic auth sends the credentials with every request, so it only counts as a layer when the admin interface is served over HTTPS.
- forbid web access to every subdirectory and file that doesn't need to be reached from the web; make everything read-only and readable only by its owner, which should be the account the web server runs as (chmod 500 on directories, 400 on regular files; see securing your web server). Installation needs write access, because that is when the database access credentials get written here, so do this after the system has been installed, and then make the “system” directory itself read-only too.
- do not allow directory indexes (Options -Indexes in Apache).
- optionally, add IP-based access control as an extra check: maintain a list of accepted IP addresses and only allow access from those. If the server sits behind a reverse proxy, make sure the check uses the real client address and not a forwarded header the client can set.
- directory indexes must also be disallowed in every directory above this level, otherwise a listing of the parent reveals the name you went to such trouble to hide.
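Putting the access rules above, together with the Referer safeguard from the previous section, into Apache configuration, as an added example that is not part of the original post. It assumes Apache httpd 2.4 with mod_authn_file, mod_authz_core, mod_headers and mod_alias loaded; the paths (document root /var/www/example.com/public, the renamed admin directory x7q2_ctl with lib/ and config/ subdirectories that only PHP includes), the credential file location and the IP addresses are all made up for the example.

```apache
# Added example, not from the original post. Assumed layout:
#   /var/www/example.com/public          document root
#   /var/www/example.com/public/x7q2_ctl the renamed "system" directory
#   /etc/httpd/admin.htpasswd            Basic auth credentials (outside the web tree)

# 1. No directory listings anywhere under the document root, so the admin
#    directory's name cannot be read off a parent index.
<Directory /var/www/example.com/public>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# 2. The admin directory itself: Apache password (separate from the app login)
#    AND an IP allow list; RequireAll means both checks must pass.
<Directory /var/www/example.com/public/x7q2_ctl>
    Options -Indexes
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/httpd/admin.htpasswd
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24 198.51.100.7
    </RequireAll>
    # Tell browsers not to send the admin URL in the Referer header if an
    # outbound link slips into an admin page (needs mod_headers).
    Header always set Referrer-Policy "no-referrer"
</Directory>

# 3. Sub-trees that are only ever read by PHP includes: not reachable over HTTP.
<Directory /var/www/example.com/public/x7q2_ctl/lib>
    Require all denied
</Directory>
<Directory /var/www/example.com/public/x7q2_ctl/config>
    Require all denied
</Directory>

# 4. Basic auth credentials travel with every request, so plain HTTP is
#    redirected to HTTPS (the TLS virtual host itself is not shown here).
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
```

Create the credential file with `htpasswd -B -c /etc/httpd/admin.htpasswd someadmin` (the -B flag stores a bcrypt hash), and, once installation has written the database credentials, apply the permissions from the list with `find /var/www/example.com/public/x7q2_ctl -type d -exec chmod 500 {} +` followed by `find /var/www/example.com/public/x7q2_ctl -type f -exec chmod 400 {} +`, with everything owned by the web server account. On shared hosting where you can only edit .htaccess files, the contents of the x7q2_ctl Directory block go into a .htaccess inside that directory instead, provided the host's AllowOverride permits AuthConfig, Limit, Options and FileInfo.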
Let’s see: under normal conditions (i.e., a hacker hasn’t already planted a script on your server that gives them full access to your file system), in order to reach your website’s system administration interface, an attacker would need to:
- find out the name (the location, actually, if you moved it deeper into the file system) of your system directory, which may or may not sit in the root directory, on a server that does not display directory indexes. They need it in order to form the URL of your admin interface.
- break the Apache directory password mechanism
- break your user authentication mechanism
- and, if you use the IP white list, find out which addresses are on it and then get onto one of them; simply spoofing the source address does not give them a usable HTTP session over TCP, so they would have to compromise a whitelisted host, or abuse a forwarded-address header that the server wrongly trusts.
Pretty secure, I’d say.