How To Prevent Access Of Admin Pages By Knowing The Admin Page Url?

April 21, 2024 Post a Comment

If someone knows my url of the admin page such as www.example.com/admin.php, then they will easily access the page by directly accesing that url. How to restrict this. Please help

Solution 1:

You should never make the admin section public. You can't rely on obscurity for this, authorisation is the way to go. You can do this by using .htacces, as described here, or by relying on PHP. A crude example follows below.

Below is a simple login implementation. If the password is correct it will allow the user to go to admin.php. You should read the PHP manual on sessions though, because the session header should be present on every page behind the login page. The password handling could be handled more secure as well.

<?php
  session_name('MyAdminSession');
  session_start();

  if (isset($_POST['userid']) && isset($_POST['password'])) {
    $userid = $_POST['userid'];
    $password = md5($_POST['password']);

    if ($userid == 'myusername' && $password == md5('mypassword')) {
      $_SESSION['logged_in'] = true;
      header('location: admin.php');
      exit;
    }
  }
?><!DOCTYPE htmlPUBLIC"-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><htmlxmlns="http://www.w3.org/1999/xhtml"xml:lang="nl"><head><metahttp-equiv="content-type"content="text/html; charset=utf-8" /><title>My login page</title></head><body><formaction="index.php"method="post"><labelfor="userid">Username: </label><br /><inputname="userid"type="text"id="userid" /><br /><labelfor="password">Password: </label><br /><inputname="password"type="password"id="password" /><br /><p><inputtype="submit"name="submit"class="button"value="Log In" /></p></form></body></html>

Solution 2:

Require Authentication. (and Authorization - as commented below !)

10x @Just Somebody !

Solution 3:

if you use apache web server you can restrict access using .htaccess p.s. Take a look here: htaccess tutorial

Solution 4:

I will try to put a few of these answers together for you, depending on how your website is setup.

If it is a simpler website and you don't do any user handling or admin authentication, your main option is to do as igorp said and restrict based on the .htaccess file. You will get a popup asking for a predefined username and password, and only then will you have access to that particular page.

Again, this is good for a simpler website.

If it is more complex and you allow user logins to your site, you can setup access rights to various pages, based on the users access level.

For instance, in your administrative page(s), you would check the user's access level to see if he/she should be allowed to access the page. If he doesn't, redirect to an access denied type page. Otherwise, let them in.

With both of these methods, a user can browse directly to your administration pages and be required to go through some sort of validation. Either way, your admin pages will be protected.

Solution 5:

You can block all IP to go in admin panel except your admins IPs Write something like this:

order allow,deny
deny from all
allow from {your IP}
allow from {your other admin's IP}

This should be work

Html5 Learning