Why should you protect your admin panel from hackers?
The admin panel can be a land of opportunities for a hacker. If a thief reaches your admin panel, he can then access your website’s database, backup files… Shortly speaking a hacker can do with your website as he pleases – insert malicious codes, steal confidential information or delete the website all together.
That’s why accessing the admin panel is a hacker’s holy grail.
Most website owners don’t realise how vulnerable admin panel can be.They can be hacked easily by:
- password crack
- password theft
- changing a user account to an admin account
- adding a new administrator directly into the website’s database
Password crack
The process of guessing\ breaking a password is called -” brute-force attack”. This is an automated process when in a matter of seconds thousands and thousands of various combinations are processed till the right one is found. There is a directory that contains an endless amount of passwords variations, and if, for example, the password to your admin panel is something along the line of “qweasdzxc” – the system will guess it in a few seconds. Brute-force attack is used to hack websites based on any of the popular CMS: WordPress, Joomla, Drupal and so on.
But there are ways to protect your website from a bruteforce attack. You can:
- limit access to the admin panel by IP addresses
- change the admin panel’s URL
- install a plugin that will limit the amount of attempts you can enter a wrong password
- create a really strong and complicated password that will consist of set of random letters and numbers.
Password theft
The second way to gain access to the admin panel is to steal the the password. There are a lot of variations of how to accomplish that:
- get the administrator’s login data through a vulnerability on the website
- infect the personal computer of the administrator with a trojan that will steal the password from the browser’s database.
- infect administrator’s personal computer with a keylogger trojan that will send every password back to the hacker.
You can protect your website from a password theft by:
- Installing an antivirus system and scanning the operational system for viruses frequently
- Avoid saving your passwords in your browser FTP client. Always think of the consequences of your actions
- update your CMS regularly and repair all of the vulnerabilities
Every administrator must know how to work safely with the website .
Knowledge is power, so don’t underestimate information about website protection.
User account to admin account promotion
Most modern content management systems allow you to create users with different levels of access: administrator, editor, moderator, guest etc. Some of those systems have vulnerabilities, especially in the outdated versions. Those vulnerabilities give an opportunity to gain an administrator’s access level and from there – the sky’s the limit .
Good news is that you can protect yourself from such situation:
- Keep an eye for updates and install them regularly
- Turn off a registration functions if it is not needed
- Don’t give excess rights to users who don’t need them
Adding a new administrator directly into the website database
This is another fairly simple way to hack, where a hacker gains access to the database of the website and adds a new user with administrator’s rights.
A hacker can get access to a database by:
- Using vulnerabilities in the website (SQL injection)
- Connecting to the database from the neighbouring website that is hosted on the same hosting
Ways you can protect your website from this type of hack:
- Forbidding reading rights of the data file that access the database for everyone except the owner of the website
- Change the default names of the spreadsheets in the database
- Install updates that will eliminate vulnerabilities in the CMS
As you can see, there are a lot of ways one can get access to the administrator’s panel, but there are ways you can protect it:
Limit access by an IP address to the admin panel and creating a code word or setting a web server authorization. This way only a user with the right IP address (the right range of IP) and knowing the code word or with a specific browser setup will be able to access the admin panel. In this case a hacker can’t use any of the tools mentioned because a web server will not allow access to the admin panel scripts.
Still, you shouldn’t neglect other means of protection. Only a multi layered protection can be effective.