Improving PHP Admin Login Protection & Login Security in 5 steps

PHP is the backbone of almost every popular CMS nowadays. Its simplicity and license-free nature make PHP the preferred choice in website development. However, not following secure coding standards while building a PHP website can give rise to security risks in PHP sites.

This Blog Includes show

In particular, securing the PHP admin panel is one of the biggest security concerns for developers and websites nowadays. A vulnerable PHP admin panel can lead to PHP admin panel hack, which can, in turn, bring serious ramifications to your business such as – data breach/theft, website defacement, redirection, spam, and what not!

Symptoms of a PHP admin panel hack

Common symptoms of a PHP admin panel hack include:

unable to access the backend
admin URL throwing an error
credentials not working

Other symptoms associated with PHP login security risks are:

website defacement
appearance of phishing pages on your PHP site
appearance of ambiguous file managers
unknown admins and users added to your website backend
PHPMyAdmin is depicting new as well as unknown database administrators

Besides these, other general hacking symptoms include:

warning messages from host, security providers, google search console, email providers, etc.
account suspended by popular search engines
malicious ads pop-up on your website
emails sent from your domain marked as spam

Related Blog – Comprehensive Guide on PHP Security

A majority of vulnerabilities in a PHP website is an outcome of bad coding habits. Further, a lack of security awareness related to PHP applications among developers is also a key reason.

If you have been careless yourself in the past, start following these security practices today. And in no time, you will have a solid and secure admin login area and user login area on your PHP website.

Change URL – Default anything is a security risk. And the default URL for your admin area is no exception. Change your admin path to something unique and in no time your PHP website’s backend will hide for the general public. To change your default admin path, add the following lines to your config.php file:

define( 'ADMIN_DIR', 'private-area' );  
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . ADMIN_DIR );

Then, add the following code to your function.php file:

add_filter( 'site_url', 'change_admin_url', 10, 3 );  
function change_admin_url( $url, $path, $orig_scheme ) {  
    $old  = array( "/(admin)/" );  
    $admin_dir = ADMIN_DIR;  
    $new  = array($admin_dir);  
    return preg_replace( $old, $new, $url, 1 );  
}

And finally add this code to htaccess file

RewriteRule ^private-area/(.*) admin/$1?%{QUERY_STRING} [L]

Restrict IPs – Whitelisting only your IPs for the backend page will automatically block out everyone else. If you have a team that manages the website, you can whitelist their IPs as well. This would give only a few selected persons access to your website’s admin panel.

You can restrict IPs on your website by adding the following lines in your index.php files or if you are using a custom framework then it can be placed in the file which is responsible for page routing.

<?php
$deny = array('10.','192.168.10.');
$current_ip = $_SERVER['REMOTE_ADDR'];
foreach($allow AS $value)
{
   $count = strlen($value);
   $block = substr($current_ip,0,$count);
   if($block != $value)
   {
       //allow user in
   }else
   {
       //deny
       header("location: https://example.com/blockedAccess");
       exit();
   }
}
?>

Another strategy that doesn’t rely on PHP scripts rather than on Server configuration is to block/allow IP addresses using the .htaccess file (Assuming you are using Apache). To do this, simply place the following lines in .htaccess files:

Order Allow, Deny
Allow from all
Deny from 123.123.123.123  //Blocks a single IP address
Deny from 123.123 //Blocks every Ip that starts with 123.123

Note – The .htaccess file should be present in the root of your website directory for the above snippet to work.

CAPTCHAs are essential to check brute-force and other bot-related attacks on your PHP admin and login area. They also protect you from spam and fake registrations. Further, there are different kinds of CAPTCHAs out there. Some use an Arithmetic question, some a picture test, some jumbled words, some invisible fields, and so on.

Remember that CAPTCHAs can be cracked but the hacker has to be extremely sophisticated for that. For the time being, CAPTCHA’s have been working as a greater blocker for most hackers and can definitely be utilized for your PHP website too.

Some popular CAPTCHA modules available online are: Google ReCaptcha, Securimage, BotDetect PHP CAPTCHA Generator, etc.

Another secure PHP admin protection you can undertake is – Timeouts and Failovers. OWASP defines session timeouts as – …an event occurring when a user does not perform any action on a web site during an interval (defined by the webserver)…”

That is, if a user does not take action for a prolonged period of time on your PHP website, the server expires his data and asks for a re-authentication.

You can do this by defining web API resources and related permissions in the webapi.xml file.

Limiting the number of login attempts is another effective login protection method for a website. Since bot-behaviour identifies with an insanely high number of login attempts as we have seen in Brute-force & Dictionary attacks, it is important to put a restriction through the number of attempts attribute.

For websites built on CMS, there are score plugins and extensions that do the job for you. However, for a custom-built PHP website, there are hardly any trust-worthy modules available. All you can do here is to add a script like the one given below to freeze logging for any user (after he has crossed a set number of failed logins):

if($login_incorrect){
     if(isset($_COOKIE['login'])){
          if($_COOKIE['login'] < 3){
               $attempts = $_COOKIE['login'] + 1;
               setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
          } else{
               echo 'You are banned for 10 minutes. Try again later';
          }
     } else{
          setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
     }
}

Source: https://stackoverflow.com/

5. Keep error messages vague

Error messages that specify the error are risky. Keeping these messages vague ensures that hackers don’t benefit from the rule of elimination when brute-forcing your login page.

Consider this example, a hacker tries a combination of email and password. Your benign system, not recognizing the intention, throws him an error – ‘ The password is incorrect.‘ Even though the hacker started with no solid confirmation about the credentials, the hacker now knows that a user with that email exists. Which is a 50% win for the hacker. You don’t want that, right? So at all times keep your messaging as generalized as possible.

Now, to do this, add your error message in your check.php script as given below:

$_SESSION['message'] = 'Your message';

and then in the login.php file, add this piece of code where you want the message to be displayed:

if (isset($_SESSION['message']))
{
    echo $_SESSION['message'];
    unset($_SESSION['message']);
}

Source: https://stackoverflow.com/

Astra web protection is equipped with the latest security solutions to safeguard you from malicious attacks. Interestingly, Astra has its own PHP web application firewall that greatly safeguards your PHP site from malicious attacks. Here are some features of the PHP web application firewall by Astra.

Community-powered security engine
Brute force protection
Protection from directory traversal
Automatic blocks on unknown hackers
7 layer DDoS protection
Protection from content stealing and scrapping

Well, many people usually say that PHP is quite old and that is the reason security risks are always higher. However, note that despite of being old, PHP is the most popular coding language in the world. So it makes sense to secure your PHP-powered website with PHP hack removal plug-in Astra Security Suite.