admin folder's name in robots.txt

General project discussion. NOT for help questions.
cubitus
Forum Members
Posts: 32
Joined: Mon Oct 09, 2006 3:42 pm
Location: Lausanne/CH

Post by cubitus »

Hello everyone.

I have a general question about security.

I've read somewhere on this forum that a good idea would be to rename the admin folder.

In order to be consistent with the indexers (Google, Yahoo, etc.), the file robots.txt should contain the name of the admin folder in order for them not to index its content.

Doing it this way will reveal the name of the admin folder to the entire world. :-[

Does any of you have a suggestion for not revealing the name of the admin folder?
Is it really mandatory to have the admin folder in the robots.txt?

Thanks for your answer
moorezilla

Re: admin folder's name in robots.txt

Post by moorezilla »

Not sure if this is the best system, but I include /admin/ in robots.txt and then add .htaccess password protection to the admin folder, so that there's two layers of user/pass protection. For other folders that I don't want people in and I don't need to access directly, I just drop .htaccess deny from all in.

Again... your mileage may vary and I'm not sure if this is the best system, but it's what I do.
nuno

Re: admin folder's name in robots.txt

Post by nuno »

my advice is in robots.txt  put your new-admin-folder,
and we have set in all admin side

so it  helps a bit :)
Nuno Costa
cubitus
Forum Members
Posts: 32
Joined: Mon Oct 09, 2006 3:42 pm
Location: Lausanne/CH

Re: admin folder's name in robots.txt

Post by cubitus »

Just a 2 cents idea,

Would it be possible to have the following robots.txt ?

Code:

User-Agent: *
Disallow: /
Allow: /index.php
Allow: /uploads/

What happens if the robot wants to index my site (i.e. www.mysite.com)? It will try to index the root of my site (without the index.php), but the root folder is disallowed by my robots.txt.
It would work only if the robot starts indexing at the following URL: www.mysite.com/index.php.

Well my idea is not good I think :-(
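
Added example, not part of the post above and not CMSMS code: it evaluates the allow-list robots.txt proposed in that post under the longest-match rule of RFC 9309, using the standard `Allow` field name. The extra `Allow: /$` line and the folder name `/hidden-admin/` are assumptions made for illustration.

```python
import re

# Constructed sample: the allow-list file from the post (standard field names).
PROPOSED = """User-agent: *
Disallow: /
Allow: /index.php
Allow: /uploads/
"""
# Assumed variant: '$' anchors the end of the path, so only the bare root is added.
WITH_ROOT_ALLOWED = PROPOSED + "Allow: /$\n"


def parse_rules(robots_txt):
    """Return [(is_allow, pattern)] for the 'User-agent: *' group only."""
    rules, in_group = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            in_group = value == "*"
        elif in_group and field in ("allow", "disallow") and value:
            rules.append((field == "allow", value))
    return rules


def pattern_to_regex(pattern):
    """'*' matches any run of characters; a trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = ".*".join(re.escape(piece) for piece in body.split("*"))
    return re.compile(regex + ("$" if anchored else ""))


def is_allowed(rules, path):
    best = (-1, True)                            # no matching rule: allowed
    for allow, pattern in rules:
        if pattern_to_regex(pattern).match(path):
            # Longest pattern wins; on equal length Allow beats Disallow.
            best = max(best, (len(pattern), allow))
    return best[1]


def audit(robots_txt, paths):
    rules = parse_rules(robots_txt)
    return {path: is_allowed(rules, path) for path in paths}
```

With this layout the admin folder is excluded by the blanket `Disallow: /` and its name never appears in the file; the bare site root stays excluded unless a rule such as `Allow: /$` is added.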
CWebguy
Forum Members
Posts: 139
Joined: Thu Jul 24, 2008 3:31 am

Re: admin folder's name in robots.txt

Post by CWebguy »

I don't see why google would index your admin folder unless you specifically linked to it. Google only indexes what has been linked to, or submitted to them (e.g. sitemaps or url suggestion).  Otherwise it technically should not be able to find it I would think.  Just my thought.

CWebguy
Last edited by CWebguy on Mon Aug 18, 2008 8:32 pm, edited 1 time in total.
CMSMS Made
baresi
Forum Members
Forum Members
Posts: 129
Joined: Fri Jul 27, 2007 4:15 pm

Re: admin folder's name in robots.txt

Post by baresi »

robots exclusions are for links that you have links to throughout your site but don't want indexed. Major and legit search engines won't 'search' or sniff your folders
CWebguy
Forum Members
Posts: 139
Joined: Thu Jul 24, 2008 3:31 am

Re: admin folder's name in robots.txt

Post by CWebguy »

Yeah, I think Google's got enough time trying to index the gazillion number of sites on the net to waste its time in anybody's admin folder. Just my thoughts 8)
CMSMS Made
Dr.CSS
Moderator
Posts: 12711
Joined: Thu Mar 09, 2006 5:32 am
Location: Arizona

Re: admin folder's name in robots.txt

Post by Dr.CSS »

Just curious why you care who or what knows you have a folder in your site called admin, what are the security reasons that make you think the name should be changed?...
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: admin folder's name in robots.txt

Post by blast2007 »

mark wrote: Just curious why you care who or what knows you have a folder in your site called admin, what are the security reasons that make you think the name should be changed?...
Hi Mark,
I think that hiding the admin folder name could be an added security measure, probably a low measure, but it helps a little bit.

Here are the main reasons:
- Some of your users have a weak password, so it could be very easy to log in and do some defacement or other bad things on the CMS site.
- Side effects if you still haven't updated your release, with some bugged files on the admin side

Try yourself to guess an admin dir name like 33a03d499m29i883n_is_h939i39d39e if this name is never linked on the site or indexed by Google....

Anyway, the best technique IMHO is hiding the real admin dir name and using .htpassword with a strong password inside it, and forcing login to the admin side through an SSL connection.

Best regards
blast
tsw
Power Poster
Posts: 1408
Joined: Tue Dec 13, 2005 10:50 pm
Location: Finland

Re: admin folder's name in robots.txt

Post by tsw »

blast2007 wrote: - Some of your users have a weak password, so it could be very easy to log in and do some defacement or other bad things on the CMS site.
Should we start enforcing proper passwords? A minimum of N characters containing numbers and special characters?
blast2007 wrote: Anyway, the best technique IMHO is hiding the real admin dir name and using .htpassword with a strong password inside it, and forcing login to the admin side through an SSL connection.
The key is the SSL connection. With .htpasswd without SSL, the password is sent over the internet in plaintext EVERY time you load a page. So it might even be less secure (more chances of sniffing the passwd) if you use .htpass without SSL.
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: admin folder's name in robots.txt

Post by blast2007 »

tsw wrote: The key is the SSL connection. With .htpasswd without SSL, the password is sent over the internet in plaintext EVERY time you load a page. So it might even be less secure (more chances of sniffing the passwd) if you use .htpass without SSL.
Hi tsw, yes I wrote "force login through SSL" but I meant "force all admin connections through SSL" :)

And "force" is imperative because some of our users could forget to add an 's' after http.

Regards
blast
Pierre M.

Re: admin folder's name in robots.txt

Post by Pierre M. »

mark wrote: Just curious why you care who or what knows you have a folder in your site called admin, what are the security reasons that make you think the name should be changed?...
I think obfuscating this action-sensitive folder name puts a light stop in the path of script kiddies trying known, not-yet-patched vulnerabilities.

Conversely put: I don't see the advantage of letting your enemy know where the shutdown key is.

Pierre M.