admin folder's name in robots.txt
Posted: Sat Aug 16, 2008 3:39 pm
by cubitus
Hello everyone.
I have a general question about security.
I've read somewhere on this forum that a good idea would be to rename the admin folder.
In order to be consistent with the indexers (Google, Yahoo, etc.), the file robots.txt should contain the name of the admin folder so that they do not index its content.
Doing it this way will reveal the name of the admin folder to the entire world.
Does any of you have a suggestion for not revealing the name of the admin folder?
Is it really mandatory to have the admin folder in the robots.txt?
Thanks for your answers
Re: admin folder's name in robots.txt
Posted: Sat Aug 16, 2008 3:58 pm
by moorezilla
Not sure if this is the best system, but I include /admin/ in robots.txt and then add .htaccess password protection to the admin folder, so that there are two layers of user/pass protection. For other folders that I don't want people in and I don't need to access directly, I just drop a .htaccess with deny from all in.
Again... your mileage may vary and I'm not sure if this is the best system, but it's what I do.
Re: admin folder's name in robots.txt
Posted: Sat Aug 16, 2008 5:07 pm
by nuno
My advice is to put your new-admin-folder in robots.txt,
and we have set it in all the admin side,
so it helps a bit.

Nuno Costa
Re: admin folder's name in robots.txt
Posted: Mon Aug 18, 2008 8:09 pm
by cubitus
Just a 2 cents idea,
Would it be possible to have the following robots.txt?
Code:
User-Agent: *
Disallow: /
Allow: /index.php
Allow: /uploads/
What happens if the robot wants to index my site (i.e.
www.mysite.com)? It will try to index the root of my site (without the index.php), but the root folder is disallowed by my robots.txt.
It would work only if the robot starts to index the following URL:
www.mysite.com/index.php.
Well, my idea is not good, I think.
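To see what a crawler would make of the file proposed above, here is a small robots.txt evaluator written for this thread (it is not code from the forum or any project). It applies the "most specific rule wins" matching that RFC 9309 and Google use: the longest matching path prefix decides, and Allow beats Disallow on a tie. It assumes a single "User-agent: *" group and literal path prefixes without wildcards.

```python
# Added example: evaluate cubitus's proposed robots.txt with longest-prefix matching.
# Assumptions: one "User-agent: *" group, literal path prefixes, no "*" or "$" wildcards.
from urllib.parse import urlsplit

# Constructed from the file proposed in the thread (with "Allows" corrected to "Allow").
ROBOTS_TXT = """\
User-Agent: *
Disallow: /
Allow: /index.php
Allow: /uploads/
"""


def parse_rules(text):
    """Return a list of (allow: bool, path_prefix: str) for the '*' group."""
    rules = []
    in_star_group = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_star_group = value == "*"
        elif in_star_group and field in ("allow", "disallow") and value:
            # An empty "Disallow:" means "allow everything", so it adds no rule.
            rules.append((field == "allow", value))
    return rules


def can_fetch(rules, url):
    """Longest matching prefix wins; on equal length Allow beats Disallow.
    A URL without a path (the bare site root) is treated as '/'."""
    path = urlsplit(url).path or "/"
    best = None  # (prefix_length, allow) of the most specific matching rule
    for allow, prefix in rules:
        if path.startswith(prefix):
            key = (len(prefix), allow)  # True > False, so Allow wins ties
            if best is None or key > best:
                best = key
    return True if best is None else best[1]


RULES = parse_rules(ROBOTS_TXT)

if __name__ == "__main__":
    for u in ("http://www.mysite.com", "http://www.mysite.com/index.php",
              "http://www.mysite.com/uploads/logo.png", "http://www.mysite.com/admin/"):
        print(u, "->", "allowed" if can_fetch(RULES, u) else "disallowed")
```

Run as-is it confirms the worry in the post: the bare site root is disallowed while /index.php and /uploads/ are allowed, and the admin directory is blocked without its name ever appearing in the file.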

Re: admin folder's name in robots.txt
Posted: Mon Aug 18, 2008 8:29 pm
by CWebguy
I don't see why Google would index your admin folder unless you specifically linked to it. Google only indexes what has been linked to, or submitted to them (e.g. sitemaps or URL suggestion). Otherwise it technically should not be able to find it, I would think. Just my thought.
CWebguy
Re: admin folder's name in robots.txt
Posted: Mon Aug 18, 2008 8:37 pm
by baresi
Robots exclusions are for pages that you link to throughout your site but don't want indexed. Major and legit search engines won't 'search' or sniff your folders.
Re: admin folder's name in robots.txt
Posted: Tue Aug 19, 2008 4:48 am
by CWebguy
Yeah, I think Google's got enough to do trying to index the gazillion sites on the net to waste its time in anybody's admin folder. Just my thoughts.

Re: admin folder's name in robots.txt
Posted: Tue Aug 19, 2008 5:02 am
by Dr.CSS
Just curious why you care who or what knows you have a folder in your site called admin, what are the security reasons that make you think the name should be changed?...
Re: admin folder's name in robots.txt
Posted: Tue Aug 19, 2008 8:08 am
by blast2007
mark wrote:
Just curious why you care who or what knows you have a folder in your site called admin, what are the security reasons that make you think the name should be changed?...
Hi Mark,
I think that hiding the admin folder name could be an added security measure, probably a low measure, but it helps a little bit.
Here are the main reasons:
- Some of your users have a weak password, so it could be very easy to log in and do some defacement or other bad things on the CMS site.
- Side effects if you still haven't updated your release, with some bugged files on the admin side.
Try yourself to guess an admin dir name like
33a03d499m29i883n_is_h939i39d39e if this name is never linked on the site or indexed by Google....
Anyway, the best technique IMHO is hiding the real admin dir name, using .htpasswd with a strong password inside it, and forcing login to the admin side through an SSL connection.
Best regards
blast
Re: admin folder's name in robots.txt
Posted: Tue Aug 19, 2008 8:14 am
by tsw
blast2007 wrote:
- Some of your users have a weak password, so could be very easy to login and make some defacement or others bad things on CMS site.
Should we start enforcing proper passwords? A minimum of N characters containing numbers and special characters?
blast2007 wrote:
Anyway, the best technique IMHO is hiding the real admin dir name, using .htpasswd with a strong password inside it, and forcing login to the admin side through an SSL connection.
The key is the SSL connection. With .htpasswd without SSL, the password is sent over the internet in plaintext EVERY time you load a page. So it might even be less secure (more chances of sniffing the passwd) if you use .htpasswd without SSL.
Re: admin folder's name in robots.txt
Posted: Tue Aug 19, 2008 8:21 am
by blast2007
tsw wrote:
The key is the SSL connection. With .htpasswd without SSL, the password is sent over the internet in plaintext EVERY time you load a page. So it might even be less secure (more chances of sniffing the passwd) if you use .htpasswd without SSL.
Hi tsw, yes I wrote "force login through SSL" but I meant "force all admin connections through SSL"
And "force" is imperative because some of our users could forget to add an 's' after http.
Regards
blast
Re: admin folder's name in robots.txt
Posted: Mon Aug 25, 2008 4:16 pm
by Pierre M.
mark wrote:
Just curious why you care who or what knows you have a folder in your site called admin, what are the security reasons that make you think the name should be changed?...
I think obfuscating this action-sensitive folder name puts a light stop in the path of script kiddies trying not-yet-patched known vulnerabilities.
Put the other way round: I don't see the advantage of letting your enemy know where the shutdown key is.
Pierre M.