
I have a question-and-answer site. I have an admin section. From that section I can delete users, threads, responses, and edit various other things. I have some simple code at the start of the admin page:

    if(($session->protected_page_security()) == FALSE ||
       ($session->is_administrator() == FALSE)){
        $session->logout();   // must be a call; "$session->logout;" only reads a property and does nothing
        redirect_to('../index.php');
    }

A session class has the following methods....

    public function protected_page_security() {
        // Passes when the stored session is still valid or a fresh login succeeds.
        if(!$this->confirm_session_is_valid() && !$this->check_login()){
            return false;
        } else {
            return true;
        }
    }

    public function confirm_session_is_valid() {
        $check_ip = true;
        $check_user_agent = true;
        $check_last_login = true;

        if($check_ip && !$this->request_ip_matches_session()) {
            return false;
        }
        if($check_user_agent && !$this->request_user_agent_matches_session()) {
            return false;
        }
        if($check_last_login && !$this->last_login_is_recent()) {
            return false;
        }
        return true;
    }

    public function request_ip_matches_session() {
        if(!isset($this->ip) || !isset($_SERVER['REMOTE_ADDR'])) {
            return false;
        }
        if($this->ip === $_SERVER['REMOTE_ADDR']) {
            return true;
        } else {
            return false;
        }
    }

    public function request_user_agent_matches_session() {
        if(!isset($_SESSION['user_agent']) || !isset($_SERVER['HTTP_USER_AGENT'])) {
            return false;
        }
        if($_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) {
            return true;
        } else {
            return false;
        }
    }

    public function last_login_is_recent() {
        $max_elapsed = 60 * 60 * 24; // 1 day
        // return false if value is not set
        if(!$this->last_login) {
            return false;
        }
        if(($this->last_login + $max_elapsed) >= time()) {
            return true;
        } else {
            return false;
        }
    }

    public function is_administrator(){
        // Hard-coded list of administrator user ids; guard against an unset session value.
        $administrator_ids = array("164");
        if(isset($_SESSION['user_id']) && in_array($_SESSION['user_id'], $administrator_ids)){
            return true;
        } else {
            return false;
        }
    }

USER_ID = "164" is an administrator.

My question is this:

Do you think it is unwise to have a link to the admin section on the site (even if only shown for me, when I log in)? If someone can gain access to this page, they can bring down the entire database. Is it wiser to not have any link and just type the address in as a URL?

I apologise for the simple question.

I am guessing it is possible for someone to find out (hack) the site's file structure and "see" that there is an admin section regardless of whether there is any link to it, right? So maybe my question is moot.

GhostRider
  • Security by obscurity can be useful to an extent, but is never to be considered effective security. Act as if that link is public, because it is. – schroeder Aug 06 '14 at 16:16
  • Thanks for the comment. But not sure it answers what I am asking (not being tricky). Would you display the link? If there is no link, and the admin simply types in the URL, is that better, or is that a false sense of security? – GhostRider Aug 06 '14 at 16:20
  • Keeping an asset obscured can reduce the visibility, and hence can reduce the number of hits, which can reduce the potential for compromise. That does NOT improve security, but reduces probability. Design it as though it is visible. Hide it to reduce the number of curious lookers. – schroeder Aug 06 '14 at 16:24

1 Answer

While it may deter very amateur hackers, the concept of security by obscurity is very seldom effective at providing actual security.

A far better approach would be to restrict the admin page to an IP (yours).

Also, I assume you are using WordPress or some other content management system. My two best recommendations for improved security would be to keep the system updated and keep a secure master password.

Matthew Peters
  • Not using WordPress. It's my own site. Good point about the IP address though - although this does limit my own access to the site, to that PC (more or less). Would vote up but I appear to not be reputable enough.... – GhostRider Aug 06 '14 at 20:39
  • @GhostRider, If you do not know all the potential IPs then you could always use a VPN. A simple and free approach would be to use TeamViewer on your desktop at home (it even has a wakeOnLan function) and have your home IP set to trusted. As an aside, since this is your own site, I'd strongly recommend you look up other procedures for improving security, chief among them SSL (if you haven't already). – Matthew Peters Aug 06 '14 at 20:46
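As an added example that is not code from the question or the answer: the poster's session and role checks combined with the IP allow-list the answer recommends, including the caveat that behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so `X-Forwarded-For` may only be trusted when the direct peer is a known proxy. It assumes PHP 7.1+, the `$session` object with the methods shown in the question, and two hypothetical configuration constants.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: PHP 7.1+; $session is the question's session object with
// protected_page_security(), is_administrator() and logout(); the two
// constants below are hypothetical configuration values.

const ADMIN_ALLOWED_IPS = ['203.0.113.10'];   // constructed example address (TEST-NET-3)
const TRUSTED_PROXIES   = [];                  // empty: X-Forwarded-For is never honoured

/**
 * Resolve the client address. REMOTE_ADDR is the peer the web server saw; only
 * when that peer is a known proxy is the address it appended to X-Forwarded-For used.
 */
function client_ip(array $server): ?string {
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null) {
        return null;
    }
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The rightmost entry was appended by the trusted proxy; earlier entries are client-supplied.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $peer = end($hops);
    }
    return filter_var($peer, FILTER_VALIDATE_IP) === false ? null : $peer;
}

/** Strict comparison avoids PHP's loose string/number equality. */
function ip_allowed(?string $ip): bool {
    return $ip !== null && in_array($ip, ADMIN_ALLOWED_IPS, true);
}

/** Admin gate: every check must pass; any failure ends the session before the redirect. */
function require_admin($session, array $server): bool {
    $ok = ip_allowed(client_ip($server))
        && $session->protected_page_security() === true
        && $session->is_administrator() === true;
    if (!$ok) {
        $session->logout();   // parentheses matter: "$session->logout;" reads a property and does nothing
    }
    return $ok;
}

// At the top of the admin page:
// if (!require_admin($session, $_SERVER)) {
//     redirect_to('../index.php');
//     exit;
// }
```

Keeping the IP check first means a request from outside the allow-list never reaches the session logic at all, which is the visibility reduction schroeder describes, while the session and role checks remain the actual access control.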