Clan Adverts

Prevent Access To admin.php

Description: This tutorial will help prevent hackers from gaining access to admin.php
Version: 1.0
Added on: 08 July 2007
Author: Anna
Difficulty Level: Easy
Views: 1175
Rating: 10.0 (1 Vote)

Most hackers will go for the authors table and attempt to gain entry through the admin accounts.

Here is an interesting workaround (fix) to thwart this method of attack.

Create a file and call it whatever you like (authority.php in this example).
In that file place the following code:

Code:
<?php

//This function returns True if the visitor's IP is allowed.
//Otherwise it returns False.
function CheckAccess()
{
  //allowed IP. Change it to your static IP
  $allowedip = '127.0.0.1';

  //REMOTE_ADDR is the address the web server actually received the
  //connection from; do not substitute a client-supplied header here.
  $ip = $_SERVER['REMOTE_ADDR'];
  return ($ip === $allowedip);
}

?>


Change the IP address to your static IP address. Place the file in your root directory.

Now, open up admin.php

Find: (near the top)
Code:
require_once('mainfile.php');


Directly below that line add:
Code:
require_once('authority.php');


using the name of the file you just created.
Now look below this, where you will see:
Code:
if(isset($aid)) {
  if($aid AND (!isset($admin) OR empty($admin)) AND $op!='login') {
    unset($aid);
    unset($admin);
    die('Access Denied');
  }
}


Add below that:
Code:
//CheckAccess() is defined in authority.php, which was included above
if (!CheckAccess())
{
  //show the access denied message and exit the script
  echo 'Access denied!';
  exit;
}

//access granted, normal flow
echo 'OK';


This restricts every admin function to a single IP address, no matter what password or login is used.

If you have multiple IPs, you will need to extend the code in your new file to reflect those as well.
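As an added example (not part of the original tutorial), here is a version of authority.php that handles the multiple-address case: it accepts a list of single IPv4 addresses and CIDR ranges, and rejects anything malformed. The addresses in the list are constructed placeholders; replace them with your own.

```php
<?php
// Added example, not the tutorial's own code: authority.php with an allow
// list of several static addresses and CIDR ranges (IPv4, 64-bit PHP).
// The entries below are constructed placeholders; replace them with yours.
$ALLOWED = array(
    '127.0.0.1',        // local testing
    '203.0.113.7',      // placeholder: your static home/office address
    '198.51.100.0/24',  // placeholder: an office range
);

// Returns true if $ip (dotted IPv4) falls inside $cidr ("a.b.c.d" or "a.b.c.d/n").
function ipInCidr($ip, $cidr)
{
    $parts = explode('/', $cidr, 2);
    $net   = $parts[0];
    $bits  = isset($parts[1]) ? (int)$parts[1] : 32;

    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input never grants access
    }
    // Build the netmask; a /0 prefix is all zeros, so handle it explicitly.
    $mask = ($bits === 0) ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return (($ipLong & $mask) === ($netLong & $mask));
}

// Returns true if the visitor's address is on the allow list, false otherwise.
// Only REMOTE_ADDR is consulted: it is the address the web server actually
// talked to, whereas headers such as X-Forwarded-For are set by the client.
function CheckAccess()
{
    global $ALLOWED;
    if (!isset($_SERVER['REMOTE_ADDR'])) {
        return false;
    }
    $ip = $_SERVER['REMOTE_ADDR'];
    foreach ($ALLOWED as $entry) {
        if (ipInCidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}
?>
```

The admin.php edits from the tutorial stay the same, since the function name and its return values are unchanged.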

If the new function is working, you will see the letters "OK" in the top left of your admin pages when you access them. If you do not like that, just remove the last echo 'OK' line from your edits.