Testing the Security of Your Website – Part 1
Location of the Control Panel
Most websites have a control panel where you can manage their contents. The major problem is that most website owners leave the control panel installed in its default location, for instance https://www.yourwebsite.com/admin. The exact location depends on the software you use: WordPress uses /wp-admin, while vBulletin uses /admincp. If your website advertises the software it runs (a potential security risk we will cover later in this tutorial), it is very easy for a hacker to look up the default control panel location for that particular software.
One of the first things a hacker will do is check whether your website’s control panel sits in an obvious location. Figure 1 shows a real-life example of a well-known website with this problem.
Figure 1: Website’s control panel installed on its default location
Many websites on the Internet have this problem, and it is very easy for a hacker to run a program that tries hundreds of passwords per hour against your control panel’s login page. Luckily, most website management programs have counter-measures against this kind of attack, but it is better not to count on that.
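Whether or not your software has its own counter-measures, you can see a password-guessing run in your web server’s access log: one client address posting to the control panel login page over and over. The script below is an added example, not code from the original article; it parses a constructed sample log in the common “combined” format (the addresses, timestamps and user agents are made up, and the login path /admin/login.php, the threshold and the time window are assumptions you would adjust for your own site) and flags any address that exceeds the threshold inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in "combined" format (not taken from the article).
# 203.0.113.7 hammers the login page; 198.51.100.4 logs in once; 192.0.2.9 posts
# slowly (one attempt every 15 minutes), which should not trip a 10-minute window.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2023:13:50:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:50:30 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:12:00:00 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:12:15:00 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:12:30:00 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:12:45:00 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:00:00 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
this line is not in log format and must be skipped
"""

# Fields of one "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Control panel prefixes named in the article, plus /admin/login.php as an assumed
# login endpoint for the sample. Use your own panel's real path here.
PANEL_PREFIXES = ("/admin", "/wp-admin", "/admincp")


def parse_line(line):
    """Parse one access log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_login_attempt(rec):
    """A POST to a control panel path counts as one login attempt."""
    return rec["method"] == "POST" and rec["path"].startswith(PANEL_PREFIXES)


def find_bruteforce(lines, threshold=5, window_minutes=10):
    """Return {ip: max attempts seen inside any window} for IPs at or over threshold."""
    window = timedelta(minutes=window_minutes)
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_attempt(rec):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_minutes.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login attempts within 10 minutes")
```

Run it against your own log (for example, by replacing SAMPLE_LOG with the contents of access.log) after you have moved the control panel: once the panel no longer lives at the default path, any POST flood against /admin or /wp-admin is pure guessing and a good candidate for blocking at the firewall or web server.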
Therefore, you must change the location of your website’s control panel. Keep in mind that, besides renaming the control panel’s directory (folder), you will most likely also need to update the configuration file (config.php or similar) with the new location.
After changing the location of the control panel, do not tell anyone about it, and do not list it anywhere, especially not in the robots.txt file: that file is publicly readable, so listing the path there simply advertises it.
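A quick way to check the last step is to read your own robots.txt the way a visitor would and look at every Disallow entry, since each one publishes a path. The script below is an added example, not code from the original article: it parses a constructed robots.txt (the paths in it are made up, and the renamed panel /site-cp-2024/ is deliberately listed to show the mistake), reports all Disallow paths, and marks those whose name suggests a control panel. The default names come from the article; the generic words "cp" and "login" are assumptions added for the heuristic.

```python
import re

# Constructed sample robots.txt (not from the article). The renamed control panel is
# listed on purpose: moving the directory does not help if you then publish the path.
SAMPLE_ROBOTS = """\
# constructed example
User-agent: *
Disallow: /tmp/
Disallow: /wp-admin/
Disallow: /admincp
Disallow:                # empty value: allow everything, nothing revealed
Allow: /admin/docs/
Disallow: /site-cp-2024/ # the renamed control panel, listed anyway
Sitemap: https://www.yourwebsite.com/sitemap.xml
"""

# Default control panel names from the article (admin, wp-admin, admincp) plus two
# generic words (cp, login) assumed here to catch home-grown names.
PANEL_HINTS = ("admin", "wp-admin", "admincp", "cp", "login")


def parse_robots(text):
    """Return the Disallow paths in order, ignoring comments and empty values."""
    disallowed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line or ":" not in line:
            continue
        directive, _, value = line.partition(":")
        if directive.strip().lower() == "disallow" and value.strip():
            disallowed.append(value.strip())
    return disallowed


def looks_like_panel(path):
    """True if any path component, split on non-alphanumerics, is a panel hint."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", path.lower()) if t]
    return any(t in PANEL_HINTS for t in tokens)


def audit_robots(text):
    """Report every published Disallow path and the subset that looks like a panel."""
    disallowed = parse_robots(text)
    return {
        "disallowed": disallowed,
        "suspicious": [p for p in disallowed if looks_like_panel(p)],
    }


if __name__ == "__main__":
    report = audit_robots(SAMPLE_ROBOTS)
    for path in report["disallowed"]:
        flag = "CONTROL PANEL?" if path in report["suspicious"] else ""
        print(f"{path:20} {flag}")
```

The heuristic only catches names that look like a panel; the stronger rule, as the article says, is that the control panel path should not appear in robots.txt at all, so treat the full "disallowed" list as the thing to review, not just the flagged entries.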
