Custom PHP Admin Section

Hi, I am in the middle of developing (using Codeigniter) a site at the moment and it requires a complex Admin section so that staff can manage various things on the site.

I am looking for some advice on how I can make the Admin as secure as possible because, like any other site, if someone gains access to the admin section then they could destroy the site in a matter of seconds.

I was thinking of doing the following:

01 - setting the admin section up on a sub directory such as adm1nistrat0r.website.com
02 - securing the admin section with a login section before the admin pages can be accessed
03 - securing the directory with htaccess

Can anyone recommend any other methods that I could use? Thanks in advance for your help...

#1maybe place the files for the admin section outside of the webroot. In case something goes wrong on the server and your php is outputted as plaintext, I heared this could potentially happen
#2use a ssl certificate
#3 bind the admin to certain ip's (whitelist)

Hi,

yeah, you should definitely use TLS/SSL. In addition to that:

• use strong password hashes with salts, not something like MD5; you can use the PHPass library, for example
• tell the admins to use strong and unique passwords; they can generate and store them with KeePass
• for very critical admin actions, require the user to re-enter his password to prevent session stealing and CSRF
• use form tokens to prevent CSRF (see the link above)

If you don't make any "stupid" mistake, this should be a pretty solid authentication.