Custom CMS/admin panel - which directory to have it in?

Hello

I have finally finished a PHP/MySQL website I have worked on for a long time, and am now working on adding a CMS/admin section for myself only.

It is to allow me to update/edit blog posts on the front page, and also to edit certain items around the site more easily than by hand through MySQL, and potentially in the future to edit other users' information etc.

I currently (for testing, the site isn’t public at the moment) have it in mywebsite.com/admin/

I know that is likely not smart.

What is the standard practice for where to ‘store’ a custom CMS/admin panel? I’m assuming it is not a good idea for anyone to even see WHERE it is, whether it is secure or not?

Thank you for any tips in this area.

Well, assuming there is authentication in front of the admin pages, the path to get there doesn't really matter. If you don't have any type of authentication system in front of pages that should be restricted, you're leaving open a huge security hole either way. Speaking of security, you should also only allow X number of login attempts per hour or so per IP. That will nearly eliminate any possible threats unless you're using a non-standard method of authenticating users.
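The per-IP throttle suggested above, written out as an added example (it is not code from anyone in this thread). The `login_attempts` table, the limit of 5 failures per hour, and the in-memory SQLite database are assumptions so the script runs stand-alone; on a real PHP/MySQL site you would point the PDO DSN at MySQL and read the client address from the request.

```php
<?php
// Added example: per-IP throttling of failed admin logins.
// Not from the thread. Table name, limits and the SQLite DSN are assumptions;
// swap the DSN for your MySQL connection in production.
declare(strict_types=1);

const MAX_ATTEMPTS   = 5;     // assumed: failures allowed per window
const WINDOW_SECONDS = 3600;  // one hour, as the reply suggests

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_attempts (
        ip           TEXT    NOT NULL,
        attempted_at INTEGER NOT NULL
    )');
    $db->exec('CREATE INDEX idx_attempts_ip_time ON login_attempts (ip, attempted_at)');
    return $db;
}

// True when this IP has already reached the failure limit inside the window.
function isThrottled(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM login_attempts WHERE ip = :ip AND attempted_at > :since'
    );
    $stmt->execute([':ip' => $ip, ':since' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= MAX_ATTEMPTS;
}

function recordFailure(PDO $db, string $ip, int $now): void
{
    $stmt = $db->prepare('INSERT INTO login_attempts (ip, attempted_at) VALUES (:ip, :at)');
    $stmt->execute([':ip' => $ip, ':at' => $now]);
}

function clearFailures(PDO $db, string $ip): void
{
    $stmt = $db->prepare('DELETE FROM login_attempts WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
}

// Returns 'throttled', 'denied' or 'ok'. $storedHash is a password_hash() value
// from the users table. The throttle check runs before password_verify(), so a
// blocked IP cannot keep guessing even with the right password.
function attemptLogin(PDO $db, string $ip, string $password, string $storedHash, int $now): string
{
    if (isThrottled($db, $ip, $now)) {
        return 'throttled';
    }
    if (password_verify($password, $storedHash)) {
        clearFailures($db, $ip);
        return 'ok';
    }
    recordFailure($db, $ip, $now);
    return 'denied';
}

// Demo with constructed data.
$db   = openDb();
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$ip   = '203.0.113.7';   // constructed address from the documentation range
$now  = time();

for ($i = 0; $i < 6; $i++) {
    echo attemptLogin($db, $ip, 'wrong-password', $hash, $now), PHP_EOL;   // 5x denied, then throttled
}
echo attemptLogin($db, $ip, 'correct horse battery staple', $hash, $now), PHP_EOL;                    // throttled
echo attemptLogin($db, $ip, 'correct horse battery staple', $hash, $now + WINDOW_SECONDS + 1), PHP_EOL; // ok
```

Two things to check when wiring this into a real site: take the address from `$_SERVER['REMOTE_ADDR']` (and only trust a forwarded header if your own reverse proxy sets it), and consider throttling per account as well as per IP, since a single account being hammered from many addresses would slip past a purely per-IP counter.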

Sounds good, thanks for the input.

I do have a solid auth system to access the admin pages. Helps me a lot to know that as long as it is secure it doesn't matter what directory you store it in. I will definitely come up with something a little more hidden than /admin/ though :)

Thanks very much for the advice!

One follow up question if I may.

If I plan on having users able to register for my site, should I have separate member tables in my database for admin and regular users?

For example…

one table: users - for the public to sign up

one table: admin_group - which would only have me in it currently.

or should I just insert my admin username in the regular users table, and include that as part of my auth system: (if username != admin, deny access)
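As an added example (not code from anyone in this thread), here is the second option from the question carried through: a single `users` table that also holds the admin account, with an admin check in the auth layer. The table layout, the `role` column and the in-memory SQLite database are assumptions; the check compares a stored role rather than a hard-coded username so that renaming the account or adding a second admin needs no code change.

```php
<?php
// Added example: one users table for everyone, admin access decided by a role column.
// Not from the thread. Schema and column names are assumptions; the SQLite DSN is
// only so the script runs stand-alone.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL,
        role          TEXT NOT NULL DEFAULT 'user' CHECK (role IN ('user', 'admin'))
    )");
    return $db;
}

// Public sign-up and the admin account both land in the same table; only the role differs.
function addUser(PDO $db, string $username, string $password, string $role = 'user'): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash, role) VALUES (:u, :h, :r)'
    );
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
        ':r' => $role,
    ]);
}

// Authentication: who is this? Returns the user row (without the hash) or null.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, role, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Authorization: may this authenticated user enter the admin area?
// This is the check every page under the admin directory runs before doing anything,
// whatever that directory happens to be called.
function isAdmin(?array $user): bool
{
    return $user !== null && $user['role'] === 'admin';
}

// Demo with constructed accounts.
$db = openDb();
addUser($db, 'siteowner', 'owner-password-example', 'admin');
addUser($db, 'alice', 'alice-password-example');          // regular sign-up, role defaults to 'user'

var_dump(isAdmin(authenticate($db, 'siteowner', 'owner-password-example'))); // bool(true)
var_dump(isAdmin(authenticate($db, 'alice', 'alice-password-example')));     // bool(false)
var_dump(isAdmin(authenticate($db, 'siteowner', 'wrong-password')));         // bool(false)
```

The separate `admin_group` table from the first option works too; the trade-off is that every query about "who is logged in" then has to consult two tables, whereas a role column keeps one login path and puts the privilege decision in one place.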

One idea is to obfuscate the /admin folder name and make it something hard to guess such as /wi33le - then access the admin part via a PHP page in your document root, again naming this so it's hard to guess.

Good idea for sure. I will do that. I could even change the directory name periodically.

Last I knew, you can put some folders (wp-admin, wp-content) in locations other than the default.
It takes some config tweaking, but it is something to consider.
http://codex.wordpress.org/Hardening_WordPress#Security_through_obscurity