Hiding CMS/Backoffice link

Most of the systems I develop have a CMS or Backoffice system to manage the frontend. Until now, I have placed the system files in obvious directories such as www.site.com/admin or www.site.com/backoffice, which constitutes an obvious security risk.

Besides renaming the directory where the system files are deposited, is there a better approach?

What is this obvious security risk you are talking about? If your authentication to your administrative areas is so broken that you need security through obscurity to protect it, then you are doing it all wrong. Fix the real problem, do not hide them.

There is no issue at all with the authentication system, but we have had plenty of “bots” trying to randomly log in to the system (without success).

Well, as long as they don’t get in, then there is not much to worry about. I would, depending on what kind of firewall you have, set it up to block connections from the same IP if it makes a lot of connections within a short time frame. That stops most misbehaving bots from working properly.
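The rate-based blocking suggested in the post above, sketched as an added example that is not part of the original thread: a sliding-window counter over web server access-log lines that lists the IPs a firewall deny rule could then target. The log format (Common Log Format), the `/admin` prefix, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (documentation IP ranges, not real traffic).
def _line(ip, sec, path, status):
    return f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] "POST {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "/admin/login", 401) for s in range(8)]         # bot: 8 tries in 8 s
    + [_line("198.51.100.20", s, "/admin/login", 200) for s in (5, 25, 45)]  # human admin
    + [_line("192.0.2.44", s, "/index.html", 200) for s in range(10)]        # busy, but not /admin
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_offenders(log_text, path_prefix="/admin", max_hits=5,
                   window=timedelta(seconds=10)):
    """Return {ip: time the limit was first exceeded} for IPs that made more
    than max_hits requests under path_prefix within the sliding window.
    Assumes each IP's lines appear in chronological order, as in a normal log."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of crashing
        ip, ts, _method, path, _status = m.groups()
        if not path.startswith(path_prefix):
            continue              # only the admin area is rate-limited
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop requests that fell out of the window
        if len(hits) > max_hits and ip not in offenders:
            offenders[ip] = when
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block candidate {ip}: limit exceeded at {when.isoformat()}")
```

Successful logins are counted as well, so the threshold should sit above what a legitimate administrator would ever generate.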

On the webserver, put these directories in read-only mode.

Umm that will do what exactly?

Yep, that's pretty much the way I decided to go.

Cheers. :)