Okay, so we all love Kirby… and some of us use the “panel” to populate a Kirby site instead of plain (s)FTP.
Sounds good! But the problem is… everyone can access the panel login of a Kirby site, just by entering /panel/login after the site root URL.
I mean, let’s assume Google is using Kirby (hell, why not!) - one can try to enter the login panel by simply navigating to http://google.com/panel/login
That’s why I’m protecting ALL my panel URIs with an extra protection layer: simply a .htpasswd, triggered by a custom-set .htaccess.
This is working nice, but I want more… more protection!
So I decided “why not change the panel slug”… I mean… it’s always http://site.tld/panel no matter what… very easy to use and abuse.
Simply renaming the directory “panel” to something like “backdoor” didn’t quite work out, so I had to try something different: adding a pass-phrase to the URI.
I ended up with the code below… In the “index.php” of “/panel” I simply included an external credentials.php file (located in “/controllers”, so it wouldn’t be overwritten by an update of the Kirby core).
The “credentials.php” file contains both a unique security key and value for the “/panel” directory.
So if one navigates to this URL:
http://site.tld/panel/ he or she is redirected to the site’s homepage (well, actually he/she has to enter the .htpasswd first, LOL).
And one is only given access to the login form with this URL:
http://site.tld/panel/login/?WhoAreYou=JamesBond
It’s a simple, extra security layer… but it prevents brute-force attacks from the default login form.
Is this a good or bad implementation (it works for me, so I guess it’s good)?
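Worked example of the gate the post describes, added here as an illustration; it is not the poster’s code and not part of Kirby. It assumes Kirby routes every /panel request through /panel/index.php, that a hypothetical /controllers/credentials.php defines the constants PANEL_KEY and PANEL_VALUE, and it adds one thing the post does not spell out: a correct key/value unlocks the panel for the rest of the PHP session, so panel URLs requested after login (which no longer carry the query string) keep working.

```php
<?php
// Added example, not the poster's code and not part of Kirby: a
// query-string gate placed at the top of /panel/index.php. The file
// /controllers/credentials.php and the constant names are assumptions.

// --- /controllers/credentials.php (assumed contents) ---
// define('PANEL_KEY',   'WhoAreYou');   // query parameter name
// define('PANEL_VALUE', 'JamesBond');   // required value

require_once __DIR__ . '/../controllers/credentials.php';

/**
 * Decide whether this request may reach the panel.
 *
 * A request carrying the correct key/value unlocks the panel for the rest
 * of the PHP session, so later panel URLs (without the query string) keep
 * working after login. Written over plain arrays so the logic can be
 * exercised without a web server.
 */
function panelGateAllows(array $query, array &$session, string $key, string $value): bool
{
    // Already unlocked earlier in this session.
    if (!empty($session['panel_unlocked'])) {
        return true;
    }
    // Parameter missing, or supplied as an array (?WhoAreYou[]=x): deny.
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return false;
    }
    // Constant-time comparison: response timing must not reveal how many
    // leading characters of a guess were correct.
    if (!hash_equals($value, $query[$key])) {
        return false;
    }
    $session['panel_unlocked'] = true;
    return true;
}

session_start();

if (!panelGateAllows($_GET, $_SESSION, PANEL_KEY, PANEL_VALUE)) {
    // Wrong or missing pass-phrase: send the visitor to the homepage, as
    // the post describes, and stop before any of the panel code loads.
    header('Location: /', true, 302);
    exit;
}

// ... Kirby's own panel bootstrap continues below this point ...
```

Two design points worth noting. `hash_equals` rather than `==` keeps the comparison constant-time, and the `is_string` check rejects the array form of the parameter that PHP would otherwise hand to the comparison. The pass-phrase still travels in the URL, so it ends up in web-server access logs, browser history and, on any page the panel links out to, the Referer header; the .htpasswd layer the post keeps in front of /panel is what limits who can ever observe that URL.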