I am working on a website which has an admin panel alongside the public website.
Website root folder: `/htdocs`
All other public content of the website is in the `/htdocs` folder only.
Admin website folder: `/htdocs/admin`
My Question: What are the things I need to do to make sure that my admin panel (or website) is secure from attacks?
These are the things I am doing:
- Every file in the `/htdocs/admin` folder has Linux permission 444 (`r--r--r--`). `adminLogin.php` in the admin folder uses the POST method to send the credentials to `validateCredentials.php`, which redirects to `adminHome.php` upon a correct username and password. The following session variable is set (along with others) on a successful login: `$_SESSION['usertype'] = "admin";`
- All other files in the admin folder have a check at the top of the file for a valid admin SESSION variable. If there is no session variable, the page redirects to `adminLogin.php`.
- The administrator's password is stored as an MD5 hash in the `admin_login_details` table. This table is in the same database as the rest of the site. I have this question about making password storage even more secure.
- While verifying the password against the `admin_login_details` table, the entered password is first passed to `mysql_real_escape_string()` and then used, to prevent SQL injection.
What else is needed? Are the above points correct? Is there anything which is a potential security concern?
Please add more points if required.
I am using PHP, MySQL, Apache on CentOS server.
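The following is an added example written by the editor; it is not code from the question above or from any answer to it. It shows a hardened version of the login flow the question describes: a salted, slow password hash via `password_hash()` / `password_verify()` instead of MD5, a PDO prepared statement instead of escaping the input into the query string (the `mysql_*` extension that provides `mysql_real_escape_string()` was removed in PHP 7), session id regeneration on successful login, and the per-page admin check. The table name `admin_login_details`, the page names `adminLogin.php` / `adminHome.php` and the `$_SESSION['usertype']` variable come from the question; the column names `username` and `password_hash`, the DSN and database credentials, and the form field names are assumptions.

```php
<?php
// Added example (not the questioner's code). Assumed: a table admin_login_details
// with columns username and password_hash, and a PDO connection created below.
declare(strict_types=1);

function connectDb(): PDO {
    // Assumed DSN and credentials; replace with your own. Emulated prepares are
    // disabled so the MySQL server, not the client, separates SQL from parameters.
    return new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'site_user', 'db-password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Run when an admin account is created or its password is reset: store a salted,
// slow hash (bcrypt with PASSWORD_DEFAULT) rather than an MD5 digest.
function storeAdminPassword(PDO $pdo, string $username, string $plaintext): void {
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE admin_login_details SET password_hash = :hash WHERE username = :user');
    $stmt->execute([':hash' => $hash, ':user' => $username]);
}

// The role of validateCredentials.php: true only for a correct username/password pair.
function verifyAdminLogin(PDO $pdo, string $username, string $plaintext): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM admin_login_details WHERE username = :user LIMIT 1');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for an unknown username, so that the
    // response time does not reveal whether the username exists.
    $storedHash = $row['password_hash'] ?? password_hash('placeholder-for-unknown-user', PASSWORD_DEFAULT);
    $ok = password_verify($plaintext, $storedHash) && $row !== false;

    // Transparently upgrade the stored hash if the default algorithm or cost changed.
    if ($ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        storeAdminPassword($pdo, $username, $plaintext);
    }
    return $ok;
}

// On success, regenerate the session id before marking the session as admin, so a
// session id handed to the browser before login cannot be reused (session fixation).
function startAdminSession(string $username): void {
    session_regenerate_id(true);
    $_SESSION['usertype']   = 'admin';
    $_SESSION['admin_user'] = $username;
    $_SESSION['login_time'] = time();
}

// Guard to place at the top of every other file in /htdocs/admin.
function requireAdmin(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['usertype'] ?? null) !== 'admin') {
        header('Location: adminLogin.php');
        exit;
    }
}

// Request handling for the login POST (field names 'username' and 'password' assumed).
// The session cookie is HttpOnly and Secure and is not sent on cross-site requests.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');
    $pdo  = connectDb();

    if (verifyAdminLogin($pdo, $user, $pass)) {
        startAdminSession($user);
        header('Location: adminHome.php');
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
}
```

With this structure the password never appears in a SQL string at all, so escaping is no longer what protects the query; the parameter binding does. Existing MD5 hashes cannot be converted to bcrypt without the plaintext, so migration happens at each user's next successful login (or by a forced password reset), after which `password_needs_rehash()` keeps the hashes current as the default cost rises.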