For Security Reasons, I want to edit /admin URL


(Oka bRionZ) #1

Hello,

I just installed the newest Discourse BETA version on my new server. I want to know how to edit the admin URL to a custom prefix (discourse.example.com/admin > discourse.example.com/custom).
I cannot edit it because I don’t know how to implement it in Ruby.

Thanks before.


(Mittineague) #2

Hi bRionZ, welcome to the forum.

Leaving aside the monumental task that changing the routing in Ruby would be, are you expert in how Ember does routing?


(Oka bRionZ) #3

I’m not a Ruby expert, Sir @Mittineague, and I just want to try it. Thanks for the advice.


(Mittineague) #4

No offense, but if you don’t know that Ember is not Ruby (it’s more a JavaScript and Handlebars framework, http://emberjs.com), then I fear you are thinking of doing something without fully appreciating just how much work would be involved.

Not that it couldn’t be done, but it sure wouldn’t be easy.

Just how much security is gained from obscurity is arguable at best, but if security is an interest perhaps you could help in other ways?


(Eoin Ryan) #5

What is the security advantage of changing the admin URL?


(Mittineague) #6

It’s what I classify as Security through Obscurity.

For example, if you changed “admin” to “xyz-admin”, “green-pumpernickel” or whatever, someone trying to crack into your site would fail when they tried to access the ACP at “admin”.

IMHO at best it’s a relatively weak layer of security, but then I suppose every layer of security can help to some extent. The theory being that the more difficult something is, the better the chance that a would-be attacker will give up and try somewhere that’s easier.


(Oka bRionZ) #7

Thanks @Mittineague, now I know what EmberJS is, although I do not understand how to use it. I want it for my Facebook friends claimed could be relied upon in the burglary of a security website. He told me to replace it with a custom admin URL. I had several times to install a forum application, such as vanilla forums, Xenforo, phpBB, vBulletin, etc. And he said that these software are vulnerable and easily taken over only by the weakness of a plugin. But when I install Discourse he just told me to make custom URL only. I would ask him to give it a try as I understand the use emberJS and replace admin URL on my site. May take some time to realize that for me. I’ll let you know if there’s something here that should be updated.

Sorry if I have a bad language, I just translate it on Google Translate Source


(Felix Freiberger) #8

If you care about the security of your site, here are some things that are way more important:

  • Use HTTPS!
  • Have strong passwords on all staff accounts.
  • Use public key authentication for SSH and either disable login by password, or set a long, randomized password that you write down for emergency use.
  • Set up unattended upgrades for your OS, including automated reboots for updates that need them.
  • Keep Discourse up-to-date. Check the upgrade page (/admin/upgrade) to see whether (security) upgrades are available, which can happen even when no new full version is released.

If customizations to Discourse ever keep you from installing an update quickly, that will present a much greater risk than the potential security benefits can offset!
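
An added example, not part of the thread: a small shell audit for the SSH and automatic-upgrade items in the checklist above. It assumes OpenSSH's `sshd_config` and a Debian/Ubuntu-style apt configuration (the `APT::Periodic::Unattended-Upgrade` and `Unattended-Upgrade::Automatic-Reboot` options); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Audits the SSH and automatic-upgrade items of the checklist.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# first value it reads and keywords are case-insensitive. Simplification:
# stops at the first Match block and does not follow Include directives.
sshd_effective() {  # $1 = file, $2 = keyword, $3 = OpenSSH default
    awk -v key="$2" -v def="$3" '
        { sub(/=/, " ") }                  # accept the "Keyword=value" form
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = tolower($2); exit }
        END { print (val != "" ? val : def) }' "$1"
}

# Succeed if an apt.conf-style file sets option $2 to value $3 (uncommented).
apt_option_is() {  # $1 = file
    grep -Eq "^[[:space:]]*$2[[:space:]]+\"$3\";" "$1"
}

# Report findings for one sshd_config and one apt configuration file.
# Sets $findings; returns 0 only when there are none.
audit() {  # $1 = sshd_config, $2 = apt configuration
    findings=0
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: public key authentication is disabled"; findings=$((findings + 1)); }
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] ||
        { echo "WARN: SSH password login is on; keep that password long and random"; findings=$((findings + 1)); }
    apt_option_is "$2" 'APT::Periodic::Unattended-Upgrade' 1 ||
        { echo "FAIL: unattended upgrades are not enabled"; findings=$((findings + 1)); }
    apt_option_is "$2" 'Unattended-Upgrade::Automatic-Reboot' true ||
        { echo "FAIL: automatic reboot after upgrades is not enabled"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not from any real host).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$tmp/apt.conf" <<'EOF'
APT::Periodic::Unattended-Upgrade "1";
// Unattended-Upgrade::Automatic-Reboot "true";
EOF
audit "$tmp/sshd_config" "$tmp/apt.conf" || echo "$findings finding(s)"
rm -rf "$tmp"
```

The sample shows two easy mistakes: the later `PasswordAuthentication no` has no effect because sshd uses the first value, and a commented-out apt option does not count as set. On a real host, pass `/etc/ssh/sshd_config` and a concatenation of the files under `/etc/apt/apt.conf.d/`.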