Admin account restriction

5 posts by 3 authors in: Forums > CMS Builder
Last Post: November 5, 2014

By ht1080z - October 21, 2014

Hi,

I need to restrict the admin account use / change on one of my installations.

Can I delete or permanently hide the admin account from phpMyAdmin (backing up the accounts table first) and restrict the admin account use like this?

My concern is that if somebody changes the email of the admin account from phpMyAdmin, they can easily request a password reset for the new email and access admin-level privileges for cmsBuilder.

Any suggestions on this?

Thank you in advance,
Karls

By gregThomas - November 4, 2014

Hi Karls,

I really don't recommend deleting all of the admin accounts, but I've done a quick test, and it looks like you could theoretically do it, and it doesn't look like it has any effect on the behavior of the CMS (with the exception of not being able to log in). However, there could be edge cases that my testing didn't cover that could cause issues.

If someone gained access to phpMyAdmin, they could just add another record to the accounts section, even if the current one was deleted, then reset its password.

I think a better option would be to ensure you make phpMyAdmin as secure as possible. For example:

  • Minimize the number of accounts that can log in to phpMyAdmin.
  • Change the default phpMyAdmin URL path (example.com/phpmyadmin) to something else.
  • Ensure that accounts that can log in to phpMyAdmin have long, secure passwords.

Also, if you're running the latest version of CMS Builder, if you go to the General Settings tab, it will list ways you can make your installation as secure as possible.

Let me know if you have any questions.

Thanks,

Greg

Greg Thomas
PHP Programmer - interactivetools.com

By ht1080z - November 4, 2014

Hi Greg,

The issue is not security but trust. In the same month last year we completed work for a client and gave them editor access to manage the website and its data. The payment for our work was only partly completed, and now the client has found another developer and hosting company to continue cooperation.

I want to ensure that they cannot hack access to the admin account in any way and unlock cmsBuilder for future development until some differences are cleared up. In any case, we agreed only to editor access in the first place.

Is there something else I can do to keep the admin account inaccessible?

Karls

By ht1080z - November 5, 2014

Hi Dave,

Thank you for your help on this! I'll make some tests with the script.

Karls