Hi
Looking around the script and having a file hosting website for a long time I learnt that having more security measures never hurt! So here is some of the things that I could think of that can help the system be more secure
- For Admin
1- Let the user change the admin area url (I didn't see the option but it might work by changing the directory name but I haven't tested)
2- Add Google Authenticator, admin don't have to have it, but maybe some of the admins prefer having it
3- Force the admin to change their password every x days
4- brute force attack detection, simple log if the password has been entered incorrectly from an IP address and block the IP for a set period of time (let's say 15 minutes) after X number of unsuccessful attempt
5- add a captcha to admin login form
- For Users
1- Add Google Authenticator, users don't have to have it, but maybe some of the user prefer having it
2- Add security lock, I didn't see this but maybe you already have it, something like XFS that won't let the user change the email or password before verification (using a simple email) and turning security off
3- Force the user to change their password every x days
4- block the account automatically if more then x IP addresses accessed the account in a fix period of time (let's say one hour, this would help with stopping users to share their account)
5- brute force attack detection, simple log if the password has been entered incorrectly from an IP address and block the IP for a set period of time (let's say 15 minutes) after X number of unsuccessful attempt
Sorry if I'm making to much threats, I'm just sitting here today thinking about the stuff I think all the website admins would love to have
Looking around the script and having a file hosting website for a long time I learnt that having more security measures never hurt! So here is some of the things that I could think of that can help the system be more secure
- For Admin
1- Let the user change the admin area url (I didn't see the option but it might work by changing the directory name but I haven't tested)
2- Add Google Authenticator, admin don't have to have it, but maybe some of the admins prefer having it
3- Force the admin to change their password every x days
4- brute force attack detection, simple log if the password has been entered incorrectly from an IP address and block the IP for a set period of time (let's say 15 minutes) after X number of unsuccessful attempt
5- add a captcha to admin login form
- For Users
1- Add Google Authenticator, users don't have to have it, but maybe some of the user prefer having it
2- Add security lock, I didn't see this but maybe you already have it, something like XFS that won't let the user change the email or password before verification (using a simple email) and turning security off
3- Force the user to change their password every x days
4- block the account automatically if more then x IP addresses accessed the account in a fix period of time (let's say one hour, this would help with stopping users to share their account)
5- brute force attack detection, simple log if the password has been entered incorrectly from an IP address and block the IP for a set period of time (let's say 15 minutes) after X number of unsuccessful attempt
Sorry if I'm making to much threats, I'm just sitting here today thinking about the stuff I think all the website admins would love to have