How to secure your website's admin system

5th September 2021

5-minute read

Nearly all websites use a behind-the-scenes admin system that enables the website owner to update content. Find out how to protect your admin system from unauthorised access.

Your website's admin system - or Content Management System (CMS) - is an online application that lets you make changes to your website's content.

Business owners and marketing teams use this type of facility to refresh website content, add news stories and update online blogs. But because the system is online and accessed via a browser, anyone - whether they're a genuine user or nefarious hacker - can get to the system's login screen.

This means that your system is vulnerable to unauthorised access and if this were to happen, the first you know about it might be when someone lets you know that your website's showing inappropriate content!

Here are some steps to follow to help secure your CMS, which will prevent unwanted access and keep your website's content protected.

What you can do to protect your website's CMS

Good passwords

A website CMS is an easy target for a hacker, particularly because the URL of the admin system (the web address you type in to get to the login page) is often predictable. You can access many systems simply by adding "admin" to the end of the web address, so that www.my-domain.co.uk is the address of your website and www.my-domain.co.uk/admin is the address of its admin system.

For example, you get to the admin part of WordPress by adding wp-admin to the website's address.

If a hacker can easily reach the login screen, they need only enter a valid username and password to get access. For convenience, usernames often match a user's email address, so if a hacker knows the name of an employee, they can easily deduce that person's email address.

Consequently, of the three things the hacker needs to know to access your admin system - its URL, a valid username and valid password - the first two are often easy to work out, which means the password is critical.

Even though unauthorised access to online accounts is commonplace, some users still make poor choices when they set a password, usually because they use:

  • dictionary words
  • common password patterns, such as "qwerty" or "12345"
  • names or dates that are personal or relevant, such as pets' names, children's birthdays etc.

Therefore, you should instil in your CMS users the importance of using high-quality passwords.

Password policy

You can strengthen all users' passwords by setting up a password policy, which prevents a user from choosing a weak, easily-guessed password by applying rules. Typically, this might require the user to select a password that:

  • contains a minimum number of uppercase and lowercase characters and numeric digits
  • meets a minimum length, such as 8 or 10 characters
  • includes some non-standard characters found on the top row of your keyboard, such as ! $ % ^ * @ ~ #

Your password policy can be a written document that you circulate to users and ask them to abide by its rules. Or your admin system may allow you to configure those rules within the system itself, which makes it impossible for a user to enter a password that doesn't meet your minimum standards.
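The two lists above (weak choices to avoid, rules a policy should apply) translate directly into a server-side check. This is an added example, not the article's or any CMS's own code; the blocked-word list and the personal terms are constructed, and a real deployment would load a far larger dictionary.

```python
import re
from typing import List, Sequence

MIN_LENGTH = 10
SPECIALS = set("!$%^*@~#&()-_=+")

# Constructed sample: dictionary words and keyboard patterns named in the article.
# Ordered so that the first match reported is deterministic.
COMMON_WORDS = ("password", "qwerty", "12345", "welcome", "letmein", "football")


def check_password(candidate: str, personal_terms: Sequence[str] = ()) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means accepted.

    personal_terms holds values taken from the user's profile (pet names, family
    birthdays) so that "relevant" choices are rejected, not just generic ones.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not any(ch in SPECIALS for ch in candidate):
        problems.append("no special character")

    lowered = candidate.lower()
    # A common word padded with digits or symbols ("Qwerty123!") still fails.
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word or pattern '{word}'")
            break
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
            break
    return problems
```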

Housekeep old accounts

Don't forget to tidy up old user accounts that you no longer need. This might be because a user has changed role within the business and no longer needs access to the website's admin system. Or it could be that a user account belongs to someone who left the business to work elsewhere.

In either case - particularly the latter - you should housekeep old accounts and ensure that the login details are removed altogether or, as a minimum, made inactive so that they no longer work.

No shared user details

Although it may be more convenient for the people involved, it's not a good idea to allow multiple people to share the same login details, so make sure each of your users is set up with an individual account and, therefore, an individual password.

What your web developer can do to protect your website's CMS

All points raised above improve the security of your system because they encourage, if not force, users to select high-quality, hard-to-guess passwords. Despite these changes, your system is still vulnerable because:

  1. anyone can reach its login screen
  2. if a hacker can guess a user's password, they're in!

Your web developer should be able to put in place further measures that make the security of your system that much more robust, so suggest these points to your developer.

Two-factor authentication

When applied to a user's account, two-factor authentication improves its security considerably because it's like having a second password. Logging in with the correct username and password is no longer sufficient; to gain access to the system, the user must also pass the "two-factor" stage as well.

Typically, this second stage password involves entering a 6-digit number sent to you by SMS or provided to you by an authentication app on your phone. In both instances, the number remains valid for a short time only - often for as little as 30 seconds.

If you can pass the "two-factor" stage by supplying the correct 6-digit number, you've proven that not only do you know the login details but you have access to the mobile phone listed against that user.

The upshot is that should someone learn your login details, they still can't use that information to log in because they won't receive the two-factor SMS sent to your phone.
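The 6-digit, 30-second code an authentication app shows is a TOTP (RFC 6238) value; the app and the server share a secret and each derive the code from the current time. This added example, not taken from the article or any CMS, implements the server side with the standard library only; the secret is the RFC 6238 test-vector secret, and the replay guard (refusing a time step already used) is the check a practitioner adds on top of the bare standard.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # validity window the article mentions
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to the wanted digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time // step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int,
                last_accepted_step: int = -1, drift_steps: int = 1) -> Optional[int]:
    """Return the time step that matched (store it as last_accepted_step) or None.

    One step either side of 'now' is accepted to tolerate phone clock drift.
    Steps at or before last_accepted_step are refused so a code captured over
    the shoulder cannot be replayed inside its window. Comparison is constant
    time so response timing does not reveal how many digits were right.
    """
    current = at // STEP_SECONDS
    for d in range(-drift_steps, drift_steps + 1):
        step = current + d
        if step > last_accepted_step and hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 variant.
TEST_SECRET = b"12345678901234567890"
```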

Lockdown by IP address

Your web developer may also be able to secure your CMS by limiting its access to recognised IP addresses only. Each access point on the Internet - whether that's your broadband router at home or the equivalent from your office at work - gets assigned a unique IP address and if your web developer can specify a list of valid addresses permitted to access the login screen, you can effectively control who can and can't access your CMS.

However, it's commonplace for home broadband connections to get allocated different IP addresses quite regularly, so the list of valid addresses quickly becomes out-of-date. With businesses having a high number of home-based workers these days, this might become inconvenient if the web developer has to update the list of valid addresses every week.

3 strikes and you're out

If you aren't able to introduce the more advanced recommendations of two-factor authentication and IP address lockdown, perhaps reduce the ease with which a hacker can try to access your system by limiting the number of permitted failed login attempts.

If, for example, you allow only three login attempts against a given username before you make that account inactive, you prevent a hacker having limitless goes at accessing your system. In reality, hacking often involves educated guessing so limiting the number of password attempts (guesses) to three significantly reduces the hacker's chances and, therefore, improves the security of your online system.
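The two developer-side controls just described, an IP allowlist on the login screen and a three-strikes lockout, fit into one login routine. This is an added example, not code from the article or from any CMS; the allowlisted ranges are constructed documentation addresses, and PBKDF2 stands in for whatever slow password hash the system already uses.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3   # "3 strikes and you're out"

# Constructed allowlist: an office range plus one home connection with a fixed address.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    active: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so a leaked user table does not yield passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def ip_allowed(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def attempt_login(account: Account, client_ip: str, password: str) -> str:
    """Return 'denied_ip', 'locked', 'bad_credentials' or 'ok'.

    The allowlist is checked first, so a request from elsewhere never gets a
    password guess at all. The failure counter resets only on success; the
    third consecutive failure makes the account inactive until an administrator
    re-enables it, which is what caps a hacker's guesses at three."""
    if not ip_allowed(client_ip):
        return "denied_ip"
    if not account.active:
        return "locked"
    if hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.active = False
        return "locked"
    return "bad_credentials"
```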

Jeremy Flight

Technical Director

About the author

This article was written in September 2021 by Jeremy Flight, Technical Director at Rubiqa.

He has worked in the web design industry since 1999 and has helped many private businesses and public sector organisations with complex website projects. As the technical lead at Rubiqa, he is the primary contributor to our software products and is involved with projects relating to website design, eCommerce, database systems and mobile apps.

Away from work, Jeremy is a qualified cricket coach and works with junior players at his local club. He is also interested in property investment, golf, photography, playing the piano and holidaying in France.