Reputation: 1
Is it actually a good idea to hide admin URLs in order to prevent damage by hackers? How can a hacker enter the admin area without knowing the URL, even if the hacker has the username and password?
Upvotes: 0
Views: 251
Reputation: 4783
No, I don't believe it is a good idea, mainly because it's likely pointless, as any tiny amount of security you could possibly gain would be terrible compared to tried and tested security methods and practices which are implemented, updated and used by professionals.
Also, it's all more likely a headache to code and maintain, especially when it comes to asking advice about your homebrew security.
Even if you hid some "admin-area.php" URL(s), if 'they' have access to the admin area by redirect, a frame (urgh), htaccess rewrite, or some other bad means you invented to not show them some URL, then they still have access to the admin area where they can cause havoc, so it exists for them and so it does for hackers/etc. (the URL is meaningless, it's the actual scripts with DB queries etc. which need to be secure).
Brute force and hacking can be taken care of (by that I mean as best you can) with the usual tried and tested security approaches: using a proper login system with bcrypt/blowfish/random salt per user or a similar standard for passwords (not MD5 or SHA), with users made to choose at least X chars, one uppercase and a number, using PDO/MySQLi correctly, and, before doing anything at all with any user input, validating it all with strlen, is_numeric, some regex to get rid of bad chars (etc).
Upvotes: 0
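The server-side checks the answer above lists (bcrypt with a per-user salt, a password policy, PDO prepared statements), as an added example that is not part of the original post. The `users` table, the function names, the 10-character minimum and the in-memory SQLite database (which needs the `pdo_sqlite` extension) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed policy: the answer says "at least X chars"; X = 10 is chosen here.
const MIN_PASSWORD_LENGTH = 10;

function passwordMeetsPolicy(string $password): bool
{
    // Minimum length, at least one uppercase letter, at least one digit.
    return strlen($password) >= MIN_PASSWORD_LENGTH
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

function createUser(PDO $db, string $username, string $password): void
{
    if (!passwordMeetsPolicy($password)) {
        throw new InvalidArgumentException('Password does not meet policy');
    }
    // password_hash() generates a random salt per user and stores it in the hash.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, 1)'
    );
    $stmt->execute([$username, $hash]);
}

function verifyAdminLogin(PDO $db, string $username, string $password): bool
{
    // Prepared statement: user input is bound, never concatenated into SQL.
    $stmt = $db->prepare(
        'SELECT password_hash FROM users WHERE username = ? AND is_admin = 1'
    );
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such admin exists
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo data: in-memory SQLite database with one admin account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY,
           password_hash TEXT NOT NULL, is_admin INTEGER NOT NULL)');
createUser($db, 'admin', 'Correct-Horse-42');

// Each admin script runs this check itself, whatever URL it was reached by.
var_dump(verifyAdminLogin($db, 'admin', 'Correct-Horse-42'));
var_dump(verifyAdminLogin($db, 'admin', 'wrong-password'));
var_dump(verifyAdminLogin($db, "admin' OR '1'='1", 'x')); // bound as a literal name
```

In a real admin page the result of `verifyAdminLogin()` would set a session flag that every admin script checks before running its queries.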
Reputation: 11602
What you mean is security through obscurity, and it is a very, very, very bad idea...
Upvotes: 1