Securing ExpressionEngine Control Panel: The Peekaboo Way!
ExpressionEngine control panel files are, by default, located in a folder called "system". I very much like this naming. It's short and easy to remember, especially for clients.
Since we deploy CMSs, it makes sense to refer to it as "system". However, in every install we rename the system folder to something like "system_bD3WpiOD2HD9" for obvious reasons! Imagine telling your client that they have to remember all that mumbo jumbo.
So how do we go about renaming the control panel folder while having it easily accessible?
Masking Access to Control Panel
In the user guide there is a section called "Masking Access to the Control Panel", which talks about moving and editing the admin.php and path.php files in order to access the control panel through a different URL, e.g. http://www.example.com/admin.php
What if I want to access the control panel via http://www.example.com/system while having the folder renamed?
Peekaboo! I see you system folder!
Actually, you don't! And here is how:
During installation, rename the system folder to something else, e.g. "system_bD3WpiOD2HD9"
After the installation, create an empty folder called system
In System Preferences/General Configuration, make sure you empty out the "Name of your site's index page" box
Move path.php and admin.php into this folder.
Edit path.php to look like this.
$system_path = "../system_bD3WpiOD2HD9/";
Refer to the official guide for details on editing path.php and changing the $system_path variable.
Rename admin.php to index.php
Add the URL fix below to the ".htaccess" file located in the root folder
### ExpressionEngine URL Fix ###
RewriteCond $1 !^(system_bD3WpiOD2HD9|system|images|themes|index\.php) [NC]
RewriteRule ^(.*)$ /index.php/$1 [L]
Load the control panel via http://www.example.com/system and enjoy the masked URL.
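To confirm a deployment actually ended up in the layout the steps above describe, the following added example (not part of the original post or of ExpressionEngine) audits a document root from the shell. The function names check_masked_cp and make_sample_docroot are assumptions, and the sample docroot is constructed from the values shown in the steps.

```shell
#!/bin/sh
# Added example: audit a docroot for the masked control-panel layout.
# Function names are hypothetical; only double-quoted $system_path values are parsed.
check_masked_cp() {
    docroot=$1; stub="$docroot/system"; rc=0

    # The stub must hold path.php and admin.php renamed to index.php.
    for f in index.php path.php; do
        [ -f "$stub/$f" ] || { echo "FAIL: $stub/$f is missing"; rc=1; }
    done
    if [ -e "$stub/admin.php" ]; then
        echo "FAIL: admin.php was not renamed to index.php"; rc=1
    fi

    # Read the $system_path value out of path.php and resolve it from the stub.
    sys_path=$(sed -n 's/^[[:space:]]*\$system_path[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$stub/path.php" 2>/dev/null | head -n 1)
    if [ -z "$sys_path" ] || [ ! -d "$stub/$sys_path" ]; then
        echo "FAIL: \$system_path does not point at an existing folder"; rc=1
    elif [ "$(basename "$(cd "$stub/$sys_path" && pwd -P)")" = "system" ]; then
        echo "FAIL: \$system_path still points at a folder named system"; rc=1
    fi

    # The rewrite condition must exclude "system" so /system is not rewritten.
    if ! grep -Eq '^[[:space:]]*RewriteCond[[:space:]].*[(|]system[|)]' \
        "$docroot/.htaccess" 2>/dev/null; then
        echo "FAIL: .htaccess RewriteCond does not exclude system"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $docroot matches the masked layout"
    return "$rc"
}

# Constructed sample docroot mirroring the steps above; prints its path.
make_sample_docroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/system" "$d/system_bD3WpiOD2HD9"
    printf '%s\n' '<?php' '$system_path = "../system_bD3WpiOD2HD9/";' > "$d/system/path.php"
    : > "$d/system/index.php"
    printf '%s\n' 'RewriteCond $1 !^(system_bD3WpiOD2HD9|system|images|themes|index\.php) [NC]' \
        'RewriteRule ^(.*)$ /index.php/$1 [L]' > "$d/.htaccess"
    echo "$d"
}

sample=$(make_sample_docroot) && check_masked_cp "$sample"
rm -rf "$sample"
```

Call check_masked_cp with the real document root after each deployment; it returns non-zero and prints one FAIL line per check that does not hold.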
I'm sure there are other ways to achieve this outcome or you might have an entirely different approach.
I'd very much like to hear your thoughts and suggestions on this to improve the ExpressionEngine development process.