I want to change the admin login

serdo

I want to change the admin login. Is this possible for security reasons?

Forogramero

If you mean admin password (not talking about interface, right?):

Create a new user and give him admin and moderator permissions.

Log out.

serdo

Forogramero siteadres.com/admin this is what I'm talking about

I want to change the /admin path

clarkwinkelmann

Changing /admin path would bring no security benefit, because it's just hosting the single page app. Flarum has no separate authentication for the admin panel, so whatever obfuscation you put in place will be useless if regular login is also allowed, as all endpoints will always be discoverable.

What you'd need to change for security through obscurity are the API paths for settings edit, permissions and extension management, but even that would be useless without changing how the admin panel operates.

The attack vector you are trying to prevent here is using an admin account with already leaked credentials. If you customize the admin or API paths, after logging in this information would immediately be leaked to the user as part of the Flarum boot payload.

The best protections for this already exist: for credential leak/steal, require 2 factor authentication for admins. If you are concerned about cookie stealers, there's the Sudo extension to ask for password every time you enter the admin panel.

If you really wanted an additional level or protection on top of those, the best would not be to obfuscate the endpoints, but to create a separate admin password that needs to be entered when using the admin panel. The same code from the Sudo extension could be used to implement it. The code would be part of the URL, or asked in a popup each time.

EDIT: or, I suppose, the other attack vector one tries to prevent when renaming apps are CSRF or authorization bypass vulnerabilities. But all the core admin features rely on just about 3 API endpoints and they all use assertAdmin. Unless there's some sort of vulnerability in the router that lets an attacker skip middlewares, I don't see how this could be exploited. I think it's much more likely for the server to be hacked through other means.

KBExit

Security by obscurity is not best practice.
You can however, in addition to what @clarkwinkelmann mentioned, install 2FA into Flarum and mandate all Admins to use that.

clarkwinkelmann

Some more thoughts: to achieve kind of what you can do with Wordpress, what you would have to do is host 2 instances of Flarum on different URLs but connected to the same database and filesystem. On the main URL, you would then use custom extenders or a fork of Flarum core to remove every admin feature. Those feature would then only be used from the second instance. But again this seems overly complex for the attack vectors you're trying to protect against.

An easier solution to lock down the dangerous endpoints would be to go into your web application firewall (WAF) settings and IP-restrict the /api/settings, /api/permission, /api/extensions/*, /api/logo, /api/favicon endpoints.

You can see all the admin-related endpoints at the bottom of the routes.php file flarum/frameworkblob/v1.8.11/framework/core/src/Api/routes.php#L285

Note that extensions will add their own API endpoints. If you're worried about the security of those endpoints, and if they are only used from within the admin panel, you could restrict them as well.

If you are deploying Flarum as part of an automated process (continuous deployment), you could kill the admin panel entirely by removing/blacklisting all its endpoints and configure all settings through local extenders or by populating the database automatically.