
Atari (Level 9)

Industry standard for admin backend

I am creating an app where I will need to constantly add products and articles, so I will need an admin area. I am unsure what today's standard or best practice is for where I should place it.

I know I can route it to, say, appname.com/admin, but is this today's standard still?

Jeffrey must have an admin area of Laracasts in order to add new content, manage users and discussions. Does anyone know how Jeffrey implemented the admin area at Laracasts?

0 likes
13 replies
bheath

I don't think there is a standard. But most things I have seen, used, or written seem to use /admin.

That said, I do have one project where the admin is so complex that I made it its own project and subdomain, i.e. admin.myproject.com.

2 likes
Atari (Level 9)

In the series "Whatcha Working On: Coupon Generation With TDD" I saw that Jeffrey seems to use /admin.

mikevrind

There is no standard for the route name. Use what you want or what is appropriate for the application you are building.

1 like
tisuchi

Honestly, it depends upon programmers.

However, many of them use /admin or /dashboard. Even some of them use /admin/dashboard to make it more secure.

2 likes
MikeHopley

Even some of them use /admin/dashboard to make it more secure.

That's not secure enough. Only a beginner would think so.

The proper way is /adm1n/dashb0ard.

4 likes
Atari (Level 9)

@MikeHopley what would be the most secure approach overall? If you were to implement an admin area, how would you do it?

option

To reduce potential brute forcing I'd suggest making it something non-obvious like /controller/.

If you have users logging in too, you could base it on a userlevel basis and then redirect any userlevel > 1. This way you and the users log in the same way but then the code will move you elsewhere if you have the correct settings to suit.

2 likes
MikeHopley

what would be the most secure approach overall? If you were to implement an admin area, how would you do it?

The simplest option is a very strong password -- like 20 random characters. This is what I do for myself. Use a password manager so you don't have to remember it.

To improve on this, you could add login throttling. If you're really serious about it, you could require two-factor authentication.

Occasionally you can restrict by IP address. For example, my admin panel for MySQL is locked to my IP. Yes, I have to update it, but I have a script for that; and I only occasionally use the admin panel.

I was a bit snide about security-by-obscurity, because generally it's weak. However, it's worth noting that ServerPilot recommends it for protecting phpMyAdmin. The important thing is that you don't rely on security-by-obscurity. It's okay to add it as an additional layer.

1 like
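The throttling and IP-restriction layers described in the reply above, written out as an added Laravel example (this is not code from the thread, from Laracasts, or from any poster). It assumes a Laravel 10/11 application; the middleware class name, the `admin.allowed_ips` config key, the `ADMIN_ALLOWED_IPS` environment variable, the `admin-login` rate limiter name, the `access-admin` gate and the two controllers are all invented for the example.

```php
<?php
// app/Http/Middleware/RestrictAdminByIp.php  (added example, names are assumptions)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictAdminByIp
{
    public function handle(Request $request, Closure $next): Response
    {
        // config/admin.php is assumed to contain:
        //   'allowed_ips' => explode(',', env('ADMIN_ALLOWED_IPS', '')),
        // so the allowlist can be updated from .env without a code change.
        $allowed = array_filter(array_map('trim', config('admin.allowed_ips', [])));

        // Caveat: behind a load balancer or CDN, $request->ip() is the proxy's address
        // unless the trusted-proxy list is configured; an empty allowlist denies everyone.
        if (!in_array($request->ip(), $allowed, true)) {
            // 404 rather than 403 so the panel's existence is not confirmed to outsiders.
            abort(404);
        }

        return $next($request);
    }
}

// app/Providers/AppServiceProvider.php, inside boot()  (added example)
//
// use Illuminate\Cache\RateLimiting\Limit;
// use Illuminate\Http\Request;
// use Illuminate\Support\Facades\RateLimiter;
//
// Login throttling: five attempts per minute, keyed on client IP *and* the
// submitted e-mail, so one attacker cannot lock everyone out and one account
// cannot be sprayed from many addresses without tripping the per-address limit.
//
// RateLimiter::for('admin-login', function (Request $request) {
//     $email = strtolower((string) $request->input('email'));
//     return Limit::perMinute(5)->by($request->ip().'|'.$email);
// });

// routes/web.php  (added example)
//
// use App\Http\Controllers\Admin\DashboardController;   // assumed controller
// use App\Http\Controllers\Admin\AdminLoginController;  // assumed controller
// use App\Http\Middleware\RestrictAdminByIp;
// use Illuminate\Support\Facades\Route;
//
// Route::prefix('admin')
//     ->middleware(['web', RestrictAdminByIp::class])
//     ->group(function () {
//         // The login form itself sits behind the IP allowlist and the throttle.
//         Route::get('/login', [AdminLoginController::class, 'create']);
//         Route::post('/login', [AdminLoginController::class, 'store'])
//             ->middleware('throttle:admin-login');
//
//         // Everything else additionally requires a session and an 'access-admin'
//         // gate (assumed to be defined in AuthServiceProvider).
//         Route::middleware(['auth', 'can:access-admin'])->group(function () {
//             Route::get('/dashboard', [DashboardController::class, 'index']);
//         });
//     });
```

The order matters: the IP check runs before the login form is even served, the throttle protects the POST, and the `auth` plus gate check protects the pages behind it. Two-factor authentication, which the reply mentions as the next step up, would be enforced on top of `auth` rather than replacing any of these layers.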
SamL

I probably don't have to say this (as others have), but there's little to no security benefits in modifying your backend URI to something obscure.

With regards to a standard, there aren't any really. Most that I have seen have been /admin. I've seen /backend and /app too but you can use whatever makes most sense to your app. Or not. It doesn't really matter because it's a private area of your page and it's not like Google is going to index it.

1 like
jlrdw

The standard is mysql, php pdo, html, and some css. So yes there is a standard. Of course that's if you are using mysql.

1 like
alexwolff

The most secure is to not have a publicly accessible admin URI at all.

Approach 1: Use a non-published subdomain and add it to your hosts file.

Approach 2: Create a VPN environment and connect to the server via VPN. As in Approach 1, make the web server listen only on the VPN IP and add it to your hosts file.

Maybe a bit overkill for most projects, but if you want to be secure you will need to go through this setup.

Another simpler but fairly secure approach would be to add a parameter to your admin URL, something like https://domain.com/admin?letmeintoken=secureToken

Even if someone guesses the right URL, you just send back a 404 if the token is missing and/or wrong.

On top of that you could do a two-step auth login for your admin URL, which is pretty straightforward to implement.

Alex

1 like
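The "token or 404" idea from the post above, written out as an added Laravel middleware example (not code from the thread or from any poster). It assumes a Laravel 10/11 application; the class name, the `admin.entry_token` config key, the `ADMIN_ENTRY_TOKEN` environment variable and the `X-Admin-Token` header name are invented for the example. Two points the post leaves implicit are handled here: the comparison is constant-time via `hash_equals()`, and a token carried in the query string, as in the post's `?letmeintoken=...`, is written to web-server access logs, browser history and outgoing Referer headers, so the example accepts it from a request header as well and treats the query parameter as the fallback.

```php
<?php
// app/Http/Middleware/RequireAdminToken.php  (added example, names are assumptions)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RequireAdminToken
{
    public function handle(Request $request, Closure $next): Response
    {
        // config/admin.php is assumed to contain:
        //   'entry_token' => env('ADMIN_ENTRY_TOKEN'),
        // generated once with e.g. `php -r 'echo bin2hex(random_bytes(32));'`.
        $expected = (string) config('admin.entry_token', '');

        // Prefer a header (not logged by default, never sent as a Referer);
        // fall back to the query parameter the post describes.
        $presented = (string) ($request->header('X-Admin-Token')
            ?? $request->query('letmeintoken', ''));

        // Fail closed if no token is configured, and compare in constant time so
        // response timing does not leak how many leading bytes matched.
        if ($expected === '' || !hash_equals($expected, $presented)) {
            abort(404); // same response as a non-existent route
        }

        return $next($request);
    }
}

// routes/web.php  (added example)
//
// use App\Http\Middleware\RequireAdminToken;
// use Illuminate\Support\Facades\Route;
//
// Route::prefix('admin')
//     ->middleware(['web', RequireAdminToken::class, 'auth'])
//     ->group(function () {
//         // admin routes...
//     });
```

As MikeHopley notes earlier in the thread, this kind of obscurity is acceptable only as an extra layer: the `auth` middleware (and two-factor authentication, if you add it) still has to be present on the same route group, and anyone with the token still needs a real login.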
