
Possible Duplicate:
What are best practices for securing the admin section of a website?

I'm wondering if the only way to do admin chores on your website, like banning users, deleting posts and invoking other admin functions, is to make an admin section, where the only thing that prevents users from logging in is a password. Isn't there some other alternative, like a page which isn't visible to the users?

  • When you say "isn't visible to the users" do you mean there's no anchor tag on your site to that page? – Alex May 27 '12 at 16:35

1 Answer

1

If the website requires a login for both regular activities and admins, e.g. a forum, I'd use separate logins which use the same user database. This ensures that XSRF and session-stealing won't allow the attacker to access administrative areas.

Additionally, if the admin section is in a separate subdirectory, securing that one with the webserver's authentication (.htaccess in Apache for example) might be a good idea - then someone needs both that password and the user password.

Obscuring the admin path yields almost no security gain - if someone knows valid login data he's most likely also able to find out the path of the admin tool since he either phished it or keylogged you or got it via social engineering (which would probably reveal the path, too). But even without an obscured path you do not need a link to it; simply enter it manually to access the admin areas.

A brute-force protection like blocking the user's IP after 3 failed logins or requiring a CAPTCHA after a failed login (not for the first login as that's just extremely annoying for legit users) might also be useful.


But all in all, unless your website contains sensitive information etc., a secure password and no security holes should be sufficient in most cases.

ThiefMaster