I'm currently making a check list of ALL possible security checks I can use for writing my own custom CMS. As far as the control panel/admin panel goes, I've been speculating the following to provide the best security I can (bear in mind, a 100% secure system is a virtual impossibility.)
Here's what I thought of thus far:
- .htpasswd (outside of /public_html)
- Block access to any files starting with .ht via htaccess
- Database based login
- Password protect the admin directory
- "Sanitize" any user input, run checks, etc.
- General consideration, place any config files outside of /public_html/, no sensitive data in .inc.php files
- Record errors/warnings
What do you think?