1. Change the backend access URL
By default /webasyst/ is used to access the backend, but you can easily change this. To do so, simply add the following line to the configuration file wa-config/config.php:
'backend_url' => 'admin', // this will make the backend accessible at /admin/
You can use any other string instead of 'admin'.
It is also possible to have a dynamically generated backend URL; e.g.:
'backend_url' => 'admin'.date('d'),
date('d') returns the day number of the current date; for example, on June 8 it will return 08. Thus, your backend would be accessible at /admin08/ on that specific day.
2. Change the user password hash generation function
The framework does not store user passwords; it stores their hashes instead. To ensure compatibility with other software systems and previous generations of WebAsyst applications, the framework utilizes md5($password) as the hash generation function by default.
Modern GPUs can brute-force md5-generated hashes relatively quickly, which means that if your users' password hashes get leaked, many passwords can be compromised.
As of framework version 1.0.8 you can assign a custom password hash generation function by declaring the function wa_password_hash() at the end of the file wa-config/SystemConfig.class.php, for example:
function wa_password_hash($password) { return md5(sha1("S!aL:T1%(#".$password)."_s+A=lT,2?*"); }
The strings S!aL:T1%(# and _s+A=lT,2?* in the above example are called "salt". You can specify your own values instead of the ones shown in the example. Adding a "salt" makes hashes more resistant to brute-force cracking.
Important note: After you change the hash-generation function, all backend users will have to perform the password-recovery procedure (click the "forgot password?" link). Therefore, it is preferable to make this change when you have very few backend users. It is recommended to store the source code of the wa_password_hash() function in a reliable place so that you can continue using the framework if you accidentally lose access to the installed scripts and if you need to copy the database to another server.
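The wa_password_hash() hook from section 2 can also use a deliberately slow function, so that each guess against a leaked hash costs far more than one md5 or sha1 call. The following is an added example, not Webasyst code. It assumes the framework checks a login by recomputing wa_password_hash($password) and comparing the result with the stored hash, and that 32 hexadecimal characters (the length md5() returns) fit the storage; EXAMPLE_SITE_SALT, EXAMPLE_ITERATIONS and example_hash_cost_ms() are hypothetical names.

```php
<?php
// Added example, not Webasyst code.
// Assumption: the framework verifies a login by recomputing
// wa_password_hash($password) and comparing it with the stored value, so the
// function must be deterministic (a random per-call salt, as used by PHP's
// password_hash(), would never match on the next login).

// Constructed placeholders: use your own long random string and tune the
// iteration count to what your server can afford per login.
const EXAMPLE_SITE_SALT  = 'replace-with-your-own-long-random-string';
const EXAMPLE_ITERATIONS = 200000;

function wa_password_hash($password)
{
    // PBKDF2-HMAC-SHA256, truncated to 32 hex characters (same length as md5()).
    return hash_pbkdf2('sha256', $password, EXAMPLE_SITE_SALT, EXAMPLE_ITERATIONS, 32);
}

// Hypothetical helper: average milliseconds spent per hash on this server.
function example_hash_cost_ms($rounds = 5)
{
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        wa_password_hash('constructed-sample-' . $i);
    }
    return (microtime(true) - $start) * 1000 / $rounds;
}

// Self-check when this file is run directly from the command line.
// Remove this part before pasting the function into SystemConfig.class.php.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $a = wa_password_hash('constructed-sample');
    $b = wa_password_hash('constructed-sample');
    printf("deterministic: %s\n", hash_equals($a, $b) ? 'yes' : 'no');
    printf("hash length:   %d\n", strlen($a));
    printf("cost per hash: %.1f ms\n", example_hash_cost_ms());
}
```

Because the salt is the same for every user, two users with the same password still get the same hash; the iteration count only raises the cost of each guess.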