#37713 Admin Tools Pro

Posted in ‘Pre-sales and Account Questions’
Latest post by nicholas on Thursday, 08 September 2022 10:21 CDT

mrcutoutdb

Hello,


We'd like to consider purchasing Admin Tools Pro for our website. However, we wanted to know what the software exactly provides, in particular:

- what kinds of attacks on the website does the plugin protect against?

- does it check whether, and which, files might have been changed by an attack?

- does it block and secure the website against file inclusion?

- what other security options does it provide, and how are they performed?

Also, we wanted to ask whether it is possible to test the plugin before purchasing it.

Thank you!


nicholas
Akeeba Staff
Manager

> - what kinds of attacks on the website does the plugin protect against?

You can find all security features in the documentation. A very brief overview of the same can be found in the product page.

> - does it check whether, and which, files might have been changed by an attack?

The idea is that the attack is blocked, therefore nothing has been changed.

If an attack did succeed (usually because of an exception added by the person configuring the software, or because it came from outside of the CMS) you can of course check for changed files using the PHP File Change Scanner. In fact, we recommend running it automatically at least once a day so it can warn you whether something changed and give an estimate of the likelihood that it might not be a legitimate file.

> - does it block and secure the website against file inclusion?

Only to a certain extent. This is something you have to do at the PHP configuration level (set allow_url_include to no). Also remember that it is simply not possible to block local file inclusion, i.e. inclusion of files already on your server, since this is the building block of every non-trivial PHP software.

> - what other security options does it provide, and how are they performed?

You can look at the documentation and the product page. Reiterating what is already written there would be too long. You should take a look at least at the information regarding the PHP File Change Scanner and the .htaccess Maker as they are core to Admin Tools' concept of running a secure site.

The concept of Admin Tools is that you have three levels of protection:

  • At the web server (site configuration) level with the .htaccess Maker, NginX Configuration Maker or Web.config Maker depending on your server technology. The idea here is that nothing runs unless I explicitly allow it to run which also means that any malicious file (such as shell scripts) will be “defanged” (unable to execute, therefore inert).
  • At the application (CMS) level using the Web Application Firewall. The concept here is that it will prevent most of the issues coming from software that employs questionable security practices, as long as that software does run through the CMS (and not through arbitrary, web-accessible files).
  • At a precautionary or post-attack level using the PHP File Change Scanner. The concept here is that if there is an attack it will have been defanged by the web server-level protection but you still need to know that a malicious file did make it to your site so you can get rid of it.

These protections DO NOT and CAN NOT substitute securing your Operating System, and configuring your web server and PHP with security in mind. They also DO NOT and CAN NOT substitute security hygiene such as using a password manager to create and store complex passwords, not sharing passwords, removing temporary access used by third parties helping you troubleshoot your site, using Two Factor or Multi-factor Authentication, maintaining a secure computing environment for all machines interacting with the site using elevated privileges (e.g. Super Users), not allowing arbitrary files to accept web requests directly (bypassing the CMS, therefore Admin Tools) and so on.

Admin Tools is a part of your security regimen, one which applies strictly to what happens with your web application (CMS). It's not an end-all, be-all solution to all your security woes. This is the same with all web site security software. Unfortunately, most developers of this kind of software glorify their role and do not explain the reality, that there is no such thing as installable, bulletproof security which magically covers everything and makes your server invulnerable. If there was such a tool, its author would be making trillions of dollars; every single company and nation state would want a copy for every server they operate.

> Also, we wanted to ask whether it is possible to test the plugin before purchasing it.

No, there is no trial since this is Open Source Software licensed under the GNU GPLv3 or later. Once you have the software you have its full source code. We cannot revoke your ability to run it. This is antithetical to the concept of a trial.

Before you consider a purchase I want you to think where you stand on security. If you are looking for something you can install, not deal with it and forget about it — please don't make a purchase. No security software works like that and we are not going to lie to you claiming that our software can do that (others might; everyone is responsible for their own morality). If you are looking for software which needs a fair amount of configuration and will help you tighten the security of your site then, yes, this is the software for you. That's why we called it Admin Tools and not something glorified with the words Shield, Defender, Armour etc. It is a security tool.

I hope that helps you understand better the concept of the software and decide whether it fits your needs.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
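As an added illustration of the file-change-scanner concept described in the reply above (example code written for this page, not Admin Tools' own implementation): it baselines SHA-256 digests of a site tree, reports files that are new, modified or deleted on a rescan, and attaches a crude "probably not legitimate" score. The scoring heuristics (PHP files in static-asset directories, tokens such as eval and base64_decode) and the temporary-directory fixture are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SUSPICIOUS = (b"eval(", b"base64_decode(", b"gzinflate(", b"shell_exec(")  # assumed heuristic
STATIC_DIRS = {"images", "tmp", "cache"}  # assumed: directories where no PHP file belongs

def snapshot(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256 digest."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def suspicion_score(path, data):
    """Crude 0..100 estimate that a new or modified file is not legitimate."""
    score = 0
    if path.endswith(".php") and STATIC_DIRS & set(path.split("/")[:-1]):
        score += 50  # executable code where only static assets should live
    score += 10 * sum(data.count(token) for token in SUSPICIOUS)
    return min(score, 100)

def diff_snapshots(baseline, current, root):
    """List (path, status, score) for every file that is new, modified or deleted."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        status = ("new" if path not in baseline else "deleted" if path not in current
                  else "modified" if baseline[path] != current[path] else None)
        if status is None:
            continue  # digest matches the baseline: unchanged
        score = 0
        if status != "deleted":
            with open(os.path.join(root, path), "rb") as fh:
                score = suspicion_score(path, fh.read())
        report.append((path, status, score))
    return report

def demo():  # constructed fixture: baseline a tiny site, apply two changes, rescan
    root = Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    baseline = snapshot(root)
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n// legitimate edit")
    (root / "images" / "x.php").write_text("<?php eval(base64_decode('aGVsbG8=')); ?>")  # constructed
    return diff_snapshots(baseline, snapshot(root), root)
```

Run `demo()` to see the legitimate edit to index.php reported with score 0 and the PHP file dropped into images/ reported as new with a high score; in practice the baseline would be stored after each deliberate update and the comparison run on a daily schedule, as the reply recommends.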
