Recently I have been contemplating the most secure way to set up an admin area on a website. The two options that I was toying with are:
- Create the admin area as part of the main site, require them to register first using their email address as their username, and set them up with an admin level.
- Create a completely separate admin area from the website, for which users would not have to register, but instead would be set up by another admin.
I realize that if I set up the admin area separate from the site, this would require the user to discover that the admin panel is there before they could even try getting into it. How much security does that add?
However, forcing them to register with an email address on the main site ties their account to an email address, which I would think helps security a little bit? But putting the admin area on the main site makes it easier to hack, because all the user would need to do is find one bug in the system, right?
I guess I could see positives and negatives for both.