Ixonn Group

Applying Security Measures


Use 2-factor Email Authentication For Admin Area

In version 1.9.0 we added 2-factor authentication for staff members to increase the security of logging in to the admin area. 2-factor authentication can be enabled for each staff member created in the system.

The 2-factor authentication is provided via email: after a staff member enters their login credentials correctly, the system sends a unique authentication key by email, and the staff member must enter that key to complete the login.

Staff members can enable 2-factor authentication from the top menu dropdown via the Edit Profile link; admins, or staff with the staff EDIT permission, can change this option for each staff member in Setup->Staff.
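The following PHP snippet is an added illustration of how an email one-time-code step like the one described above can be built; it is not Ixonn's own code and does not reflect Ixonn's database schema or mail code. The function names, the 10-minute lifetime, the 5-attempt limit and the in-memory storage array are all assumptions made for the example.

```php
<?php
// Added illustration of an email one-time-code login step (not Ixonn's own code).
// Storage is an in-memory array and the "email" is just echoed; the names,
// lifetime and attempt limit below are assumptions for this example.

declare(strict_types=1);

const CODE_TTL_SECONDS = 10 * 60; // assumption: a code is valid for 10 minutes
const MAX_ATTEMPTS     = 5;       // assumption: a code dies after 5 wrong guesses

/** Issue a 6-digit code for a staff member; only its hash is kept server-side. */
function issueCode(array &$pending, int $staffId, int $now): string
{
    // random_int() is a CSPRNG; str_pad keeps leading zeros (e.g. "004217").
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $pending[$staffId] = [
        'hash'     => password_hash($code, PASSWORD_DEFAULT),
        'expires'  => $now + CODE_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $code; // this value goes into the email, never into the database
}

/** Verify a submitted code; returns true at most once, then invalidates it. */
function verifyCode(array &$pending, int $staffId, string $submitted, int $now): bool
{
    if (!isset($pending[$staffId])) {
        return false; // nothing issued for this staff member
    }
    $entry = &$pending[$staffId];
    if ($now > $entry['expires'] || $entry['attempts'] >= MAX_ATTEMPTS) {
        unset($pending[$staffId]); // expired or exhausted: force a fresh code
        return false;
    }
    $entry['attempts']++;
    if (!password_verify($submitted, $entry['hash'])) {
        return false; // wrong code; the attempt has been counted
    }
    unset($pending[$staffId]); // single use: a correct code cannot be replayed
    return true;
}

// Demonstration with constructed values (staff id 7 is made up).
$pending = [];
$now     = time();
$code    = issueCode($pending, 7, $now);
echo "Constructed email body: your login code is $code\n";

$wrong = ($code === '000000') ? '000001' : '000000';
var_dump(verifyCode($pending, 7, $wrong, $now));                     // false: wrong code
var_dump(verifyCode($pending, 7, $code, $now));                      // true: correct code
var_dump(verifyCode($pending, 7, $code, $now));                      // false: already used
$late = issueCode($pending, 7, $now);
var_dump(verifyCode($pending, 7, $late, $now + CODE_TTL_SECONDS + 1)); // false: expired
```

The points worth carrying into any real implementation are that only a hash of the code is stored, the code expires, wrong guesses are counted so a 6-digit code cannot be brute-forced, and a code is accepted only once.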

Disable 2-factor authentication

If you are locked out while 2-factor authentication is enabled and for some reason the system cannot send the email with your authentication code, you will need to disable 2-factor authentication via phpMyAdmin.

Log in to phpMyAdmin, select the Ixonn database, find the table tblstaff and update the two_factor_auth_enabled column to 0 for the staff member who is locked out.

Enable CSRF Protection (from v1.9.4)

NOTE: If you performed a clean install of version 2.0 or above, this option is enabled by default; do not add the code again if it is already in the config file.

Starting from version 1.9.4 we have implemented an additional security feature in Ixonn. At the moment it is disabled by default because it is still in beta; customers can enable it manually by adding a single constant to the app-config.php file.

Once we confirm that everything works fine with this feature enabled, we will enable CSRF protection in Ixonn by default. If you experience issues while this feature is enabled, don't hesitate to open a support ticket by clicking here.

To enable this feature via cPanel/FTP, navigate from your Ixonn installation to application/config/app-config.php and add the following code at the bottom of the file:

/**
 * Enables CSRF Protection
 */
define('APP_CSRF_PROTECTION', true);

Enable Google reCaptcha

To prevent spam bots from brute-forcing your login areas, it is recommended to enable the Google reCaptcha feature for client registration, client login, and admin/staff login.

Click here to see a detailed explanation of how to configure Google reCaptcha.

Use Stronger Passwords

By default Ixonn has no logic to detect whether passwords are strong enough, but staff members are recommended to use or generate a stronger password.

When creating a staff member or contact, the password field has a generate icon that produces a strong password that is much harder for spam bots to guess.

Add Cron Job URL Key (from v1.9.4)

The cron job URL differs for each Ixonn installation, based on the domain and installation folder/path; however, it can be easily guessed because no key or additional salt is appended to the URL. To prevent direct access to this URL, it is recommended to add a cron job key.

Make sure you use a different salt key. In this example we will use the following key: ty543dtry634as5

Let's assume your current cron job URL is http://yourdomain.com/crm/cron/index. After you define the key, your cron job URL will change to http://yourdomain.com/crm/cron/index/ty543dtry634as5

To enable this feature via cPanel/FTP, navigate from your Ixonn installation to application/config/app-config.php and add the following code at the bottom of the file:

/**
 * Add Additional Cron Job URL Key
 */
define('APP_CRON_KEY', 'ty543dtry634as5');

If your cron job is already configured with the old URL, update it to the new URL so it keeps working with the newly created key. Your new cron job URL can be found at Setup->Settings->Cron Job.
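As an added example, not Ixonn's own code, the PHP below shows the two halves of the cron key idea from this section: generating a key that is random rather than hand-typed, and checking the trailing segment of the cron URL against the configured key with a constant-time comparison. The URL layout (/crm/cron/index/<key>) is the one given above; the function names and the `cronRequestAllowed` logic are assumptions for the example and say nothing about how Ixonn itself performs the check.

```php
<?php
// Added illustration of the cron job URL key (not Ixonn's own code).
// generateCronKey() produces a value for APP_CRON_KEY; cronRequestAllowed()
// shows how a request path can be checked against that key. Both names are
// assumptions for this example.

declare(strict_types=1);

/** Generate a key for APP_CRON_KEY: 32 hex characters from 16 CSPRNG bytes. */
function generateCronKey(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Return true only if the last path segment equals the configured key.
 * $path is the request path, e.g. "/crm/cron/index/<key>" (layout from the article).
 */
function cronRequestAllowed(string $path, string $configuredKey): bool
{
    if ($configuredKey === '') {
        return true; // no key configured: behaves like the unprotected URL
    }
    $segments = explode('/', rtrim($path, '/'));
    $supplied = (string) end($segments);
    // hash_equals() compares in constant time, so a wrong key cannot be
    // confirmed byte by byte through response timing.
    return hash_equals($configuredKey, $supplied);
}

// Demonstration with a freshly generated key.
$key = generateCronKey();
echo "Add to app-config.php: define('APP_CRON_KEY', '$key');\n";
echo "New cron URL: http://yourdomain.com/crm/cron/index/$key\n";

var_dump(cronRequestAllowed("/crm/cron/index/$key", $key));    // true: correct key
var_dump(cronRequestAllowed('/crm/cron/index', $key));          // false: key missing
var_dump(cronRequestAllowed('/crm/cron/index/wrongkey', $key)); // false: wrong key
var_dump(cronRequestAllowed('/crm/cron/index', ''));            // true: no key configured
```

The generated key is a sensible replacement for a short, memorable string like the one in the example above: it is long, random, and contains no words, so it cannot be guessed from the domain or installation path.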

Bad user agents blocker (from v2.0.0)

From version 2.0.0 Ixonn includes an additional security feature that blocks known bad user agents, which helps you fight spam.

To enable this feature via cPanel/FTP, navigate from your Ixonn installation to application/config/app-config.php and add the following code at the bottom of the file:

// Enables bad user agents block
define('APP_BAD_USER_AGENT_BLOCK', true);

Admin access only from specific IP address via .htaccess

If you have a dynamic IP address, skip this section: it will not work properly, and you will be blocked from the admin area every time your ISP changes your IP address.

If you access the Ixonn admin area only from your home/office IP address, you can block all other requests to the admin area by IP address. Keep in mind that if you apply this, neither you nor your staff members will be able to access the Ixonn admin area from any other IP address, e.g. their home or mobile data.

To achieve this, find the main .htaccess file in your Ixonn installation directory and add the following at the top:

# My office IP address (the trailing $ makes it an exact match, so 10.0.0.1 does not also allow 10.0.0.10)
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
# You can add additional IP addresses, e.g. your home IP
# RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteCond %{REQUEST_URI} /admin [NC]
RewriteRule ^ - [F]

Replace xxx with the actual IP address you want to allow access from.

If you are blocked, just remove the code you added to the .htaccess file.

Disable Customers Area

Some customers do not use the customers area at all. If you use Ixonn only internally and do not use the customers area, you can disable access to it.

Click here to read more about how to disable the customers area.

Use HTTPS Connection

The admin and customers areas are more secure over an HTTPS connection.

  • If you have already installed Ixonn on an HTTP connection, click here to read how to change to HTTPS
  • When performing a fresh install, you only need to make sure that the Base URL you enter in the last step starts with HTTPS

Before using HTTPS connections, make sure you have a valid SSL certificate installed on your server.


We will update this article when new security features are developed in Ixonn.
