
MelonLand Forum


Author Topic: safest way to have an admin page on my site?  (Read 290 times)
MediocreMetastasis
« on: October 14, 2025 @702.67 »

I want an admin page on my site to do stuff like post, edit, and delete blogs. I currently have it set up where the page requires you to input a password and then you get admin permission throughout the site during the session

Code

<?php
session_start(); // required before $_SESSION can be read or written

$ADMIN_PASS = password_hash("Password123", PASSWORD_DEFAULT); // hashed (from the plaintext in the source, on every request)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pass = $_POST['password'] ?? ''; // avoid an undefined-index notice when the field is missing

    if (password_verify($pass, $ADMIN_PASS)) {
        $_SESSION['is_admin'] = true;
        header("Location: home.php");
        exit;
    } else {
        $error = "Invalid password hacker.";
    }
}

Is this a safe method or am I asking to be hacked?


Melooon
« Reply #1 on: October 14, 2025 @707.64 »

If your site is running over HTTPS then this is perfectly safe; it's the same method that's used by most sites with passwords.

That said! You can improve this a little; instead of rehashing your password with the first line, just hash it once using some other script/online hasher, then store the hashed version instead of the plain text version on your site (just make sure your verifier is using the same hash type that you saved).
That way even if by some sort of bug the source code leaks or is shown to a visitor they still can't get your password easily ^^

You can also improve the hash by looking into hash salts - those are basically extra bits of text that are included in the hashing algorithm so someone can't brute force unhash your hash using a huge library of pre-calculated hashes of common passwords ^^ (this is a very good idea for a public site like a forum with many passwords stored, but frankly for your case it's not super important if you use a good password)


everything lost will be recovered, when you drift into the arms of the undiscovered

MediocreMetastasis
« Reply #2 on: October 15, 2025 @184.11 »

Cool. I'll make sure not to have my password in plaintext in my code. Thanks.


Dan Q
« Reply #3 on: October 15, 2025 @341.68 »

Seconding everything Melooon said, including "don't bother with salting" - a salt only exists to make it harder to reverse-engineer a password if you've got the hashed version: so long as the (one) password on this site isn't one that you use anywhere else, that's probably not a concern for you anyway! (And by the time somebody's gotten onto your server to see the hash, you've got bigger problems than them being able to log in to your admin area!)

Just don't forget to check for $_SESSION['is_admin'] on every single page that needs it. I see lots of people do things like make a login page (which checks a password and sets a session), then create a page that handles creating posts (which checks the session and then does things), and then create a page that handles deleting posts (which just deletes things without checking that the $_SESSION['is_admin'] is set and... uh-oh, that's a problem!).

Don't forget to add a logout link that goes to a page that unsets the session variable and then redirects back home, or whatever! You never know when you're going to need a logout link!

And finally - and for a small personal site you definitely don't need to think about this right away - down the line, consider the possibility of cross-site request forgery attacks. E.g. if you have a page that (a) checks you're logged in as an admin and then (b) deletes a post... is it possible for an attacker to put a malicious link in an email or on their own website that, (if you're logged in when you're tricked into clicking it) goes to that page, resulting in a post deletion? The risk is infinitesimally small for a small personal site unless you've made a lot of enemies!

Love the direction you're going in, anyway. PHP empowers the world of the "mildly dynamic website", a particularly magical and special category that's close to my heart.


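A small PHP include that puts Melooon's and Dan Q's advice together (a precomputed hash in the source instead of the plaintext, a session check to call on every admin page, a CSRF token for state-changing forms, and a logout), added here as an example and not code from any poster; the filename admin_auth.php, the hash placeholder and the page names are assumptions.

```php
<?php
// admin_auth.php (hypothetical): added example for this thread, not the original poster's code.
// Include it at the top of every admin page (login, edit, delete), not just the login page.
// 1. Keep only the hash in your source. Generate it once, for example with
//    php -r 'echo password_hash("your-real-password", PASSWORD_DEFAULT);'
//    and paste the output here. The value below is a constructed placeholder, not a real hash.
const ADMIN_PASS_HASH = '$2y$10$REPLACE_WITH_YOUR_GENERATED_HASH';
session_start();
// 2. Gate: call this on every page that creates, edits or deletes anything.
function require_admin(): void {
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Admins only.');
    }
}
// 3. CSRF defence: one random token per session, echoed into each admin form as a
//    hidden field and checked before any state-changing POST is acted on.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function require_csrf(): void {
    $expected = $_SESSION['csrf'] ?? '';
    $sent = $_POST['csrf'] ?? '';
    // hash_equals('', '') is true, so an empty expected token must be rejected explicitly
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Missing or bad CSRF token.');
    }
}
// 4. Login: verify against the stored hash; a fresh session id stops a session
//    created before login from simply being promoted to admin.
function login(string $password): bool {
    if (!password_verify($password, ADMIN_PASS_HASH)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['is_admin'] = true;
    return true;
}
// 5. Logout link target: drop the session and send the visitor home.
function logout(): void {
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}
```

In a delete page this becomes `require 'admin_auth.php'; require_admin(); require_csrf();` before anything is deleted, with `<input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">` inside the form that posts to it.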
Rubbereon
« Reply #4 on: October 17, 2025 @642.79 »

I only have a static website, but have been interested in starting a forum myself and my expert's opinion is that administration is usually done through something like phpmyadmin or directly through the server if you have physical access to it.

Some forum software like xenforo lets you make an admin account that can do those things, but if somebody comes in and tries to do a dictionary attack it leaves your forum open to get raided.

At least with phpmyadmin they'd need a direct link to the panel, and you can install it anywhere you want (let's say mywebsite.com/foo/bar/phpmyadmin.php) and so only you will know where to go to administrate your website.
« Last Edit: October 17, 2025 @644.36 by Rubbereon »

Fuzzy fwiend
Linux user
You can also find me on Comfybox.
Melooon
« Reply #5 on: October 17, 2025 @651.39 »

Quote from Rubbereon: phpmyadmin

phpmyadmin is not a website admin interface :smile: It's a frontend for editing MySQL databases that is made in PHP. MySQL databases are a particular technology that can be used alongside PHP and other programming languages to store and manage large amounts of data; they are definitely very useful to know about, but generally you don't manage a website by editing SQL data directly. An admin interface is usually a nice UI that will have scripts that safely edit the SQL database for you. Most people use phpmyadmin (or other SQL frontends) only when they are setting up databases or bug fixing issues :wizard: Though I agree it's a slightly confusing name!

(I also don't actually approve of using phpmyadmin since you should never have SQL access exposed on the web, but I do understand why people use it since it's more complex to set up more secure systems!)


everything lost will be recovered, when you drift into the arms of the undiscovered
