Not yet a techie on this stuff. Basically, I was going by a discussion I read yesterday that said that this was a vector of mass malware distribution. As I remember, they specifically indicated index.html but we can also talk about any admin hacking of the site.
On index.html the idea was that, after a bad guy gains entrance as an admin, the visitors could be mauled, unknown to either the site itself (for a while) or, unless well defended, the visitor. I didn't bookmark this well, although I will go back into Firefox history and see what I can find.
The first part of the discussion I was reading about was simply how easily passwords sent by FileZilla can be hacked and the blasé approach of the developer. The discussion of malware distribution might have been a separate topic and website. I was simply following the logical implications.
Notice how you say that the cumbersomeness of the extra certificate-signed approach ends up meaning that it is simply not done. And this would be true also for hardware keys, great ideas infrequently implemented (putting aside banks, etc.)
What I am suggesting is a hack-resistant method that is relatively strong yet informal and might be easy to implement, although it may need the control panel people allowing a hook. A second-factor entrance software implementation to stop an improper admin (whether or not they can get to index.html). One that would be complementary to IP checking. If the admin signing in fails x times to hit the secret dot, then alarm bells ring to the web host and to the real admin's cell phone, tablet, etc.
If there is something that accomplishes this end already ... great! Tell me how it is done.
What damage can a false admin do? And how is it prevented? Is it not the equivalent of the root for your site?
We agree, I think, that no matter how strong the passwords and secretly guarded, that has a significant gap of safety below 100%.
As to why this came up, I am informally handling some aspects of security for a small business. We had changes of programmer companies and workers and changed admin passwords. (Nothing hacked.) I was thinking about the simple fact that I really, really don't want false admin sign-ons; this was prodded by the reading I mention above.
To summarize my understanding, this is the basic scenario that is more sophisticated than simply hacking and taking data or changing things (forcing downtime and restore from backup). Remember, they could change things like pricing that could cause tremendous problems.
a) bad guys get hold of admin password for a site
b) bad guys get in there under the assumed name and make the site a vector of transmission for malware like a trojan
c) bad guys go home and wait
d) dozens of visitors get infected with a trojan (malware of some type) thinking they are visiting a safe site
Is this wrong? If so, where.
And also the scenario where they simply change the site or get access to the data. (Understanding that there are internal standards that should prevent any credit-card type of information from being available, any data breach remains embarrassing and can be very difficult for a business in many ways.)
Note, IP checking is nice. Maybe, in many cases, sufficient. Not sure how that works in practice. There has to be flexibility when you are on the move. Also there is an issue of unauthorized access to a computer that is a registered ID. Thus, I mention this idea as complementary.
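The mechanism the post above sketches (an IP check, a second factor on top of the password, and an alarm after x failed attempts) can be demonstrated in a few dozen lines. The following is an added example and is not code from the poster or from any control panel product; it is a hypothetical admin login gate. The second factor is RFC 6238 TOTP (the same algorithm authenticator apps use), the password is stored as a PBKDF2 hash, and the "alarm bells" are an `alert` callback that is assumed to be whatever hook the host or control panel would expose (the code only records the alerts it would send). The password, TOTP secret, salt and IP ranges are constructed test values.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Callable, Iterable, List, Optional

# Hypothetical example, not the forum poster's or any vendor's code. It combines
# three checks for an admin sign-on: source IP allowlist, password, and a TOTP
# second factor, and fires an alert hook after max_failures bad attempts.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AdminGate:
    def __init__(self, password: str, totp_secret: bytes, allowed_nets: Iterable[str],
                 max_failures: int = 3, alert: Optional[Callable[[str], None]] = None):
        self.salt = b"example-salt-demo-only"  # constructed; use os.urandom(16) per account in real code
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.max_failures = max_failures
        self.alert = alert or (lambda msg: None)  # assumed host/control-panel hook
        self.failures = 0
        self.locked = False
        self.alerts: List[str] = []  # record of every alert this gate would have sent

    def _fire_alert(self, msg: str) -> None:
        self.alerts.append(msg)
        self.alert(msg)

    def attempt(self, password: str, code: str, source_ip: str, unix_time: int) -> str:
        """Return 'ok', 'denied' or 'locked' for one sign-on attempt."""
        if self.locked:
            return "locked"

        # 1. IP check: an attempt from outside the registered ranges is refused outright
        #    and reported, but does not count toward the lockout (it never saw the factors).
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed_nets):
            self._fire_alert(f"admin login from unexpected address {source_ip}")
            return "denied"

        # 2. Password and second factor are both checked in constant time; the TOTP
        #    window accepts one step either side of 'now' to tolerate clock drift.
        pw_ok = hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))
        code_ok = any(hmac.compare_digest(code, totp(self.totp_secret, unix_time + drift))
                      for drift in (-30, 0, 30))
        if pw_ok and code_ok:
            self.failures = 0
            return "ok"

        # 3. Failure counter: after max_failures misses the account locks and the
        #    "alarm bells" fire to whoever the alert hook reaches (host, admin's phone).
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            self._fire_alert(f"admin lockout after {self.failures} failed attempts from {source_ip}")
            return "locked"
        return "denied"
```

The TOTP functions are checked against the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082` with six digits), so the second factor here is the real algorithm rather than a stand-in. Unlocking after a lockout is deliberately left to an out-of-band step (the real admin, not the login form), which is the point of the alarm.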