Admin Routing Compatibility Mode for Extensions – Enable or Disable?

Tags: admin, ce-1.9.2.2, security, supee-6788

I have just updated my store to the latest Magento CE 1.9.2.2 software version (not the Patch SUPEE-6788, I did the full core update using the Magento Downloader).

After the update I went to

System > Configuration > Advanced > Admin > Security

and found the Admin routing compatibility mode for extensions option to be set to Enable.

However, just below the "Enable/Disable" selector there is a short description which says

Enabling this setting increases risk of automated attacks against
admin functionality.


I wasn't sure if I should change this setting or not so I went to the Magento website and there it says

To protect non-default admin URLs against automated attacks, the patch
must be enabled by changing the routing compatibility mode in
configuration. Use "Enable Admin routing compatibility mode" under
System > Configuration > Admin > Security.


The people over at Byte say

Finally, to increase security, disable the “compatibility mode”
here:

System > Config > Admin > Security > Admin routing compatibility mode for extensions


And then they display a screen shot showing the option in Enable mode.

I find all of this very confusing so my question is what mode of this option offers most security?

Should the selector display "Enable" or "Disable" after saving the config?

Best Answer

I think it's pretty easy to lull yourself into a false sense of security with this.

Admin routing compatibility mode for extensions: Enabled (=Default)

This is the default setting after applying the patch. Your extensions won't break with this setting. Security is limited though.

Admin routing compatibility mode for extensions: Disabled

Only with a disabled compatibility mode are you on the secure side. If all your extensions are updated to work with the new way of admin routing, don't forget to change this setting to "disabled".
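A scripted check for the state the answer recommends, as an added example (not code from the original post and not part of Magento itself). It assumes the setting is stored under the config path `admin/security/extensions_compatibility_mode` with `1` meaning Enable and `0` meaning Disable; that path is my recollection of the SUPEE-6788 change, so verify it against the `system.xml` of your patched core before relying on it. The script reports the current value and, only when run with `--disable`, writes `0` at default scope and refreshes the config cache, which is the same effect as saving "Disable" in the admin panel.

```php
<?php
// check_admin_routing_compat.php  (added example, not part of the original post)
// Run from the Magento root:  php check_admin_routing_compat.php [--disable]
//
// ASSUMPTION: the "Admin routing compatibility mode for extensions" switch is
// persisted under the config path below (1 = Enable, 0 = Disable). Verify the
// path against your patched core before relying on this script.
define('COMPAT_MODE_PATH', 'admin/security/extensions_compatibility_mode');

require_once __DIR__ . '/app/Mage.php';
Mage::app('admin');

// True when the weak (Enable) setting is active.
function compatModeEnabled()
{
    return Mage::getStoreConfigFlag(COMPAT_MODE_PATH);
}

// Switch the setting to Disable at default scope and make the change visible
// to this process and to subsequent requests.
function disableCompatMode()
{
    Mage::getConfig()->saveConfig(COMPAT_MODE_PATH, 0, 'default', 0);
    Mage::app()->getCacheInstance()->cleanType('config');
    Mage::getConfig()->reinit();
}

$enabled = compatModeEnabled();
echo 'Admin routing compatibility mode: ', ($enabled ? 'Enable' : 'Disable'), PHP_EOL;

if ($enabled) {
    echo 'WARNING: non-default admin URLs are not protected while this is enabled.', PHP_EOL;
    if (in_array('--disable', $argv, true)) {
        disableCompatMode();
        echo 'Setting changed to Disable; now reads: ',
            (compatModeEnabled() ? 'Enable' : 'Disable'), PHP_EOL;
        echo 'Re-test every extension that adds admin controllers before leaving it this way.', PHP_EOL;
    } else {
        echo 'Re-run with --disable to switch it off once your extensions are updated.', PHP_EOL;
    }
}
```

Running it without arguments after an upgrade is a quick way to confirm what the panel shows, and running it in a cron job that only reports (never with `--disable`) will catch the setting being flipped back to Enable by an extension installer or a restored database dump.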