Hits to /+sitemanager
I see 13 hits against /+sitemanager today. I've never used it. I believe my passwords are reasonably secure. Should I be concerned? Is there some way to tell if they got in?
It's no less or more secure than Member Operations, though if someone gets in to sitemanager, they can do more damage more quickly. I don't know if there's a way to track successful accesses.
This is what I've learned, so far.
In your access_log:
"GET /+sitemanager HTTP/1.1" 200
This indicates that someone has accessed the LOGIN page for the sitemanager.
"POST /+sitemanager HTTP/1.1" 200
This indicates a login attempt was made... Bad sign.
"POST /+sitemanager HTTP/1.1" 200 3671
Failed LOGIN attempt indicated by "3671" byte transfer (for my site).
This number may depend on your domain name length (and what else?).
Make a failed login yourself, and check the "failed login transfer length".
/powweb-images/sitemanager2.gif HTTP/1.1
Following the POST request, if you have many requests for images in /powweb-images,
then I guess LOGIN was successful.
"GET /+sitemanager?module=htaccess HTTP/1.1" 200 18680
If you see accesses to commands that show more than failed login transfer length,
that person has definitely accessed sitemanager.
You may want to change the OPS password immediately.
(Better to disable that OPS user if it's not the primary user, I guess.)
EDIT:
You can download access_log, and run grep to find these lines.
grep sitemanager access_log
I'll check if I can redirect the requests for site manager to a CGI
so that I can get alarm when someone tries it and/or so that I can disable it.
EDIT again:
Quick test shows that RewriteRule can't be used for redirecting.
So, I guess we have no control over sitemanager, yet.
I would like to use it with HTTPS
and I would like to be able to disable/enable it easily via OPS.
Also, using USERNAME:PASSWORD pair other than that of OPS
(FTP user : pass, for example) seems to offer a little more security.
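The log-reading heuristics from the post above, as an added example that is not part of the original thread: it groups /+sitemanager requests in an access_log by client and labels each client. The function names, the verdict labels and the sample lines are assumptions made for illustration; 3671 is the poster's own failed-login size, so measure yours first.

```python
import re
from collections import Counter, defaultdict

# Common/combined log format: host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def classify(method, path, status, size, failed_bytes):
    """Label one request using the heuristics described in the post."""
    if path.startswith("/powweb-images/"):
        return "image"
    if not path.startswith("/+sitemanager") or status != 200:
        return None
    if method == "POST":
        # Same byte count as a known failed login means a failed attempt.
        return "failed_login" if size == failed_bytes else "post_other_size"
    if method == "GET" and "?" in path and size > failed_bytes:
        return "command_access"
    if method == "GET" and "?" not in path:
        return "login_page"
    return None

def summarize(lines, failed_bytes):
    """Return {client_host: Counter(label -> count)} for sitemanager activity."""
    hosts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, method, path, status, size = m.groups()
        nbytes = 0 if size == "-" else int(size)
        label = classify(method, path, int(status), nbytes, failed_bytes)
        if label:
            hosts[host][label] += 1
    # Image hits only matter for hosts that also touched sitemanager.
    return {h: c for h, c in hosts.items() if set(c) - {"image"}}

def verdict(counts):
    if counts["command_access"]:
        return "accessed"         # post: "definitely accessed sitemanager"
    if counts["post_other_size"]:
        return "review"           # assumption: unfamiliar size, check by hand
    return "failed_attempts" if counts["failed_login"] else "probe_only"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2009:10:00:00 -0500] "GET /+sitemanager HTTP/1.1" 200 3050',
    '198.51.100.7 - - [12/Mar/2009:10:01:02 -0500] "POST /+sitemanager HTTP/1.1" 200 3671',
    '198.51.100.7 - - [12/Mar/2009:10:01:09 -0500] "POST /+sitemanager HTTP/1.1" 200 3671',
    '203.0.113.5 - - [12/Mar/2009:10:05:00 -0500] "POST /+sitemanager HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2009:10:05:01 -0500] "GET /powweb-images/sitemanager2.gif HTTP/1.1" 200 1200',
    '203.0.113.5 - - [12/Mar/2009:10:05:09 -0500] "GET /+sitemanager?module=htaccess HTTP/1.1" 200 18680',
    '192.0.2.44 - - [12/Mar/2009:10:06:00 -0500] "GET /index.html HTTP/1.1" 200 900',
]
```

Calling `summarize(open("access_log"), your_failed_size)` on a downloaded log gives the per-client counts, and `verdict()` turns each into one label.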