Another random idea.
So, when you go into the admin panel, moderation panel or editing other users' profiles, you're required to revalidate your password for one hour.
Not so much the moderation panel or profiles, but for the admin panel, what if instead of re-entering your password, it sent you an email with a one-time use code, on provision of which you would get access to the admin panel?
Same deal otherwise - revalidate an hour later. But it is something a bit stronger than just your password. The reason I suggest this is that if you have someone trying to force their way into the admin panel, they would have to do more than just brute-force your password. (Quite a bit more, really.)
Of course, it would be disabled by default, mostly for those of us on WampServer or whatever who don't have email servers set up ;) - if you already have access to the database anyway to be able to change this you're already powerful enough.
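A sketch of the gate proposed above, added here as an illustration and not taken from the post or from any forum software. The class name, the 10-minute code lifetime and the 5-attempt limit are assumptions; the one-hour elevation window and the off-by-default switch come from the post.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600          # assumed: an emailed code is valid for 10 minutes
ELEVATION_TTL = 3600    # from the post: revalidate an hour later
MAX_ATTEMPTS = 5        # assumed: wrong guesses allowed before the code is voided


class AdminEmailGate:
    """Hypothetical email-code gate for one admin session."""

    def __init__(self, send_mail, enabled=False, clock=time.time):
        self.send_mail = send_mail   # callable(code) that delivers the email
        self.enabled = enabled       # disabled by default, as the post proposes
        self.clock = clock
        self.pending = None          # (sha256 digest, expiry, attempts left)
        self.elevated_until = 0.0

    def request_code(self):
        if not self.enabled:
            return False             # caller falls back to the password prompt
        code = f"{secrets.randbelow(10**8):08d}"   # 8 digits from the CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        # Only the digest is stored, so a session-store leak does not leak the code.
        self.pending = (digest, self.clock() + CODE_TTL, MAX_ATTEMPTS)
        self.send_mail(code)
        return True

    def verify(self, submitted):
        if self.pending is None:
            return False
        digest, expiry, attempts = self.pending
        if self.clock() > expiry:
            self.pending = None
            return False
        guess = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(guess, digest):     # constant-time comparison
            self.pending = None                    # one-time use: consumed on success
            self.elevated_until = self.clock() + ELEVATION_TTL
            return True
        # Wrong guess: burn an attempt and void the code when none remain,
        # so the 8-digit space cannot be searched by repeated submissions.
        self.pending = (digest, expiry, attempts - 1) if attempts > 1 else None
        return False

    def is_elevated(self):
        return self.clock() < self.elevated_until
```

The attempt limit and short code lifetime are what make the emailed code harder to force than the password; without them an 8-digit code is just a weaker password.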