Protecting your Joomla Administrator Section

What?
This is a quick article to remind me how to move a Joomla administration section and to lock it down to a specific IP address. The below does not involve installing any third-party extensions and will remain in place even if you update your Joomla CMS.

Why?
When checking audit logs, I sometimes see that my administrator URL is accessed more often than my front-end. The below has worked for me on Joomla websites in general and prevents the administrator URL from showing up in the stats at all (unless you were the one using it).

Leaving this unchecked means that the crackers/hackers will ultimately get through, whether by brute force, DoS, injection, etc. I'm not saying these are silver bullets, but they will slow some people down.

How?
The below will a) change the /administrator location and b) limit access to a single IP address. Note that you will need to ensure you have a static IP (most ISPs now assign static IPs to home broadband users as well as larger corporations). But just in case you don't have one, let me do this in two stages.

Move the /administrator URL
  1. Create a folder in the root of your Joomla website with a name that is difficult to guess but easy to memorise.
  2. Create a file called index.php in the folder you just made with the following contents:
    <?php
    // Shared code that the .htaccess rule below checks for; change this to a value that is difficult to guess
    $admin_cookie_code = "1234567890";
    // Session cookie (expiry 0 = deleted when the browser closes), valid for the whole site ("/")
    setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/");
    // Send the browser on to the real administrator login, then stop so nothing else is output
    header("Location: ../administrator/index.php");
    exit;
    ?>
    
  3. Append the following code to the .htaccess file in the root of your Joomla website (Apache does not accept a comment at the end of a directive line, so the comments sit on their own lines):
    # Admin Redirect
    RewriteEngine On
    # Match any request under /administrator (Joomla 3.x admin pages, images and CSS included)
    RewriteCond %{REQUEST_URI} ^/administrator
    # Refuse the request unless the cookie set by the PHP script above is present; change the code to match the script
    RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=1234567890
    RewriteRule .* - [L,F]
    
How-to-use: Browse to the folder you created in step 1 and this will be your new administrator URL.
Caveat: If you log in to the administrator section on a shared computer, ensure you close the browser (and all tabs) once done, or this cookie will remain on the computer and be readable by other users of the same computer (this is irrespective of whether you have logged out of the CMS).

Add an IP filter

To include this method, ensure you have a static IP address (most home broadband users are now assigned these by ISPs so that they can identify their service users). The below also only allows one IP address (i.e. one location from which an admin user can log in).

  1. Create a .htaccess file in your /administrator folder with the following content:
    # ALLOW USER BY IP
    # These directives apply to every request method. Wrapping them in <Limit GET POST>
    # would leave other methods unrestricted, so no <Limit> section is used.
    order deny,allow
    deny from all
    # change 123.123.123.123 to your static IP address
    allow from 123.123.123.123
    
    # PREVENT VIEWING OF .HTACCESS
    <Files .htaccess>
     order allow,deny
     deny from all
    </Files>
    
    # change this to your 403 - forbidden page (Apache does not accept a comment at the end of a directive line)
    ErrorDocument 403 http://www.joellipman.com/error/403.html
    
These are two methods I like, and they work in tandem. They will not affect the standard visitors to your Joomla website (specifically those not interested in logging into the administrator section). Updated for Joomla 3.x, but it is pretty much the same system as used for previous versions of Joomla. I hope this helps you tune down those pesky visitors.
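To check from the access log whether the two methods are actually doing their job (the "Why?" section above is about exactly this traffic), here is an added Python example that is not part of the original article: it parses Apache combined-format log lines, counts front-end versus /administrator requests, confirms that administrator requests from other addresses were refused with a 403, and flags any administrator hit that got through from an address other than the one in your "allow from" line. The log lines, the addresses in them and the function names (`parse_line`, `summarise`) are constructed for this example.

```python
import re
from collections import Counter

# Constructed Apache combined-log sample (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2021:09:12:01 +0000] "GET /administrator/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2021:09:12:02 +0000] "POST /administrator/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2021:09:13:44 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2021:09:15:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2021:09:15:03 +0000] "GET /administrator/templates/isis/css/template.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2021:09:16:10 +0000] "GET /images/logo.png HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.99 - - [10/May/2021:09:17:30 +0000] "GET /administrator/ HTTP/1.1" 200 8123 "-" "curl/7.68.0"
"""

# Combined log format: client IP, identity, user, [time], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

ADMIN_PREFIX = "/administrator"


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path = rec["path"].split("?", 1)[0]  # ignore the query string when classifying
    # Exact prefix match: /administrator or /administrator/..., but not /administratorfoo
    rec["is_admin"] = path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")
    return rec


def summarise(log_text, allowed_ip):
    """Count front-end vs administrator traffic and flag administrator hits that were
    not refused and did not come from allowed_ip (the address in the 'allow from' line)."""
    report = {
        "front_end": 0,
        "admin_total": 0,
        "admin_blocked": 0,           # administrator requests answered 403 by the .htaccess rules
        "admin_from_allowed_ip": 0,
        "admin_by_ip": Counter(),     # how often each address hit /administrator
        "unexpected": [],             # (ip, path, status) for admin hits that got through
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                  # skip malformed lines
        if not rec["is_admin"]:
            report["front_end"] += 1
            continue
        report["admin_total"] += 1
        report["admin_by_ip"][rec["ip"]] += 1
        if rec["status"] == 403:
            report["admin_blocked"] += 1
        elif rec["ip"] == allowed_ip:
            report["admin_from_allowed_ip"] += 1
        else:
            report["unexpected"].append((rec["ip"], rec["path"], rec["status"]))
    return report


if __name__ == "__main__":
    r = summarise(SAMPLE_LOG, "192.0.2.55")
    print(f"front-end requests: {r['front_end']}, administrator requests: {r['admin_total']}")
    print(f"administrator requests refused (403): {r['admin_blocked']}")
    print(f"administrator requests from the allowed IP: {r['admin_from_allowed_ip']}")
    for ip, path, status in r["unexpected"]:
        print(f"WARNING: {ip} reached {path} with status {status}; the lock-down is not in effect")
```

To run it against your own site, replace `SAMPLE_LOG` with the contents of the Apache access log and pass the IP address you put in the "allow from" line. Anything listed under "unexpected" means the rules are not being applied (for example the .htaccess was not picked up, or the request reached the administrator folder by a path the rewrite condition does not cover). If the site sits behind a reverse proxy or CDN, both the log and the "allow from" rule see the proxy's address rather than the client's, so the IP filter has to be based on the real client address instead.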


© 2021 Joel Lipman .com. All Rights Reserved.