Protecting your Joomla Administrator Section

What?
This is a quick article to remind me how to move a Joomla administration section and to lock it down to a specific IP address. The below does not involve installing any third-party extensions and will remain in place even if you update your Joomla CMS.

Why?
When checking audit logs, I sometimes see that my administrator URL is accessed more than my front-end. The below has worked for me on Joomla websites in general and stops the administrator URL showing up in the stats at all (other than my own use of it).

Left unchecked, attackers will eventually get through, whether by brute force, DoS, injection, etc. These two measures are not silver bullets, but they take the administrator login off the beaten path and will slow some people down.

How?
The below will a) change the /administrator location and b) limit access to a single IP address. Note that the second stage needs a static public IP address; check with your ISP before relying on it, since many home broadband connections still receive a dynamic address and you would lock yourself out when it changes. In case you don't have one, the two stages are described separately and the first works on its own.

Move the /administrator URL
  1. Create a folder in the root of your joomla website with a name that is difficult to guess but easy to memorise.
  2. Create a file called index.php in the folder you just made with the following contents:
    <?php
    // Change this to a long random value; it must match the value in the .htaccess rule below.
    $admin_cookie_code = "1234567890";
    // Session cookie for the whole site, HttpOnly, and marked secure when the page was served over HTTPS.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/", "", $https, true);
    // Root-relative target rather than "../administrator", so the redirect does not depend on how the folder URL was requested.
    header("Location: /administrator/index.php");
    exit;
    ?>
  3. Append the following code to the .htaccess file in the root of your joomla website:
    # Admin Redirect
    # Apache does not accept a comment after a directive on the same line, so notes are on their own lines.
    RewriteEngine On
    # Any request for /administrator and everything under it (index.php, images, CSS, JS).
    # In a regular expression "." matches any character, so "^../administrator" would not match "/administrator".
    # If Joomla is installed in a subdirectory, prefix it: ^/subdir/administrator
    RewriteCond %{REQUEST_URI} ^/administrator
    # ... made without the cookie set by the PHP script (change 1234567890 to the same value as above)
    RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=1234567890
    # ... is refused with 403 Forbidden
    RewriteRule .* - [L,F]
How-to-use: Browse to the folder you created in step 1 and this will be your new administrator URL.
Caveat: If you log in to the administrator section on a shared computer, close the browser (all windows and tabs) once you are done, or the cookie will stay on that computer and be usable by anyone else who uses it, regardless of whether you logged out of the CMS. Browsers that restore the previous session on start-up can keep session cookies across a restart, so on a shared machine prefer a private browsing window.

Add an IP filter

This method requires a static public IP address; check with your ISP whether yours is static or dynamic before relying on it. The example below allows a single address (i.e. one location from which an admin user can log in); Apache's allow from accepts several addresses, or CIDR ranges, on the same line if you need more.

  1. Create a .htaccess file in your /administrator folder with the following content:
    # ALLOW USER BY IP
    # Apache 2.2 syntax (needs mod_access_compat on Apache 2.4). Comments must be on their own line.
    # No <Limit GET POST> wrapper: it would leave every other method (OPTIONS, PUT, DELETE, ...) unrestricted.
    order deny,allow
    deny from all
    # change 123.123.123.123 to your static IP address; several addresses or CIDR ranges may be listed
    allow from 123.123.123.123

    # PREVENT VIEWING OF .HTACCESS
    <Files .htaccess>
     order allow,deny
     deny from all
    </Files>

    # change this to your own 403 - forbidden page. Use a site-local path: with a full URL
    # Apache redirects the client (302) instead of answering 403.
    ErrorDocument 403 /error/403.html


These are two methods I like and will work in tandem. They will not affect the standard visitors to your Joomla website (specifically those not interested in logging into the administrator section). Updated for Joomla 3.x but pretty much the same system as used for previous versions of Joomla. I hope this helps you tune down those pesky visitors.
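As an added example, not code from the original article, the shell script below ties the two stages together: it generates a random cookie secret, renders the hidden folder's index.php and a single /administrator/.htaccess that applies both the cookie check and the IP allow-list to every HTTP method, and offers a curl check of the result. It assumes Apache 2.4 (Require ip; on 2.2 use the order/deny/allow form above) with mod_rewrite enabled for .htaccess files, and Joomla installed at the document root; the folder name, addresses and URL used are placeholders for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Apache 2.4 and Joomla at the document root.
# Usage: sh admin-lock.sh <joomla-root> <secret-folder-name> <allowed-ip-or-cidr> [more ...]
set -eu

# 32 random bytes as 64 hex characters: hard to guess, safe to paste into both files.
gen_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# $1 = secret. PHP for <secret-folder>/index.php: set the session cookie, redirect to /administrator.
render_php() {
    cat <<EOF
<?php
// Session cookie for the whole site; HttpOnly, and marked secure when served over HTTPS.
\$https = !empty(\$_SERVER['HTTPS']) && \$_SERVER['HTTPS'] !== 'off';
setcookie("JoomlaAdminSession", "$1", 0, "/", "", \$https, true);
header("Location: /administrator/index.php");
exit;
EOF
}

# $1 = secret, remaining args = allowed IPs or CIDR ranges.
# .htaccess for /administrator: both checks in one file, applied to every HTTP method.
render_htaccess() {
    secret=$1
    shift
    [ "$#" -ge 1 ] || { echo "render_htaccess: need at least one allowed IP" >&2; return 1; }
    cat <<EOF
# Deny unless the request comes from an allowed address (mod_authz_core, Apache 2.4).
Require ip $*

# Deny unless the browser presents the exact cookie set by the hidden folder's index.php.
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !(^|;\\s*)JoomlaAdminSession=$secret(;|\$)
RewriteRule .* - [F]

# Never serve this file itself.
<Files .htaccess>
Require all denied
</Files>

# Site-local path keeps the 403 status (a full URL would make Apache redirect with 302).
ErrorDocument 403 /error/403.html
EOF
}

# $1 = base URL, $2 = secret. Run from an allowed address; expected: 403, then 200/303, then 403.
check_lockdown() {
    base=$1
    secret=$2
    printf 'GET without cookie  : %s\n' "$(curl -s -o /dev/null -w '%{http_code}' "$base/administrator/index.php")"
    printf 'GET with cookie     : %s\n' "$(curl -s -o /dev/null -w '%{http_code}' -b "JoomlaAdminSession=$secret" "$base/administrator/index.php")"
    printf 'OPTIONS, no cookie  : %s\n' "$(curl -s -o /dev/null -w '%{http_code}' -X OPTIONS "$base/administrator/index.php")"
}

# Only write files when invoked with arguments; sourcing the script just defines the functions.
if [ "$#" -ge 3 ]; then
    root=$1
    folder=$2
    shift 2
    secret=$(gen_secret)
    mkdir -p "$root/$folder"
    render_php "$secret" > "$root/$folder/index.php"
    render_htaccess "$secret" "$@" > "$root/administrator/.htaccess"
    echo "New admin URL: /$folder/  (the same cookie secret was written into both files)"
    echo "Verify with: check_lockdown https://example.com $secret"
fi
```

The cookie pattern is anchored to a cookie boundary, so a longer value that merely starts with the secret no longer passes the substring match used in the simpler rule. Because the rewrite directives live in /administrator/.htaccess, they also take effect on Apache 2.4 hosts where the root .htaccess is replaced on every Joomla update.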

Category: Joomla :: Article: 636


Feel free to copy, redistribute and share this information. All that we ask is that you attribute credit and possibly even a link back to this website as it really helps in our search engine rankings.

Disclaimer: Please note that the information provided on this website is intended for informational purposes only and does not represent a warranty. The opinions expressed are those of the author only. We recommend testing any solutions in a development environment before implementing them in production. The articles are based on our good faith efforts and were current at the time of writing, reflecting our practical experience in a commercial setting.

Thank you for visiting and, as always, we hope this website was of some use to you!

Kind Regards,

Joel Lipman
www.joellipman.com

© 2024 Joel Lipman .com. All Rights Reserved.