Enhance Joomla website security by hiding admin login URL - JoomShaper
Blog
Tutorials

Enhance Joomla website security by hiding admin login URL

09 December 2015
Hits 49,905
2 min read
Enhance Joomla website security by hiding admin login URL

Security has no boundary. It’s much more than a complex password. What if we could prevent attackers from getting into the login page entirely? This would give your site a better state of security. The default admin login URL of a Joomla site looks like “www.yoursite.com/administrator”. This address brings the admin login area by default. Now we will see how to change this URL to hide the backend login door.

We can do this in a few moments. It’s that much easy. But don’t dare to treat this trick as a silly thing. It can save your site from destructive cyber attacks. Okay, we will use a free extension “jSecure Lite” in this purpose. Download the extension from the its developer’s site. You will need to register and login to their site for downloading the extension.

After completing the download, you will get a zipped folder which accommodates separate ‘jSecure Lite’ builds for different Joomla versions. Now go to your Joomla admin panel. Navigate Extensions > Manage. There you will get an option to upload extension package file.

 

Upload and install the appropriate jSecure Lite build matching with your Joomla version.

ExtensionsInstall

 

Once you’ve installed and activated the title, go to the admin control panel again. Navigate Components > jSecure Lite > Basic Configuration.

jSecureOK

 

Ensure that the functionality is enabled and the Pass Key option is set for URL (see the screenshot above). Now set a Pass Key and save. You must remember this key because it will be required to put inside the login URL, otherwise you would not get the login form. After successfully saving the key, your login URL structure will be like this “www.yoursite.com/administrator/?key”. The default “http://localhost/joomla/administrator” will not work.

jSecure is a premium extension which has many other security features. In jSecure Lite version, you can get just a flavor of the original title. You may find the full feature list of this extension here.

Hopefully I’ll be back with more tips and tricks in near future. Stay tuned!

Arafat Bin Sultan

Arafat Bin Sultan

Arafat is a tech-enthusiast with a keen interest in space, photography, and video making.
P
Phil
8 years ago
I don't recommend this at all. Brute force attacks on the administrator url will still happen even with jSecure, but they will just be redirected - this puts increased load on the Servers CPU as apache has to load mysql and php layers just to redirect the request away from /administrator/. The "correct" way to stop brute force admin attacks is to protect your /administrator/ url with a .htaccess/.htpasswd popup - this stops the request at the apache layer and DRASTICALLY reduces the CPU load on the server during a brute force attack. This has been proven in real world attacks on many servers/sites.
#700
pepperstreet
pepperstreet
8 years ago
Thanks for your advice and technical explanation!
#702
Arun Sasi
Arun Sasi
8 years ago
Hi,Write a post about block url via .htacces with some example.
#707
Arun Sasi
Arun Sasi
8 years ago
Adminexile is also available for secure URL.
#701
P
Phil
8 years ago
So is Akeeba Admin Tools - they all do the same thing - its not a bad thing, but its not the best thing that can be done ;-)
#704
P
Phil
8 years ago
Its not too technical to have to use two logins!!! Even my 9 year old does that! EDUCATION on security is what has been missing for 10 years - this is why people still enter their bank details in phishing scams.ANY Joomla plugin that attempts to block login like this will cause CPU Spikes when brute force attacks happen.htaccess is the best solution as the CPU is drastically reduced - I know, Im a server admin for loads of mass attacked servers!The best solution is that Joomla can implement a htaccess pass through - so that the .htaccess user and password provided is actually passed through to Joomla for auto login - meaning only one set of credentials needed - but I have not yet had time to contribute that to Joomla as I'm still working through security issues with the current versions of Joomla that you know nothing about :) :) Yet :-)Can you spot when I placed the .htaccess on this servers 2 sites admin url? The first was being attacked and had jSecure enabled, the second was then attacked with no protection, and then with .htaccess passwords set on both admin console the load is much lower - http://screenshot.myjoomla.io/...
#703
Kawshar Ahmed
Kawshar Ahmed
8 years ago
Hey Phil, you are welcome to write details about Joomla security. We'll be very happy to publish a nicely described post from you.
#705
Alex Smirnov
Alex Smirnov
8 years ago
I agree with Phil, simplicity rules and nothing can beat the ol' good KISS approach! For those who don't fancy to fiddle with your hosting control panel to create .htaccess for the /administrator/, the already mentioned Admin Tools from Akeeba can do this job for you right under Joomla admin interface in five seconds, see my screen below. It can not be simpler than that! :)
#709
Arafat Bin Sultan
Arafat Bin Sultan
8 years ago
Thank you everyone for your thoughts and ideas! I wholeheartedly appreciate your participation in this discussion :)
#706
Create a new account
Forgot your password or username?

Sign up for our newsletter

Don’t miss any updates of our new templates and extensions and all the astonishing offers we bring for you.