Enhance Joomla website security by hiding admin login URL - JoomShaper

09 December 2015

Security has no boundary. It’s much more than a complex password. What if we could keep attackers from reaching the login page at all? That would put your site in a better state of security. The default admin login URL of a Joomla site looks like “www.yoursite.com/administrator”, and this address brings up the admin login area by default. Now we will see how to change this URL to hide the backend login door.

We can do this in a few moments; it’s that easy. But don’t dismiss this trick as a silly thing. It can save your site from destructive cyber attacks. We will use a free extension, “jSecure Lite”, for this purpose. Download the extension from its developer’s site. You will need to register and log in to their site to download it.

After the download completes, you will have a zipped folder that contains separate ‘jSecure Lite’ builds for different Joomla versions. Now go to your Joomla admin panel and navigate to Extensions > Manage. There you will find an option to upload an extension package file.

Upload and install the jSecure Lite build that matches your Joomla version.

Once you’ve installed and activated the extension, go to the admin control panel again and navigate to Components > jSecure Lite > Basic Configuration.

Ensure that the functionality is enabled and the Pass Key option is set for URL (see the screenshot above). Now set a Pass Key and save. You must remember this key because it has to be included in the login URL; otherwise you will not get the login form. After the key is saved successfully, your login URL will have the form “www.yoursite.com/administrator/?key”. The default “http://localhost/joomla/administrator” will not work.

jSecure is a premium extension with many other security features. The jSecure Lite version gives you just a flavor of the full product. You may find the full feature list of this extension here.

Hopefully I’ll be back with more tips and tricks in the near future. Stay tuned!

Arafat Bin Sultan

Arafat is a tech-enthusiast with a keen interest in space, photography, and video making.

Comments (9)

Phil

I don't recommend this at all. Brute force attacks on the administrator URL will still happen even with jSecure, but they will just be redirected - this puts increased load on the server's CPU as Apache has to load MySQL and PHP layers just to redirect the request away from /administrator/. The "correct" way to stop brute force admin attacks is to protect your /administrator/ URL with a .htaccess/.htpasswd popup - this stops the request at the Apache layer and DRASTICALLY reduces the CPU load on the server during a brute force attack. This has been proven in real world attacks on many servers/sites.

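
The .htaccess/.htpasswd protection described in the comment above, sketched as an added example (not part of the original post or comments, and not taken from Joomla or jSecure). The `AuthUserFile` path, the realm text and the user name in the comment are placeholders, and it assumes Apache 2.4 with `AllowOverride AuthConfig` in effect for the site.

```apache
# File: <joomla-root>/administrator/.htaccess
# Added example; the path, realm text and user name are placeholders.
#
# Create the credentials file once, outside the web root, e.g.:
#   htpasswd -c -B /home/example/.htpasswd-joomla-admin siteadmin
# -c creates the file, -B stores a bcrypt hash. Drop -c when adding
# further users, otherwise the existing file is overwritten.

AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd-joomla-admin
Require valid-user

# Answer failed attempts with Apache's built-in 401 message, so the
# error response is not served through a custom (PHP) error page.
ErrorDocument 401 default
```

Basic authentication sends the user name and password base64-encoded with every request, so serve /administrator/ over HTTPS only. Requests without valid credentials are answered with a 401 by Apache itself and never reach Joomla's PHP code.
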
pepperstreet (replying to Phil)

Thanks for your advice and technical explanation!

Arun Sasi (replying to Phil)

Hi, write a post about blocking URLs via .htaccess with some examples.

Arun Sasi

Adminexile is also available for secure URL.

Phil (replying to Arun Sasi)

So is Akeeba Admin Tools - they all do the same thing - it's not a bad thing, but it's not the best thing that can be done ;-)

Phil

It's not too technical to have to use two logins!!! Even my 9 year old does that! EDUCATION on security is what has been missing for 10 years - this is why people still enter their bank details in phishing scams. ANY Joomla plugin that attempts to block login like this will cause CPU spikes when brute force attacks happen. htaccess is the best solution as the CPU is drastically reduced - I know, I'm a server admin for loads of mass attacked servers! The best solution is that Joomla can implement a htaccess pass through - so that the .htaccess user and password provided is actually passed through to Joomla for auto login - meaning only one set of credentials needed - but I have not yet had time to contribute that to Joomla as I'm still working through security issues with the current versions of Joomla that you know nothing about yet :-) Can you spot when I placed the .htaccess on this server's 2 sites' admin URL? The first was being attacked and had jSecure enabled, the second was then attacked with no protection, and then with .htaccess passwords set on both admin consoles the load is much lower - http://screenshot.myjoomla.io/...

Kawshar Ahmed (replying to Phil)

Hey Phil, you are welcome to write details about Joomla security. We'll be very happy to publish a nicely described post from you.

Alex Smirnov (replying to Phil)

I agree with Phil, simplicity rules and nothing can beat the ol' good KISS approach! For those who don't fancy to fiddle with your hosting control panel to create .htaccess for the /administrator/, the already mentioned Admin Tools from Akeeba can do this job for you right under Joomla admin interface in five seconds, see my screen below. It can not be simpler than that!

Arafat Bin Sultan

Thank you everyone for your thoughts and ideas! I wholeheartedly appreciate your participation in this discussion.
