
I've been using Joomla for the past 2 years. As Joomla is a very popular CMS for PHP lovers, hackers are always trying to deface websites built on Joomla. Anyone can easily detect whether a website is running on Joomla or any other platform by using the Wappalyzer tool. In Joomla we can access the administrator panel by typing http://phalana.com/administrator.

So my question is: how do I change /administrator to something else so that hackers will not get to the administrator panel? So far I've seen a number of extensions in the official Joomla directory, but something is still lacking in them. Can anyone help me change the administrator path?

Techie
Oh What A Noob
  • http://stackoverflow.com/questions/13138164/how-can-i-change-the-joomla-administrator-url-by-php-no-plugins – Irfan Jan 07 '13 at 11:25

2 Answers


Changing /administrator is a very bad idea for a lot of reasons, the top one amongst them, ironically, being security. Apart from that it:

  • breaks lots of components
  • cuts you off from easy application of security updates
  • the effects of renaming are unknown from a security point of view

The best way to secure Joomla's /administrator area is to follow some simple steps...

  1. Add realm authentication to the /administrator directory; that way, unless your hacker manages to figure out the username and password, they're stumped.
  2. Use an extension like JSecure or Akeeba's Admin Tools (both allow you to set a "secret word" on the administrator URL), or check the extensions already available in the Login Protection section of the Joomla! Extension Directory (called JED for short). N.B. I personally like Admin Tools the most, with the /administrator?secretword, their application firewall and the .htaccess maker.
  3. Follow the advice on the Joomla Docs website's Security Checklist.

Personally we do all of these things and a bit more... as we keep telling people.

Craig
  • Well, I'm using a plugin named "admin alexim", which is really a good plugin. It mainly protects the /administrator path by redirecting it to the home page whenever anyone tries to open administrator..:) – Oh What A Noob Jan 07 '13 at 12:46
  • Never heard of it... where did you find it? – Craig Jan 07 '13 at 13:14
  • http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection There are numerous kinds of Joomla extensions there, and the name of that plugin is AdminExile. What it really does is change your site administrator link to something like this: www.google.com/administrator?lol=lol123 . Note: you have to change the suffix value according to your needs in the plugin. – Oh What A Noob Jan 07 '13 at 13:24
  • Ah ok, I know that one (I was looking for "admin alexim" per your comment). AdminExile is like a basic copy of the JSecure with only the plugin aspect and not the backed component features. – Craig Jan 07 '13 at 13:49
    AdminExile is my extension - it ranks higher than JSecure for a reason. – Michael Jun 01 '13 at 20:24

You can protect or hide your /administrator directory by creating an alternative directory which sets a cookie that is sent in the HTTP header of the request. That cookie will be validated by the index.php file in the /administrator directory; if it is not validated (when an unauthorized user wants to detect whether your site is Joomla based via the well-known /administrator directory), then the request will be redirected to the root directory of your site.

These are the steps.

*create an alternative /administrator directory ie: /admins_place

*inside /admins_place, create an index.php with the following code snippet

<?php
// /admins_place/index.php: hand out the gate cookie, then forward to the real admin entry point.
$admin_cookie_code = "_hashed_secret_code_here_";
setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/");
header("Location: ../administrator/index.php");
exit; // stop here so nothing else is sent after the redirect
?>

*In administrator directory add this code snippet at the beginning of the index.php file.

<?php
// /administrator/index.php (top of file): only continue into Joomla when the gate cookie matches.
// The secret must be exactly the value set in /admins_place/index.php.
if (!isset($_COOKIE['JoomlaAdminSession']) || $_COOKIE['JoomlaAdminSession'] != "_hashed_secret_code_here_") {
    header("Location: ../index.php");
    exit; // without exit, Joomla's admin page would still be served after the redirect header
}

I hope this helps

snaphuman
    Instead of your last adjustment, you can use an .htaccess file: `RewriteCond %{REQUEST_URI} ^/administrator RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=_hashed_secret_code_here_ RewriteRule .* - [L,F]` – Nijboer IT Aug 24 '15 at 11:22
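As an added example (not snaphuman's code and not from any Joomla extension), here is a hardened form of the same cookie gate: the secret is compared with `hash_equals`, the cookie is set HttpOnly and Secure and scoped to /administrator, and each script exits after redirecting so the admin page is never served when the check fails. The constant names and the `joomla_admin_gate_*` functions are assumptions; the options-array form of `setcookie` needs PHP 7.3 or later. As Craig's answer notes, this only hides the panel from casual scanners and is no substitute for real authentication.

```php
<?php
// Added example, not part of the original answer.
// The secret below is a placeholder: generate a real one once with
// bin2hex(random_bytes(32)) and keep it in a file outside the web root.
const ADMIN_GATE_COOKIE = 'JoomlaAdminSession';
const ADMIN_GATE_SECRET = '_hashed_secret_code_here_';

// True only when the request carries a cookie equal to the secret.
// hash_equals() gives a constant-time comparison, so a near-miss
// and a complete miss take the same time to reject.
function joomla_admin_gate_ok(array $cookies, string $secret): bool
{
    $value = $cookies[ADMIN_GATE_COOKIE] ?? null;
    if (!is_string($value)) {
        return false;
    }
    return hash_equals($secret, $value);
}

// /admins_place/index.php: issue the cookie, then forward to the real admin path.
function joomla_admin_gate_issue(string $secret): void
{
    setcookie(ADMIN_GATE_COOKIE, $secret, [
        'expires'  => 0,                 // session cookie, gone when the browser closes
        'path'     => '/administrator',  // never sent to the public site
        'secure'   => true,              // only over HTTPS
        'httponly' => true,              // not readable by page scripts
        'samesite' => 'Strict',
    ]);
    header('Location: /administrator/index.php', true, 302);
    exit;
}

// Top of /administrator/index.php: send the visitor to the site root unless the cookie matches.
function joomla_admin_gate_enforce(string $secret): void
{
    if (!joomla_admin_gate_ok($_COOKIE, $secret)) {
        header('Location: /index.php', true, 302);
        exit; // without exit Joomla would still render the admin page behind the redirect
    }
}

// Usage: call joomla_admin_gate_issue(ADMIN_GATE_SECRET) from /admins_place/index.php
// and joomla_admin_gate_enforce(ADMIN_GATE_SECRET) as the first statement of /administrator/index.php.
```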