3 Joomla Admin URL Tweaks to Keep Your Site Secured

Joomla is among the most popular content management systems around, used by thousands of people as the foundation for their websites. However, despite the powerful core, ease of use and customization options that made Joomla as popular as it is, some people are hesitant to choose it as their CMS because of one significant limitation: it doesn’t allow you to change the admin URL.

Janice Gentles-Jones’ “Joomla for Beginners” online course will convince you of the benefits of using Joomla, so if you are ready to give it a try but you’re a bit skeptical because of the admin URL issue, you will be glad to find out that there are some tweaks and tricks that will allow you to bypass this little drawback.

Joomla Admin URL, Hacking and Website Security

If you’re wondering what hacking has to do with the Joomla admin URL, the answer is simple: everything. While you or your webmaster use the admin URL to log in and gain access to the administration area, pretty much everyone else requesting it is most likely trying to gain unauthorized access to your site.

Let’s get one thing straight: the fact that the Joomla admin URL might be easily accessible does NOT automatically make your website insecure – a username and password are still required in order to get access to the website. However, getting to the login page is the first step hackers take when they want to infiltrate a website, so shutting this door will only make their job harder if they attempt to break into your site. Check out this online course on website hacking to learn more about commonly used hacking techniques in order to be able to determine and set up the proper countermeasures.

Plugins

The easiest way to limit access to the admin page of your Joomla-powered site is to install a plugin that modifies the admin page URL. This sounds a bit confusing at first, as I mentioned earlier that the admin URL cannot be changed. Let me be more specific: the admin URL, which is sitename.com/administrator, cannot be changed to something like sitename.com/admin-login; however, you can use a 3rd-party plugin (such as JLSecure My Site) to add an additional key to that URL. The result will be an admin URL that looks something like sitename.com/administrator?key=value, where “key” and “value” can be any values you want. This adds a solid extra layer of security to your website, preventing unauthorized access to the login page. You can find a lot of security plugins with similar functionality by visiting the “login protection” section of the Joomla Extensions Directory.

If you are not a fan of plugins and have some PHP programming experience, you could even write the code yourself. Just make sure the code you use to fix this issue doesn’t create any other security holes in your website. You can learn how to write secure PHP code from this online course.

Filters

Setting up IP-based filters for accessing the Joomla admin URL is also a good idea. The filters can be easily set from the .htaccess file, and only allow access to the specified URL if the request comes from an IP that has been previously whitelisted. If a person with an IP address that’s not in the whitelist tries to access the admin URL, they will either see an error message or be automatically redirected to the main page.

The downside of this method is that it requires you to have a static IP address, which can turn out to be a bit problematic if you move around a lot and need to be able to access your site from your laptop. A workaround for this issue is using a VPN that has a static IP and whitelisting that IP; this way, every time you’re logged into your VPN, you are using your whitelisted IP regardless of the network you are on.
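
The IP filter described in this section could look like the following in the .htaccess file of the administrator folder. This is an added example, not taken from the original article; the two addresses are documentation-range placeholders standing in for your own static IP and your VPN's static IP.

```apache
# administrator/.htaccess (constructed example)
# 203.0.113.10  = placeholder for your static IP
# 198.51.100.25 = placeholder for your VPN's static IP
# The server's AllowOverride setting must permit these directives
# (AuthConfig for Require, Limit for Order/Allow/Deny, FileInfo for mod_rewrite).

# Variant A: everyone else gets an error message (403 Forbidden).
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip 203.0.113.10
    Require ip 198.51.100.25
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.25
</IfModule>

# Variant B (use instead of A): everyone else is redirected to the main page.
# Consecutive RewriteCond lines are ANDed, so the rule fires only when the
# client address matches neither whitelisted IP.
# <IfModule mod_rewrite.c>
#     RewriteEngine On
#     RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
#     RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.25$
#     RewriteRule ^ / [R=302,L]
# </IfModule>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so the filter has to be applied at the proxy, or the real client address restored first (for example with mod_remoteip).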

Cookies

This method uses a very interesting technique to access the admin URL link, but requires a bit of preparation and an extra step in the login process. You will need to create a new folder in your Joomla root directory and, in the index.php file of that folder, place the following code:

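<?php
// Placeholder value: replace it with a long random string of your own
// and use the same value in the .htaccess rule.
$admin_cookie_code="12345678";

// Session cookie (expires when the browser closes), valid for the whole site.
setcookie("JoomlaAdminSession",$admin_cookie_code,0,"/");

// Send the browser on to the real login page and stop.
header("Location: /administrator/index.php");
exit;

?>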

You will then need to add the following piece of code to the .htaccess file in your administrator directory:

# Refuse (403 Forbidden) any request under /administrator that does not carry the cookie.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=12345678
RewriteRule .* - [L,F]

The first snippet of code will generate a cookie with a certain code (in this case “12345678”) every time you visit the index page in the directory you created, while the second piece makes the admin URL require that cookie to be present on your system in order for the login page to be displayed. This means that, in order to log in to the admin section, you will first need to go to the address of your secret folder, so unless someone knows the exact address of the folder you created, they won’t be able to access the Joomla admin URL.

An aspect you should take into consideration when using cookies is to always make the modifications to the .htaccess file in the real administrator folder rather than to the index.php file. While modifying the index.php file might also work, this file is usually updated every time you install a Joomla update, so the modifications you made might be overwritten without you even knowing it.

Conclusion

Despite the fact that gaining access to the Joomla admin URL is something like robbers getting to the backdoor of your house, there is still no real threat if that door is made of solid steel and requires a unique key to be opened. Be that as it may, if you just want to feel safer, these simple tweaks will allow you to prevent unauthorized access to the admin URL. With this area secured, all that’s left to do is to make sure all the other elements of your website are secured – learn how to test them by taking this thorough online course on ethical hacking & application penetration testing.