Technical Papers by Kevin Morrison
Best Way To Secure Your Joomla Admin
We are constantly trying to keep our Joomla sites out of the hands of the lowlife scum that would do us harm for no other reason than their personal kicks. There is one way to help in that endeavor that is easy to set up with a minimal side effect.
I have found this is the single most effective method of securing your site's administrator area and I have watched it work many times, so I am confident that if you follow these simple steps you can rest a bit easier.
I will not kid you though, this is not the only thing you should be doing to ensure your site is as secure as it can be and I will elaborate on what else you can do in an upcoming article, but for a quick and immediate feature in that process here is what you can do.
Using Akeeba Admin Tools we can apply a keyword to our admin area that changes the link to your admin login from www.your-joomla-site.com/administrator to something obfuscated that an intruder will then have to guess before they have access to the login. I am not sure if this feature is available in the free version of Admin Tools, but the reality is if you are reading this and don't have a paid version you are selling your site's security short anyway and should really consider this as one of the most valuable investments you can make. Not only that, but the developer has made it available to install on all your Joomla sites, so if you have more than one site the value of this tool goes up.
To start, log in to your administrator for the last time with the administrator address and navigate to "Components > Admin Tools".
Once inside Akeeba Admin Tools click the "Web Application Firewall" icon.
On this page click the "Configure WAF" icon.
Here is where the magic happens... you should already be in the right tab, but check to make sure you are in the "Basic Protection Features" tab and scroll down to find the field labeled "Change Administrator Login Directory To". In the field provided take your secret word that you want to use and type it in the empty field. In my example I have used "securelinkhere".
Once you have done that it is a simple matter of saving your work. To test this, go ahead and log out of your administrator site and try it out. Now, to get back into your admin area, instead of typing "administrator" you will replace it with the secret word you put in Admin Tools. If you did everything right the browser will simply refresh and greet you with the standard admin login screen. If you do it wrong it will just default to your site's home page.
Be aware that if you are not careful and you have set up Admin Tools to block those lowlifes, you may end up on the spammer list. If you do, don't panic; all you need to do is go into your database and remove your IP address from the correct table. That, I am afraid, is a topic for another post, but Nic has great tutorials and instructions on the Akeeba site to help you get back into your site.
I had a site that was getting pounded by some moron that was relentlessly trying to guess my admin login. While I found it rather amusing reading the possible combinations they were using, at the same time it was as irritating as a pesky house fly that would not leave me alone. Once I set this up they tried a few times to guess the login link but quickly gave up, and it was a real treat to log in to Admin Tools and see the exceptions graph take a nose dive.
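The same drop-off can be checked from the web server's access log. The following is an added example, not part of the original post or of Admin Tools: it lists clients that keep requesting the default /administrator address without ever using the secret word. It assumes Apache/Nginx combined log format and that the secret word ("securelinkhere" from the example above) appears as the first path segment of a request; `find_admin_probers`, its threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: access log is in Apache/Nginx "combined" format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*"')

def first_segment(path):
    """First path segment, lower-cased, with any query string removed."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0].lower()

def find_admin_probers(lines, secret="securelinkhere", threshold=3):
    """Return {ip: hits} for clients that requested /administrator at least
    `threshold` times and never requested the secret directory."""
    default_hits = Counter()
    knows_secret = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        seg = first_segment(m.group("path"))
        if seg == secret.lower():
            knows_secret.add(m.group("ip"))   # someone who knows the word
        elif seg == "administrator":
            default_hits[m.group("ip")] += 1  # hit on the default address
    return {ip: n for ip, n in default_hits.items()
            if n >= threshold and ip not in knows_secret}

def _line(ip, request):
    # Builds one constructed log line; status and size are placeholders.
    return f'{ip} - - [10/Mar/2024:10:00:00 +0000] "{request} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample traffic using documentation IP ranges, not real data.
SAMPLE_LOG = [
    _line("203.0.113.7", "GET /administrator/"),
    _line("203.0.113.7", "POST /administrator/index.php"),
    _line("203.0.113.7", "GET /Administrator/index.php?option=com_login"),
    _line("203.0.113.7", "GET /admin"),
    _line("203.0.113.7", "GET /administrator"),
    _line("198.51.100.20", "GET /securelinkhere"),
    _line("198.51.100.20", "GET /administrator/index.php"),
    _line("198.51.100.20", "GET /administrator/index.php"),
    _line("198.51.100.20", "GET /administrator/index.php"),
    _line("192.0.2.55", "GET /administrator/"),
    "not a log line",
]

if __name__ == "__main__":
    for ip, hits in find_admin_probers(SAMPLE_LOG).items():
        print(f"{ip}: {hits} requests to /administrator without the secret word")
```

The client that used the secret word is excluded even though it also requests /administrator afterwards, so your own logins do not show up as probes.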
So I hope I have helped show you one way that you can secure your Joomla site, but let me reiterate that this is by no means the only thing you should be doing to secure your site. As soon as I get some time I will put together a more in-depth post on some more robust methods.