Updated:
19 March 2023

Hiding URL to your Administrator Panel (Joomla)

19 March 2023

A useful tutorial describing an easy and effective way to protect access to Joomla's Administrator Panel without any hacks or 3rd party extensions. This is something that should be implemented on every Joomla-driven site.

First, let's examine why this is necessary.

Joomla is a popular CMS that is often installed by various users, including non-professionals. Most users tend to only install WordPress, and as a result, the easy setup often leads to serious consequences.

For some reason, even beginners tend to name the Super User account "admin". This is typical behavior. Moreover, passwords are often chosen to be simple enough for beginners to remember. It's not difficult to imagine the results that might occur.

Choose any username except "admin"!

When installing Joomla, it's not necessary to use "admin" as the admin account. In fact, this is a bad practice, as it makes it easier for attackers to guess the login. Choose anything but "admin"!

Can we do that?
Yes, we can! And it's even necessary!

What can be done with the administrator folder?

Of course, it is not surprising that such sites fall victim to automated attack bots, which look for easy targets for standard attacks. The target of such bots is often the Administrator Panel.

So, the first thought of those who have heard about Joomla sites being hacked and want to protect themselves is, "Is it possible to rename Joomla's administrator folder to something else?" By that logic, bots will go to the wrong place and there will be no hacking.

So, is it possible to change the administrator folder?

The answer is both yes and no. Until recently, my answer would have been no.

The standard answer to these types of questions has always been to install a plugin, extension, or module. However, in my personal opinion, the more plugins, extensions, and modules you add, the more problems you will encounter in the future.

Not all extensions are equally well-supported, and not all support groups will solve private incompatibility issues with other extensions. Often, the argument from support will be that "on a clean Joomla, our extension works fine, and what doesn't work is the problem of the extensions you've installed."

I've heard this many times, and it seems like you've paid for the extension, bought it, and no one wants to solve your problems. The key phrase here is "your problems."

What to do?

You can actually do just fine without third-party extensions.

The solution is simple: when you visit a secret address, your browser sets a special secret cookie that acts as a pass to the administrator folder. All other requests are denied. This provides the same behavior as renaming the Joomla folder, so any attempts to access the administrator folder will result in a 403 (access denied) or 404 (page not found) error.

How can you do this?

You'll need to modify the .htaccess file and find the following lines:


```apache
## No directory listings
IndexIgnore *

## Can be commented out if causes errors, see notes above.
Options +FollowSymlinks
Options -Indexes

## Mod_rewrite in use.

RewriteEngine On
```

Let's insert the following lines after RewriteEngine On:


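```apache
# Deny (403) any /administrator request that arrives without the pass cookie,
# except for /administrator/cache.
RewriteCond %{HTTP_COOKIE} !joomla2023
RewriteCond %{REQUEST_URI} ^/administrator [NC]
RewriteCond %{REQUEST_URI} !^/administrator/cache [NC]
RewriteRule .? - [F]
# The secret URL sets the pass cookie and redirects (303) to the panel.
RewriteCond %{REQUEST_URI} ^/hiddenway$
RewriteRule .? /administrator/ [CO=joomla2023:1:%{HTTP_HOST},R=303,L]
```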

What can be changed here and what does it mean?

  • joomla2023 is the name of the cookie that gets set. Of course, it is better to change it to a custom name for security reasons. Note that you have to change it in two places.
  • hiddenway is effectively the new name of your folder. It definitely should be changed to your custom name.

After making these changes, the URL to access the Administrator Panel would be https://site.com/hiddenway. It's important to note that the URL should not have a trailing slash; otherwise, the user won't be able to access the panel.

Note: After making these changes, the URL to access the Administrator Panel would be
https://site.com/hiddenway

The URL should NOT have a trailing slash; otherwise, the user won't be able to access the panel. This means that if you try to open a URL like:
https://site.com/hiddenway/
you will not reach the Administrator Panel! Make sure there is no / slash at the end of the URL. Do not use a trailing slash!
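
The following Python model of the two rules is an added example, not part of the original article. It reproduces the rules' regular expressions to show which status each request receives, including the trailing-slash case; the sample requests are constructed, and the names `evaluate`, `SAMPLES` and `run_samples` are hypothetical.

```python
import re

COOKIE = "joomla2023"    # cookie name used in the page's rules
SECRET = "/hiddenway"    # secret entry path used in the page's rules

def evaluate(path, cookie_header=""):
    """Model the page's two rules for one request.

    Returns (status, set_cookie); status None means no rule fired and the
    request is handled by Joomla as usual.
    """
    # Rule 1: the three RewriteCond lines are ANDed before [F] applies.
    lacks_pass = re.search(COOKIE, cookie_header) is None             # !joomla2023
    is_admin = re.search(r"^/administrator", path, re.I) is not None  # [NC]
    is_cache = re.search(r"^/administrator/cache", path, re.I) is not None
    if lacks_pass and is_admin and not is_cache:
        return 403, None
    # Rule 2: case-sensitive exact match, so a trailing slash does not match.
    if re.search("^" + re.escape(SECRET) + "$", path):
        return 303, f"{COOKIE}=1"
    return None, None

# Constructed sample requests: (path, Cookie header)
SAMPLES = [
    ("/administrator/", ""),                   # direct hit, no pass cookie
    ("/Administrator/index.php", ""),          # [NC] ignores case
    ("/administrator/cache/page.css", ""),     # exempted path
    ("/hiddenway", ""),                        # secret URL
    ("/hiddenway/", ""),                       # trailing slash
    ("/administrator/", "joomla2023=1"),       # pass cookie present
    ("/administrator/", "note=xjoomla2023x"),  # string anywhere in the header
]

def run_samples():
    return [(p, c, *evaluate(p, c)) for p, c in SAMPLES]

if __name__ == "__main__":
    for path, cookie, status, set_cookie in run_samples():
        print(f"{path:32} cookie={cookie!r:22} -> {status} {set_cookie or ''}")
```

The last sample shows that the cookie condition is a substring match on the whole Cookie header, so the chosen string is the only secret and should be long and hard to guess.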

What are the pitfalls?

However, there may be some pitfalls when implementing this solution. Hosting companies often configure Nginx and Apache servers to work together, which could cause the system to malfunction due to incorrect configuration. In such cases, it's recommended to contact your hosting provider and ask them to add a rule for the proxy server to skip cookies from Apache.

Original article

Eugene Sivokon

Product manager and Joomla enthusiast who has worked in many major web development roles since 2002 taking on a wide array of various projects.