 

Change Joomla Administrator URL

Update:

Since this question was asked, Joomla StackExchange has been set up and the same question exists there; please add any answers or comments to that question.

Original:

I am using Joomla 3.0.3 for a fairly big new client, and security is a must. I therefore decided to try to change the Administrator URL, normally

example.com/administrator

changed to

example.com/newadminurl

Reason being, if the folders aren't where potential hackers expect, that is the first hurdle before they can even try anything else.

However, that has now meant that whenever I go to the new URL it brings up a 403 error. I have tried searching for whether there is a global config setting I need to change, but can't find anything on the web or the Joomla site. Does anyone know how to change this deep down in the source code?

asked by tim.baker, Feb 22 '13 at 23:02


2 Answers

While there are hacks around that do this, they introduce new security issues as the Joomla! core isn't built to work this way.

In fact it is common practice, both in the core and in 3rd party extensions and templates, to load models, controllers and other assets from /administrator.

The best practice to secure your site is:

  1. Keep your Joomla! installation up-to-date (the most common cause is outdated installs)
  2. Don't hack core files; if you need extra functionality, duplicate the core component and extend that, not the core.
  3. Add a realm password to /administrator
  4. A secret word on the /administrator URL, e.g. /administrator/?s3cr3tpa55w0rd
  5. An IP whitelist that only allows select IP addresses to access /administrator
  6. Use unique and strong passwords
  7. Don't share passwords, even with your significant other...
  8. Enact a password policy on your site.
  9. Keep a tested and regular site backup in an off-server storage location.
  10. Run a file scanner to help you detect a hack, so that you're aware of where your last good backup was taken.

You can find extensions that do one or several of these things for you in the Access & Security section of the Joomla! Extension Directory (JED), and for integrated backup to cloud or other storage you can't go past Akeeba Backup (and personally for the tiny fee compared to the cost of my time we always go with the Pro versions).

In fact Akeeba's Admin Tools Pro (included in any of their subscriptions) also provides most of the features on that list through its WAF (web application firewall). The only area not covered is password management, for which there are several solutions available.

answered by Craig, Oct 17 '22 at 10:10
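Items 3 and 5 of the list above, the realm password and the IP whitelist, as an added example that is not Craig's code and not part of Joomla or Akeeba: an Apache 2.4 .htaccess placed in the real /administrator directory that admits a request only when it comes from an allowlisted source address AND carries a valid Basic-auth credential. The htpasswd path and the two addresses (documentation ranges) are placeholder assumptions.

```apache
# /administrator/.htaccess  (added example, not from the original answer)
# Requires mod_auth_basic, mod_authn_file, mod_authz_core, mod_authz_host
# and "AllowOverride AuthConfig" for the directory.

AuthType Basic
AuthName "Joomla backend"
# Placeholder path; keep the file outside the web root. Create it with:
#   htpasswd -B -c /etc/apache2/joomla.htpasswd alice     (-B = bcrypt hashes)
AuthUserFile /etc/apache2/joomla.htpasswd

# RequireAll = every Require inside must succeed (address AND password).
# Swap in RequireAny if the backend must stay reachable from anywhere
# with just the password, which is weaker.
<RequireAll>
    # Placeholder office/VPN egress addresses; replace with your own.
    Require ip 203.0.113.0/24 198.51.100.7
    # Any user listed in the htpasswd file, with the right password.
    Require valid-user
</RequireAll>
```

Two checks before relying on this: serve the backend over HTTPS only, because Basic auth repeats the credential (base64, not encrypted) on every request; and load the public front end with the browser console open and look for 401 responses on /administrator/... resources, since some extensions fetch assets from that path and would need a `<Files>` or `<FilesMatch>` exception rather than the realm being weakened for everything.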


Step 1. Create a new directory in your root directory (e.g. "newadminurl").

Step 2. Create an index.php file in your "newadminurl" directory:

<?php
// Set the session cookie that the administrator .htaccess checks for (Step 3)
$admin_cookie_code="3429020892";
setcookie("JoomlaAdminSession",$admin_cookie_code,0,"/");
// Then send the browser on to the real backend
header("Location: /administrator/index.php");
exit;
?>

Step 3. Add this to .htaccess of your real Joomla administrator directory

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=3429020892
RewriteRule .* - [L,F]

Explanation:

Now you need to open "http://yoursite.com/newadminurl/" before you open your "administrator" path. Here we have created a cookie that expires at the end of the session and redirected to the actual administration page. Your actual "administrator" path is inaccessible until you open your secret link.

I hope this is what you were looking for.

answered by Sagar Awasthi, Oct 17 '22 at 10:10
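The same secret-link gate as the answer above, which is also item 4 (a secret word on the /administrator URL) in the earlier answer, done entirely in the /administrator .htaccess with mod_rewrite and no extra PHP directory. This is an added example, not either answer's code and not anything shipped with Joomla. It assumes Apache 2.4 (for the QSD flag), that the backend is served over HTTPS (the cookie is marked Secure), and the placeholders s3cr3tpa55w0rd, the cookie name jadm_gate, its value, and the domain example.com are all assumptions to replace.

```apache
# /administrator/.htaccess  (added example, not the original answer's code)
RewriteEngine On

# Entry: visiting /administrator/?s3cr3tpa55w0rd sets the gate cookie and
# redirects to the clean URL.  CO=name:value:domain:lifetime:path:secure:httponly
#   lifetime 0  -> session cookie, like the answer's setcookie(..., 0, ...)
#   path /administrator -> never sent to the public front end
#   secure=1, httponly=1 -> HTTPS only, not readable by page scripts
# QSD drops the query string from the redirect target, otherwise the
# redirect would carry ?s3cr3tpa55w0rd again and loop.
RewriteCond %{QUERY_STRING} ^s3cr3tpa55w0rd$
RewriteRule ^ /administrator/ [R=302,L,QSD,CO=jadm_gate:7f3a9c21d4b8:example.com:0:/administrator:1:1]

# Gate: every other request must present the exact cookie.  The pattern is
# anchored on both sides (start or "; " before, ";" or end after) so that only
# the exact name=value pair passes, unlike an unanchored substring match.
# Without it the request is refused with 403, as in the answer above.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)jadm_gate=7f3a9c21d4b8(;|$)
RewriteRule .* - [F,L]
```

Generate your own cookie value (for example `openssl rand -hex 16`) rather than reusing the one here. Note what this does and does not buy you: it hides the login form from scanners that request /administrator blindly, but anyone who learns the secret URL or copies the cookie is through, and the cookie check is exactly as strong as the secret it compares against. Treat it as a first hurdle on top of the realm password and IP allowlist from the earlier answer, not as a replacement for them, and remember that a .htaccess in /administrator replaces, rather than adds to, any rewrite rules inherited from the site root unless RewriteOptions Inherit is set.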