This is a quick article to remind me how to move a Joomla administration section and to lock it down to a specific IP address. The below does not involve installing any third-party extensions and will remain in place even if you update your Joomla CMS.
Why?
When checking audit logs, I sometimes see that my administrator URL is accessed more than my front-end. The below has worked for me on Joomla websites in general and prevents the administrator URL showing up at all in the stats (unless you were using it).
Leaving this unchecked means that the crackers/hackers will get through eventually, whether by brute force, denial of service, injection, etc. I'm not saying these are silver bullets, but they will slow down some people.
How?
The below will a) change the /administrator location and b) limit access to a single IP address. Note that the second part needs a static IP address: business connections usually have one, while home broadband addresses are often long-lived but not guaranteed to stay the same, so check with your ISP before relying on it. In case you don't have one, the two stages are independent and the first can be used on its own.
Move the /administrator URL
- Create a folder in the root of your joomla website with a name that is difficult to guess but easy to memorise.
- Create a file called index.php in the folder you just made with the following contents:

```php
<?php
// Change this to a value that is difficult to guess; it must match the root .htaccess rule
$admin_cookie_code = "1234567890";
// Session cookie (expiry 0) for the whole site; HttpOnly keeps it away from page scripts
setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/", "", false, true);
// Hand the browser on to the real administrator URL
header("Location: /administrator/index.php");
exit;
```
- Append the following code to the .htaccess file in the root of your joomla website (Apache does not allow a comment at the end of a directive line, so each comment sits on its own line):

```apache
# Admin Redirect
RewriteEngine On
# Anything whose path starts with /administrator (this also covers admin images and CSS on Joomla 3.x)
RewriteCond %{REQUEST_URI} ^/administrator
# ...unless the browser presents the cookie; change the value to match the PHP script above
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=1234567890
# Otherwise answer 403 Forbidden
RewriteRule .* - [L,F]
```

The pattern is anchored at the site root with ^/administrator. A dot in a regular expression matches any single character, so it cannot be used to mean "parent directory" here; if Joomla is installed in a sub-directory, put that prefix in the pattern instead (e.g. ^/site/administrator).
Caveat: If you log in to the administrator section on a shared computer, ensure you close the browser (and all tabs) once done, or this cookie will remain on the computer and will be readable by other users of the same computer (irrespective of whether you have logged out of the CMS). The cookie value is the only thing standing between a visitor and the login page, so treat it like a password rather than a sequence such as 1234567890.
Add an IP filter
To use this method you need a static IP address (check with your ISP: a home broadband address that has not changed for months is still not guaranteed to stay fixed, and you will lock yourself out of the administrator section when it does). The below also only allows one IP address, i.e. one location from which an admin user can log in.
- Create a .htaccess file in your /administrator folder with the following content (this is the Apache 2.2 access syntax; on Apache 2.4 it only works with mod_access_compat enabled, otherwise use the equivalent Require directives):

```apache
# ALLOW USER BY IP
# No <Limit GET POST> wrapper: it would leave every other HTTP method (HEAD, PUT, OPTIONS...) unrestricted
order deny,allow
deny from all
# change 123.123.123.123 to your static IP address
allow from 123.123.123.123
# PREVENT VIEWING OF .HTACCESS
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Use a site-relative path for your 403 - forbidden page; a full URL makes Apache send a redirect instead of a 403
ErrorDocument 403 /error/403.html
```
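The two procedures above put the same cookie value into two files (the PHP script and the root .htaccess) and the allowed address into a third, which is where this setup usually drifts: one file gets edited or restored from backup and the gate silently stops matching. The following shell script is an added example and not part of the original article. It generates all three files in one go with a random 128-bit cookie value, the ^/administrator pattern, an HttpOnly and Secure cookie, and the Apache 2.4 "Require ip" form of the allowlist for as many addresses or CIDR ranges as you pass; a second function re-reads the files and fails if the cookie values no longer agree. It assumes Apache 2.4 with mod_rewrite and mod_authz_core, that the administrator section is served over HTTPS (browsers refuse to set a Secure cookie over plain HTTP), and that the web root you pass already contains Joomla's administrator/ directory. The function names, the folder name and the 203.0.113.x addresses are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original article): generate the secret-folder
# index.php, the root .htaccess gate and the administrator/ IP allowlist with
# one shared cookie value, so the three files cannot drift apart.
# Assumes Apache 2.4 (mod_rewrite, mod_authz_core) and an HTTPS site.
# Usage: gen_admin_lockdown /var/www/site secret-folder 203.0.113.10 203.0.113.0/24

gen_admin_lockdown() {
    root=$1; folder=$2; shift 2
    [ -d "$root/administrator" ] || { echo "no administrator/ under $root" >&2; return 1; }
    [ $# -ge 1 ] || { echo "at least one allowed IP or CIDR is required" >&2; return 1; }

    # 128-bit random cookie value instead of a guessable "1234567890"
    code=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')

    mkdir -p "$root/$folder"
    cat > "$root/$folder/index.php" <<EOF
<?php
// Sets the gate cookie and sends the browser on to the real administrator URL.
// HttpOnly keeps the cookie away from page scripts, Secure keeps it off plain HTTP.
\$admin_cookie_code = "$code";
setcookie("JoomlaAdminSession", \$admin_cookie_code, 0, "/", "", true, true);
header("Location: /administrator/index.php");
exit;
EOF

    # Apache does not allow trailing comments on directive lines, so they go on their own lines
    cat >> "$root/.htaccess" <<EOF

# Admin gate: refuse anything under /administrator unless the gate cookie is present
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=$code
RewriteRule .* - [L,F]
EOF

    # Apache 2.4 allowlist; applies to every HTTP method, not just GET and POST
    {
        echo "# Allow administrator access only from these addresses"
        printf 'Require ip'
        for ip; do printf ' %s' "$ip"; done
        echo
        echo "<Files .htaccess>"
        echo "Require all denied"
        echo "</Files>"
    } > "$root/administrator/.htaccess"

    # Print the value so the operator can record it
    echo "$code"
}

# Returns 0 when the cookie value in index.php matches the one in the root .htaccess
check_gate_consistency() {
    root=$1; folder=$2
    php_code=$(sed -n 's/.*\$admin_cookie_code = "\([0-9a-f]*\)".*/\1/p' "$root/$folder/index.php")
    ht_code=$(sed -n 's/.*JoomlaAdminSession=\([0-9a-f]*\).*/\1/p' "$root/.htaccess" | tail -n 1)
    [ -n "$php_code" ] && [ "$php_code" = "$ht_code" ]
}
```

Run it once, note the printed value, then browse to https://your-site/<folder>/ to receive the cookie; running check_gate_consistency from a cron job or a deployment hook catches the case where a restored or hand-edited .htaccess no longer matches the PHP script.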
These are two methods I like and will work in tandem. They will not affect the standard visitors to your Joomla website (specifically those not interested in logging into the administrator section). Updated for Joomla 3.x but pretty much the same system as used for previous versions of Joomla. I hope this helps you tune down those pesky visitors.