Change name of Administrator folder

Post by stuffdone » Fri Apr 29, 2016 4:15 pm

I know this has been asked before, but there really needs to be a way to change the name of the administrator folder.

I know all the security tricks. I have .htaccess with IP restrictions etc.

But none of those does anything to prevent a DDOS attack on the server.

Today my server was almost unresponsive due to such an attack trying to access via one domain /administrator. The security might prevent access but cannot stop the load from the attack. Since every hacker in the world knows the admin folder it is open season.

The only way I could halt this was to rename the directory. All they got after that were 404 errors. It worked but of course killed that site. Better one than all of them.


Why is it upon install of a new Joomla we cannot choose what to name the administrator directory? Let the installation handle all the necessary alterations.

That way no one knows the location and DDOS and other attacks on that folder become far less of a possibility.

Re: Change name of Administrator folder

Post by AlexVega » Fri Apr 29, 2016 6:42 pm

Hi there,

Unfortunately at this time it's not possible to change the name, so you can't.

Please check this post:
http://forum.joomla.org/viewtopic.php?f=714&t=922472

Cheers.

Re: Change name of Administrator folder

Post by deleted user » Fri Apr 29, 2016 11:15 pm

In all honesty, there are more technical challenges to be addressed from making this directory possible to be renamed than there are gains IMO. Issues include, but aren't limited to:

- URL routing for the admin (the admin app codes the root URL as /administrator)
- Handling for extension install/update (and what you break by magically trying to convert /administrator in either URLs or file paths to another location)
- Handling for core updates (core unpacks the /administrator directory at /administrator, without rewriting the unzip routine to change file paths updates wouldn't apply correctly)

There are ways to lock down access to it at the PHP and web server layers, and those should be used over trying to rename the directory.

Re: Change name of Administrator folder

Post by stuffdone » Mon May 02, 2016 2:32 pm

Thanks. Is there a specific link with all methods to secure /administrator ?

I have added .htaccess file to that directory but what other options exist?

Just thinking out loud about the future: I get the issues of renaming on current installations or new installs of current releases. (Also an issue of upgrading in future.)

But...

I am not a developer but would it be feasible for some future release of Joomla to provide the ability to choose your own name for the admin location and have the install script make the required entries at that time so everything works? Seems if the installation is writing the files to use the /administrator directory at install time, any name could be specified at that time. Would seem to be a good security feature since hackers would have a very hard time guessing what directory to attack vs. everyone knowing as it is now.

...
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog

Re: Change name of Administrator folder

Post by stuffdone » Mon May 02, 2016 2:44 pm

I read the info on jSecure but seems the most powerful part of that extension is covered with a simple .htaccess with only the IP addresses of the authorized computers.

I also use an .htaccess in the images folder to prevent any scripts from running from that location. Any extension other than .png, .jpg etc won't be allowed to "run" so no scripts or pdf files in that directory.

Re: Change name of Administrator folder

Post by deleted user » Mon May 02, 2016 6:09 pm

stuffdone wrote: I am not a developer but would it be feasible for some future release of Joomla to provide the ability to choose your own name for the admin location and have the install script make the required entries at that time so everything works?
No, it wouldn't. The three things I mentioned above are just the tip of the iceberg when it comes to issues with renaming the admin directory. The same issues apply to any directory which has a JPATH_ constant applied to it (which in theory means one could redefine the paths to those directories, not just the /administrator directory but /plugins and /libraries too as examples). Just adding a parameter to rename your administrator directory is not enough; the number of code changes needed to make this work honestly makes the effort not worth it and IMO lowers the code's stability versus the "known" path it is today.

Re: Change name of Administrator folder

Post by stuffdone » Mon May 02, 2016 7:28 pm

Ok but that was not what I was suggesting. Not "re-naming" admin on anything existing but having the option at some time in future to specify a name for new installations where the installation would adjust paths accordingly.

Re: Change name of Administrator folder

Post by deleted user » Mon May 02, 2016 8:16 pm

The same effort to allow it for new installs would also affect existing installs. So it's an all in one package. At a very high level, adding a single field to the install app to specify a name and then having the install app rename the admin directory is very simple. That single action though will immediately break a site without rewriting the core path constant definitions. Those path constants are defined at a point before even the configuration file is loaded, and ironically the config file also has a customizable path constant that lets you map your config file elsewhere. That alone gets you into a chicken or egg type scenario. Auto-generating this defines.php file isn't too terribly difficult, and Joomla core already supports a custom path to find that, so that part can most likely be done without catastrophic failure. But again though, that single change doesn't solve the rest of the infrastructure changes needed, to include:

- Overloading native extraction package behaviors to change the file path for part of the package when you're running a core update (instead of extracting the package in place over your existing install, you'd most likely have to extract it into your /tmp directory then move things over)
- Ensuring that extension install adapters correctly place files destined for /administrator in your custom path (for most extension types, this is not an issue as they have standardized paths; the files adapter though lets you specify custom paths so if /administrator is specified as the root path for files in that adapter does it mean that it will always be the /administrator directory or is that string magically converted to whatever the user who installed the extension has set their directory name to be?)
- Ensuring that form definitions do not break when they add lookup paths (the XML schema has several addXXXpath methods which would have the same quirks as the files extension adapter)

Even if the core CMS did make the changes needed to support that, it also requires every extension to validate that they are using paths in a specific way. JPATH_ROOT . '/administrator' and JPATH_ADMINISTRATOR are the same thing as it relates to Joomla file paths in the core code, but if I'm using the former structure in my code this means I am explicitly looking for something in an administrator directory that may not exist if you've renamed it.

I'm not trying to say the idea is bad by any means. But being familiar with the technical issues surrounding renaming any directory in Joomla core, my stance is that this is going to cause more hassle both in the core code and how extensions do things in Joomla than the convenience to end users is worth.
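
The difference between JPATH_ROOT . '/administrator' and JPATH_ADMINISTRATOR described in the post above can be checked mechanically in extension source. The following is an added example, not code from the thread or from Joomla: a small Python audit that flags PHP string literals hard-coding the administrator path. The function name audit_php, the two finding labels and the sample PHP are constructed for illustration.

```python
import re

# A PHP string literal that starts with an "administrator" path segment,
# e.g. '/administrator', '/administrator/components/x', 'administrator/index.php'.
ADMIN_LITERAL = re.compile(r"""['"]/?administrator(?:/[^'"]*)?['"]""")
# The literal is appended to the site root constant (JPATH_ROOT or JPATH_SITE).
ROOT_CONCAT = re.compile(r"JPATH_(?:ROOT|SITE)\s*\.\s*$")
COMMENT_PREFIXES = ("//", "#", "*", "/*")


def audit_php(source):
    """Return (line_number, kind, literal) for each hard-coded admin path.

    kind is "root-concat" for JPATH_ROOT . '/administrator...' and
    "bare-literal" for any other string starting with that segment
    (typically a URL). Whole-line comments are skipped; trailing comments
    and multi-line strings are not handled.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(COMMENT_PREFIXES):
            continue
        for match in ADMIN_LITERAL.finditer(line):
            before = line[:match.start()]
            kind = "root-concat" if ROOT_CONCAT.search(before) else "bare-literal"
            findings.append((lineno, kind, match.group(0)))
    return findings


# Constructed sample, not taken from any real extension.
SAMPLE = r"""<?php
// loads '/administrator' helper files
require_once JPATH_ROOT . '/administrator/components/com_example/helper.php';
require_once JPATH_ADMINISTRATOR . '/components/com_example/helper.php';
$url = JUri::root() . 'administrator/index.php?option=com_example';
$label = 'Site administrator contact';
"""

if __name__ == "__main__":
    for lineno, kind, literal in audit_php(SAMPLE):
        print(f"line {lineno}: {kind}: {literal}")
```

Lines that build the path from JPATH_ADMINISTRATOR produce no finding, which is the usage the post describes as safe if the directory name were ever configurable.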
