The Joomla! Forum ™



PostPosted: Sun Sep 23, 2012 7:50 pm
Joomla! Intern

Joined: Fri Mar 02, 2012 3:28 pm
Posts: 82
I know there are lots of extensions to add another layer of protection to administrator page, for example, the free one ksecure can protect your site's administrator page by asking user another password either through a prompted window, or simply adding the password in the link itself (http://yoursite/administrator?yourpassword).

First of all, I don't think it is wise to tail the password in clear text in the link, so I thought maybe the only option is to choose using the prompted window to type in username/password to get into the administrator page (and from there you type in the admin credential to enter the admin site)

But, surprisingly I found, even after I enabled the ksecure plugin, the administrator folder is still accessible by anyone, for example, without doing anything, I can access /administrator/help/helpsites.xml file, and /administrator/components/com_admin/admin.xml

I also read reviews for some other extensions and many are the same. I didn't check those commercial ones though.

I am not a Joomla expert, nor a security expert, but this is making me worry whether any information under the administrator folder could be exploited by malicious visitors.

Is there any non-commercial extension/plugin that prevents users from visiting any files in the administrator folder?

Thanks.


PostPosted: Mon Sep 24, 2012 2:30 am
Joomla! Apprentice

Joined: Sat Sep 03, 2011 2:29 am
Posts: 37
How about Akeeba Admin Tools or Admin Exile?


PostPosted: Mon Sep 24, 2012 5:02 am
Joomla! Enthusiast

Joined: Sat Apr 14, 2012 6:13 am
Posts: 110
Location: london
Hi there, you can choose an extension from here.

http://extensions.joomla.org/extensions ... protection

_________________
Regards
Ralph Mark
http://www.testchief.com/


PostPosted: Mon Sep 24, 2012 3:43 pm
Joomla! Intern

Joined: Fri Mar 02, 2012 3:28 pm
Posts: 82
Thanks for all replies.

I will check some of them later on; actually, I already did some and I mentioned that in my OP.


PostPosted: Mon Sep 24, 2012 4:50 pm
Joomla! Hero

Joined: Sat Feb 09, 2008 8:27 am
Posts: 2132
Location: California, USA
You also have the option of using the htaccess method which would result in not relying on an extension at all.

http://docs.joomla.org/Security_and_Per ... taccess.3F

You will also find lots of other information using the htaccess method by doing a search in Google, etc.

Mark


PostPosted: Mon Sep 24, 2012 5:32 pm
Joomla! Enthusiast

Joined: Fri Jan 27, 2012 9:16 am
Posts: 105
Go to cPanel:
[5 screenshots]

_________________
Majid-Mit
my knowledge is know to not know
http://freeclup.com/index.php/en/


PostPosted: Mon Sep 24, 2012 5:57 pm
Joomla! Intern

Joined: Fri Mar 02, 2012 3:28 pm
Posts: 82
Thank you guys, I believe cPanel is the easiest way to do this, but if no cPanel, which method can protect the folder (including all the sub folders and files)?


PostPosted: Tue Sep 25, 2012 2:25 pm
Joomla! Enthusiast

Joined: Fri Jan 27, 2012 9:16 am
Posts: 105
Hi,
you can create a backdoor trap

_________________
Majid-Mit
my knowledge is know to not know
http://freeclup.com/index.php/en/


PostPosted: Tue Sep 25, 2012 3:15 pm
Joomla! Intern

Joined: Fri Mar 02, 2012 3:28 pm
Posts: 82
freeclup wrote:
Hi,
you can create a backdoor trap


Can you elaborate? Thanks.


PostPosted: Thu Sep 27, 2012 6:33 am
Joomla! Apprentice

Joined: Wed Sep 26, 2012 6:04 am
Posts: 10
Hi! To secure the Administrator folder you can do this step:
After installing Joomla, everyone has to enter through www.site.com/administrator

For more security, it would be great to have an option during the installation to change the /administration name; it would be one of the great functions for Joomla core.


PostPosted: Fri Oct 05, 2012 5:54 am
Joomla! Apprentice

Joined: Wed Jun 20, 2012 5:47 am
Posts: 45
Location: Goshen, Utah, USA
mdivk wrote:
Thank you guys, I believe cPanel is the easiest way to do this, but if no cPanel, which method can protect the folder (including all the sub folders and files)?


The password method is a bit cumbersome as you have to enter a double password to get into the Admin Directory. The password method works great if you have multiple people that need access to the Admin directory or back-end login.

However, if you only have a few people that need access to the admin login then you can do a very simple and easy method of blocking everyone out except for you and a few selected other people.

Using a .htaccess and a deny all command:
Code:
AuthUserFile /dev/null
order deny,allow
deny from all
# whitelist home IP address
allow from ###.###.###.###
allow from ###.###.###.
# Church IP
allow from ###.###.###.###
# whitelist Work IP Address
allow from ###.###.###.###


The '#' at the front of a line simply marks a comment, whereas the ###.###... represents numbers that you would put in place of the # signs.

To find your IP address go to:
https://www.google.com/search?q=what+is+my+ip&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official

Or do a Google search for "What is my ip". This will give you the IP address you can add to the allow access lines in the .htaccess file.

Using this method lets you setup a deny all and then only allow access by a specific IP address or addresses.

You would replace the ###.###.###.### with your IP address or other IP addresses you wish to allow access. If you only specify the first 3 sets of numbers then you open up a range of IP addresses: for example, 192.161.100. opens up 192.161.100.1 - 192.161.100.255

This would allow you to limit the IP addresses that can access your admin directory and effectively wipe out all of Russia, China or other countries trying to access your admin directory.

Be careful where you put this .htaccess file
.htaccess file settings flow downwards, which means that IF you set the .htaccess file in the root level of the administration directory (which is where you want this file) THEN all folders under the administrator folder are also protected by this same method.

The .htaccess only blocks HTTP or HTTPS access; it does not block FTP access, cPanel's File Manager, Unlimited FTP access or Shell SSH access.

_________________
============
John Boone
http://www.boonewebmaster.com - Web Design - Joomla 3.x
http://www.genealogyarticles.com - Articles about Genealogy - Joomla 2.5.x
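
Added example, not part of the post above and not Apache's own code: the Python script below applies the `order deny,allow` rules from that .htaccess to sample client addresses and counts how many IPv4 addresses the `allow from` lines admit, including the three-octet prefix form. The function names are hypothetical, the addresses are constructed documentation values standing in for the ###.###.###.### placeholders, and only IPv4 specs and this one ordering are modelled.

```python
import ipaddress

# Constructed sample: the post's rules, RFC 5737 documentation addresses for ###.
HTACCESS = """\
AuthUserFile /dev/null
order deny,allow
deny from all
# whitelist home IP address
allow from 203.0.113.7
allow from 198.51.100.
"""

def to_network(spec):
    """Map 'all', a full IPv4 address or a 1-3 octet prefix to a network."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported host spec: {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def parse(text):
    """Collect the networks named by 'allow from' and 'deny from' lines."""
    rules = {"allow": [], "deny": []}
    for line in text.splitlines():
        words = line.split()
        key = words[0].lower() if words else ""  # comment lines never match a key
        if key == "order" and [w.lower() for w in words[1:]] != ["deny,allow"]:
            raise ValueError("only 'order deny,allow' is modelled here")
        if key in rules and len(words) >= 3 and words[1].lower() == "from":
            rules[key] += [to_network(w) for w in words[2:]]
    return rules

def is_allowed(rules, client):
    """order deny,allow: an allow match wins, otherwise a deny match blocks."""
    ip = ipaddress.IPv4Address(client)  # IPv4 only, like the rules above
    if any(ip in net for net in rules["allow"]):
        return True
    return not any(ip in net for net in rules["deny"])

def admitted_addresses(rules):
    """Total number of IPv4 addresses the allow lines let through."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(rules["allow"]))

if __name__ == "__main__":
    rules = parse(HTACCESS)
    for client in ("203.0.113.7", "198.51.100.200", "192.0.2.10"):
        print(client, "allowed" if is_allowed(rules, client) else "denied")
    print("addresses admitted:", admitted_addresses(rules))
```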

