How to restrict access to /administrator/index.php?

hackermade · Post by **hackermade** » Sun Jun 02, 2024 2:34 am

Greetings, i have successfully restricted access to the /administrator path but that restriction doesn't include the /administrator/index.php which is unrestrictable. Why this happened?

Thanks in advance!

Post by **toivo** » Sun Jun 02, 2024 3:47 am

How did you restrict the access to the administrator folder? If your host has given you cPanel, the simplest way is to go to Files - Directory Privacy and configure a username and password that only you and the web server know.

Post by **AMurray** » Sun Jun 02, 2024 5:33 am

if using htaccess / htpasswd, those files must be in the folder you're protecting i.e. /administrator folder.

In addition to what Toivo advised above, you can use an extension such as Akeeba Admin tools to protect the admin directory.

hackermade · Post by **hackermade** » Sun Jun 02, 2024 9:22 am

Hi, no i just added a location context (location /administrator { } ) in my nginx configuration and denied all the requests except those from my IP address.

hackermade · Post by **hackermade** » Sun Jun 02, 2024 12:52 pm

Actually now works great but when i add the username and the password in the /administrator page after that instead of send me in the dashboard throws a 403 forbidden page...btw I use the nginx access key to restrict access

tolkachyov_s · Post by **tolkachyov_s** » Tue Aug 13, 2024 7:43 am

This article can help you to hide access to /administrator/ without using 3rd party plugin:
Hiding URL to your Administrator Panel (Joomla)

Post by **AMurray** » Tue Aug 13, 2024 10:43 am

simpler just to use multi-factor authentication or Webauthn, which works by setting the device as trusted. Login won't work on any other device unless you set up the same authenticaiton method on each device. That works with things like Windows login (PIN, or its biometrics such as Windows Hello or fingerprint scan).

It's not a good idea to rename the /administrator folder. That could cause the site to break, permanently (or not without effort to restore it).

Post by **pe7er** » Tue Mar 18, 2025 6:41 pm

Efentof wrote: ↑Tue Mar 18, 2025 5:12 pmWordpress has a hide plugin that works very well: it allows admin to be accessible only via a custom, secret URL that all bots on the planet are not able to hit blindly. Any CMS should have something like this.

You can protect the /administrator/ back-end with a htaccess password.

And there are Joomla plugins available to protect it with a security token:
https://extensions.joomla.org/tags/access-security/
https://extensions.joomla.org/tags/back ... s-control/

JAVesey · Post by **JAVesey** » Tue Mar 18, 2025 6:58 pm

Efentof wrote: ↑Tue Mar 18, 2025 5:12 pm Any CMS should have something like this.

Agreed, and there are a number them around…

This is probably the best known and most well-used:
https://extensions.joomla.org/extension ... dminexile/

The Joomla! Forum™

How to restrict access to /administrator/index.php?

How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?

Re: How to restrict access to /administrator/index.php?