How to add captcha on administrator login form.

arun914
Joomla! Apprentice
Posts: 5
Joined: Mon Jun 19, 2017 5:34 am

How to add captcha on administrator login form.

Post by arun914 » Mon Jun 26, 2017 12:27 pm

Hi Everyone,

I want to add a captcha to the administrator login form for security purposes.

There is no option in Joomla to add a captcha there... can anybody help me?

gregsms
Joomla! Apprentice
Posts: 13
Joined: Thu Jun 01, 2017 2:41 pm

Re: How to add captcha on administrator login form.

Post by gregsms » Mon Jun 26, 2017 12:52 pm

There are extensions available that add that but why? If security is the concern why not simply enable two-factor authentication?

arun914
Joomla! Apprentice
Posts: 5
Joined: Mon Jun 19, 2017 5:34 am

Re: How to add captcha on administrator login form.

Post by arun914 » Mon Jun 26, 2017 1:06 pm

Thanks for your reply,

I have searched many plugins but they are only for the frontend view. I need a captcha on the backend admin login form: www.example.com/administrator

Actually, the client is asking to add a captcha for admin login.

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: How to add captcha on administrator login form.

Post by fcoulter » Mon Jun 26, 2017 4:37 pm

You can use JSecure: https://extensions.joomla.org/extension/jsecure/. This does this and quite a few other things.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

leolam
Joomla! Master
Posts: 20667
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America/

Re: How to add captcha on administrator login form.

Post by leolam » Mon Jun 26, 2017 5:05 pm

You can use the award-winning extension Admintools by Akeeba for this nicely: https://extensions.joomla.org/extension ... min-tools/

Not only helps you to protect your admin access but it offers you a lot more (read the docs)

Leo 8)
Joomla Professional Support Services
Over 35.000 support requests solved
Just contact us through the Joomla Support channels if you want help

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: How to add captcha on administrator login form.

Post by fcoulter » Mon Jun 26, 2017 9:36 pm

Actually Leo, I don't think admin tools does include this feature, either in the pro or free version.

There are a lot of features, so maybe I overlooked this. But it is not mentioned in the documentation either.

It does include the option to password protect the admin folder, which is useful, but not the same thing as adding a captcha. I mean it is arguable that this is at least as useful as what the client asked for, but still not what the client asked for. I am guessing that the OP wants to give them what they want. That's the annoying thing about clients, sometimes they have their own ideas. :)

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to add captcha on administrator login form.

Post by sozzled » Mon Jun 26, 2017 9:56 pm

fcoulter wrote: I am guessing that the OP wants to give them what they want. That's the annoying thing about clients, sometimes they have their own ideas.
I fully agree! Sometimes we have clients who think they know what's best. As software integrators we bash our heads against a brick wall and (sometimes) we take the line of least resistance and yield to our customers' demands only to find that, three days after the site's gone live, the added requirements have been removed (or the clients then realise that their ideas were impractical) and all our efforts have been wasted.

I have a simple rule when it comes to dealing with difficult customers. My rule is "sure you can have that feature but it will cost you an extra thousand dollars". That principle seems to work fairly well: put a price tag on implementing a non-standard feature, like a CAPTCHA on login, and see how the client reacts.

Let's all acknowledge that CAPTCHA is not foolproof; it doesn't prevent serious hackers from attacking a website. CAPTCHA may be effective against bots, but it's not effective against humans.

The first law of security is this: "The best way to keep something secret is to not tell people that you're keeping anything secret." Applying this principle is easy: if there's a reason to secure a website—in this particular case it's the Joomla administrator site—don't "advertise" the fact that the website is a Joomla website.

We all know how to access the backend in Joomla: add /administrator to the domain name, right? But what if you did that and all that happened was that the frontend was displayed instead? In other words, what if you "hid" the address of the Joomla backend and only those people who had legitimate access to it knew the "hidden" location?

Yeah, if you have a client who insists that they want to add CAPTCHA to login, and no amount of reasonable argument can dissuade them from that opinion, offer them two alternatives: (a) offer to continue the implementation of the site in a standard way (i.e. without CAPTCHA) and suggest that they pay for you to engage a professional to add the CAPTCHA feature (and make a little profit on the transaction), or (b) refer your customer to this forum discussion topic and let them realise that what they're asking for is not best-practice site security.
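
The hidden backend address described in the post above, as an added sketch that is not part of the thread and is not code from Joomla or from any extension named in it. `GATE_PARAM`, `GATE_SECRET`, `admin_gate_decision()` and the session key are hypothetical names, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not Joomla core or extension code.
const GATE_PARAM  = 'k';                              // query parameter carrying the secret
const GATE_SECRET = 'replace-with-long-random-value'; // placeholder, set per site

/**
 * Decide what to do with a request for the admin login page.
 * Returns 'allow' or 'redirect_frontend'.
 */
function admin_gate_decision(array $query, array &$session): string
{
    // A browser that already passed the gate keeps access for this session.
    if (!empty($session['admin_gate_ok'])) {
        return 'allow';
    }

    $supplied = $query[GATE_PARAM] ?? '';

    // ?k[]=x arrives as an array; anything that is not a string is a miss.
    // hash_equals() compares in constant time, so response timing does not
    // reveal how much of a guessed secret was correct.
    if (is_string($supplied) && hash_equals(GATE_SECRET, $supplied)) {
        $session['admin_gate_ok'] = true;
        return 'allow';
    }

    // Same outcome as for any unknown visitor: the frontend is shown, with
    // no error page and no hint that a login form exists at this path.
    return 'redirect_frontend';
}

// Constructed sample requests, evaluated in order against one session.
$session = [];
$cases = [
    'no key'      => [],
    'wrong key'   => ['k' => 'guess'],
    'array value' => ['k' => ['x']],
    'right key'   => ['k' => GATE_SECRET],
    'after pass'  => [],
];
foreach ($cases as $label => $query) {
    printf("%-12s %s\n", $label, admin_gate_decision($query, $session));
}
```

The gate only hides the form; the login behind it still needs its own protection, such as the two-factor authentication suggested earlier in the thread.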

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: How to add captcha on administrator login form.

Post by fcoulter » Mon Jun 26, 2017 10:30 pm

sozzled wrote: I have a simple rule when it comes to dealing with difficult customers. My rule is "sure you can have that feature but it will cost you an extra thousand dollars". That principle seems to work fairly well: put a price tag on implementing a non-standard feature, like a CAPTCHA on login, and see how the client reacts.
Yes but as I mentioned above, JSecure will do exactly this, for the price of a pot of tea and cake (in a fairly fancy tea shop), so charging a thousand dollars seems a bit unreasonable.

I don't think that the client's requirements are silly in this case, they just want what they want, and there is an extension available which will do it for them.

I think your point would be correct if they were asking for something really daft, but they aren't (in my view).

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to add captcha on administrator login form.

Post by sozzled » Mon Jun 26, 2017 11:23 pm

JSecure looks as if it does this—the ability to add a CAPTCHA to the administrator login form—yes, and at a modest price, too.

The point I was [awkwardly] trying to make is that, when a person asks for something that's not standard and is not considered "best practice" among the professionals who implement websites for paying customers, it's probably worth attempting to disincentivise them by putting a price tag on their requests. Remembering, too, that people will ask for "everything" and, in the cool light of day, they'll regret their decisions and ask for the added bits to be removed because those added things make life more difficult. Sometimes it's worth taking a gamble that, by putting a seemingly-high price tag on doing something, the client may still insist. So be it; money talks, doesn't it?

The main point—from a security perspective—is that CAPTCHA is ineffective (regardless of whether it costs money to implement it).

By default, CAPTCHA is not part of the login system for administering Joomla websites; there's a good reason for that: people (generally-speaking) don't want it!
arun914 wrote: There is no option in joomla to add captcha there ... can anybody help me.
That's right, there's no built-in option to add CAPTCHA to the administrator's login. The question was asked and various suggestions have been offered. It's no longer a "panel discussion" as to whether this feature is feasible; it's feasible and that's all that we can say. Whether it's desirable or beneficial, that's something for the end user to decide; whether or not it's free ... well ...

"Hey, I love your BMW: any chance that you could add pad-bolts to all the doors in addition to the existing security system?"

arun914
Joomla! Apprentice
Posts: 5
Joined: Mon Jun 19, 2017 5:34 am

Re: How to add captcha on administrator login form.

Post by arun914 » Tue Jun 27, 2017 4:49 am

The website is in a third-party security audit; they don't understand that it is in Joomla CMS.

They need a captcha on the admin form, and the captcha should not be from a third party like Google.

Only then will they give the security certificate.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to add captcha on administrator login form.

Post by sozzled » Tue Jun 27, 2017 4:52 am

Use JSecure. Apparently this will give your customer what they've requested.

dwmolyneux
Joomla! Apprentice
Posts: 16
Joined: Sat Jul 15, 2017 8:23 am

Re: How to add captcha on administrator login form.

Post by dwmolyneux » Sat Jul 15, 2017 9:10 am

sozzled wrote: The first law of security is this: "The best way to keep something secret is to not tell people that you're keeping anything secret." Applying this principle is easy: if there's a reason to secure a website—in this particular case it's the Joomla administrator site—don't "advertise" the fact that the website is a Joomla website.

We all know how to access the backend in Joomla: add /administrator to the domain name, right? But what if you did that and all that happened was that the frontend was displayed instead? In other words, what if you "hid" the address of the Joomla backend and only those people who had legitimate access to it knew the "hidden" location?
Hi. I was actually looking for a solution or how-to regarding something else when I saw the OP's post and I read on. I agree with what sozzled said. I have always felt that should be able to be done with hiding that admin location but I have actually not been sure where or how I would need to go to do this and not take down the rest of the site in doing so.

I have used Joomla before on several occasions but I'm still learning it and several version updates have happened since I last used it.

I do have questions about some things that I'm trying to do but as this is not the place to post, I'll be posting them in their own thread/topic.

JAVesey
Joomla! Hero
Posts: 2802
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: How to add captcha on administrator login form.

Post by JAVesey » Sat Jul 15, 2017 11:13 am

dwmolyneux wrote: [...] I saw the OP's post and I read on. I agree with what sozzled said. I have always felt that should be able to be done with hiding that admin location but I have actually not been sure where or how I would need to go to do this and not take down the rest of the site in doing so.
Check out the AdminExile plugin.

Does exactly this (and lots of other stuff too). Look no further.
John V
Cardiff, Wales, UK
Joomla 5.3.0 "live" site on PHP 8.3.16 and MariaDB 10.11.10 (with b/c plugin enabled)
Joomla 5.3.0 on MAMP Pro 7.2.3 with PHP 8.3.14 and MySQL 8.0.40 (with b/c plugin enabled)
