Protect your Joomla Administrator folder

If you have used Joomla before, you know how uncomfortable it is to have your administrator folder exposed to everybody.

I do. Anybody can simply open the mysite.com/administrator/ URL and try to guess the password for any user name, or for the ‘admin’ username.

So this was one of my main worries on my Joomla sites, and I decided to write some PHP code that takes care of it. If you don't want to install another plugin just for this, go ahead and try this code on your Joomla install.

Just insert the code into your Joomla administrator index file, at the end of the file, right before the line that reads "// Return the response" (Joomla 1.6+) or the "/** * RETURN THE RESPONSE */" comment block (Joomla 1.5 and earlier):

www.mysite.com/administrator/index.php

/* Block access to administrator
 --------------------------------------------- */
$user = JFactory::getUser();   // plain assignment: the "=&" reference is unnecessary and deprecated in newer PHP
$secretkey = 'mysecretkey';
$redirectto = 'Location: http://www.mysite.com';

// Only challenge visitors who are not logged in. A user who has already signed in
// to the back end has passed Joomla's own login and access checks, so comparing
// $user->usertype against a fixed string here would only lock them out again
// on every click.
if ($user->guest) {
  // Check that the secret key is present in the URL and matches exactly;
  // otherwise send the redirect and stop, so the administrator page is never output.
  if (!isset($_GET['access']) || $_GET['access'] !== $secretkey) {
    header($redirectto);
    exit;
  }
}
/* --------------------------------------------- */

Change ‘mysecretkey’ to whatever key you want to use for reaching your administration site, and change the redirectto value ‘www.mysite.com’ to whatever address you want the visitor sent to if they “illegally” enter your administrator folder. Keep in mind that the key travels in the URL, so it ends up in browser history and in proxy and web server logs; treat it as an extra hurdle in front of strong passwords, not as a replacement for them.

You should now visit your site at two URLs to test whether this is working correctly:

www.mysite.com/administrator/

www.mysite.com/administrator/?access=mysecretkey

The first link should redirect you to the site front page, and the second one should take you to the admin login page.
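As an added example that is not part of the original post, here is the same gate written as a standalone PHP function, so its decision logic can be checked from the command line without a Joomla install. The function name admin_gate_allows, its $isGuest parameter, the file name admin_gate.php and the sample key are assumptions of this example. It exempts a logged-in back-end user, requires the key only for anonymous requests, compares the key with hash_equals (constant time and strict, so PHP's loose != coercion never applies), rejects a malformed parameter such as ?access[]=x, and the commented wiring shows header() followed by exit. The built-in checks mirror the two test URLs above plus a wrong-key and a logged-in case.

```php
<?php
// Added example, not code from the original post: a standalone version of the
// administrator gate.  admin_gate_allows(), its $isGuest parameter and the
// sample key are assumptions of this example.  Needs PHP 7.1+ (array
// destructuring in foreach).

/**
 * Decide whether a request may reach the administrator application.
 *
 * @param bool   $isGuest   true when Joomla reports no logged-in user ($user->guest)
 * @param array  $query     the request's query parameters (normally $_GET)
 * @param string $secretKey the key that must be supplied as ?access=...
 * @return bool  true to let the request through, false to redirect it away
 */
function admin_gate_allows(bool $isGuest, array $query, string $secretKey): bool
{
    // A logged-in back-end session has already passed Joomla's own login and
    // access checks; only anonymous requests have to present the key.
    if (!$isGuest) {
        return true;
    }

    // Missing or non-string parameter (e.g. ?access[]=x) is a plain miss.
    if (!isset($query['access']) || !is_string($query['access'])) {
        return false;
    }

    // hash_equals() compares in constant time and does a strict string
    // comparison, so PHP's loose "==" / "!=" coercion cannot be triggered.
    return hash_equals($secretKey, $query['access']);
}

// Wiring inside administrator/index.php, just before "Return the response".
// Kept as a comment so this file also runs outside Joomla:
//
//   $user = JFactory::getUser();
//   if (!admin_gate_allows((bool) $user->guest, $_GET, 'mysecretkey')) {
//       header('Location: http://www.mysite.com/', true, 302);
//       exit; // stop here so the administrator page is never output
//   }

// Self-check when run from the command line: php admin_gate.php
if (PHP_SAPI === 'cli') {
    $key = 'mysecretkey';
    $cases = [
        // [isGuest, query, expected]  -- constructed cases mirroring the post's two test URLs
        [true,  [],                    false], // /administrator/            -> redirect
        [true,  ['access' => $key],    true],  // /administrator/?access=key -> login page
        [true,  ['access' => 'guess'], false], // wrong key                  -> redirect
        [true,  ['access' => ['x']],   false], // malformed parameter        -> redirect
        [false, [],                    true],  // logged in: no key needed on later clicks
    ];
    foreach ($cases as $i => [$isGuest, $query, $expected]) {
        if (admin_gate_allows($isGuest, $query, $key) !== $expected) {
            fwrite(STDERR, "case $i failed\n");
            exit(1);
        }
    }
    echo "all gate checks passed\n";
}
```

Because the gate runs after Joomla has built the page but before the response is sent, the header()/exit pair matters: without exit the Location header is set but the full administrator HTML still goes out in the same response, so any client that ignores redirects (a script, or a browser with JavaScript and redirects disabled) sees it anyway.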

4 Comments

  1. theo says:

    I have made the changes, but it lets me go to the administrator page.
    Please check it out and let me know.

  2. Alexandru Daniel says:

    Hi,

    I have tested your solution with Joomla 2.5 and it almost works. For me, this is what happens:

    When adding your code, indeed, accessing the /administrator folder is no longer possible, as a redirect takes place if the “access” part is not added to the URL.

    If I use it as /administrator/?access=key, it works: I get to the Joomla login page. I log in, I get to the back end and all is fine. However, as soon as I click ANYTHING in that back end (be it Menus, Components, or whatever) it simply redirects me to the homepage.

    Any ideas? Thank you!

    1. ZAJDAN says:

      Yes... it does the same on my site.

  3. ricko says:

    I tried the instructions above, but in the administration control panel I can’t access anything. It always goes back to the address in the redirectto variable, whatever address that is. Need your help... thanks.
