It's true, they don't sleep. Actually, they do sleep, they just let scripts run 24/7. The good thing is that most of these attacks fall downright in the pathetic range. You'd laugh at how many attacks targeting Mambo, WordPress, Joomla! 1.0 and Joomla! component versions from 4 years ago I see every month. Or how many stupid attempts to brute force my administrator password using the username "admin" (which I of course don't use!) and some of the most common passwords. I usually have a lot of fun reading my site's logs. Sometimes I am mildly worried; that's when I recalibrate a feature in Admin Tools or add something new. Good thing, this hasn't happened in a while. Of course, I have to admit that if a site is targeted by a real hacker, with a strong incentive to deface your site, he will eventually be able to. But unless you are Sony, CIA, NSA, NASA or another high profile, high value target I guess that the possibility of this happening is equal to the possibility of being thrown out of a Vogon ship in outer space only to find yourself transformed into a sofa in the starship of the Galactic President (sorry for the Hitchhiker's Guide To The Galaxy reference, I couldn't resist!). You are right about one thing: the fewer extensions you have, the better it is for security. If nothing more, the fewer extensions you have to update, the more likely you are to update everything in time to prevent a vulnerability.
Regarding spammers, the best thing you can do is to apply for a Project Honeypot API key and enable the HTTP:BL feature in Admin Tools. It's not watertight. It will only block known spammer and hacker IPs. But it will decrease the number of phoney subscriptions by a fair percentage. The best way to avoid phoney subscriptions is to have email confirmation of newsletter subscriptions and a CAPTCHA on the registration page. The vast majority of spamming scripts can't solve CAPTCHAs (even though there are rather cheap solutions to that) and certainly don't visit links in emails. So, even if the spammers do submit an email address, it won't be activated and won't count towards your MailChimp list limits.
Now, as to what works best to gather subscribers, I can't answer that. I've found that newsletters tend to become very tiring for the recipient. At some point I had subscribed to dozens of newsletters. I ended up with an overloaded inbox I had to sift through every day. I began removing all my newsletter subscriptions and stuck to the good old RSS feeds. That worked the best for me. I also used to have a newsletter (about once every 3 weeks) on this site. At some point I realised that only 10% of the recipients opened the newsletter, another 1% reported it as spam (it was an opt-in newsletter!) and the effect on the conversion rate was zero. Word of mouth had a much greater impact on my conversion rate. So, if you ask me, my anecdotal, non-scientific evidence is that newsletters are annoying and waste resources. Invest your time in creating a better product, get a critical mass of happy customers and then they will come (more clients to your site). Always take my empirical advice with a pinch of salt; I know what works for my site; your site may be completely the opposite :)
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
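
The HTTP:BL check recommended in the reply above is a DNS lookup against Project Honeypot, and the sketch below shows how such a lookup is formed and how its answer is read. It is an added example, not part of the original post and not Admin Tools' code; the access key, IP addresses, DNS answers and blocking thresholds are constructed or hypothetical, and no network query is made.

```python
import ipaddress
from typing import NamedTuple, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Bit flags carried in the last octet of an http:BL answer.
TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


class Verdict(NamedTuple):
    days_since_seen: int   # second octet: days since last observed activity
    threat_score: int      # third octet: 0-255 threat score
    kinds: tuple           # decoded visitor types


def build_query(access_key: str, visitor_ip: str) -> str:
    """Return the DNS name to resolve: <key>.<reversed IPv4>.dnsbl.httpbl.org"""
    ip = ipaddress.ip_address(visitor_ip)
    if ip.version != 4:
        raise ValueError("http:BL only covers IPv4 addresses")
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_answer(answer: Optional[str]) -> Optional[Verdict]:
    """Decode the A record returned for a query; None means NXDOMAIN (not listed)."""
    if answer is None:
        return None
    octets = [int(part) for part in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not a valid http:BL answer: {answer!r}")
    _, days, threat, kind = octets
    if kind == 0:
        # Type 0 is a known search engine; the third octet is then an engine id.
        return Verdict(days, 0, ("search engine",))
    kinds = tuple(name for bit, name in TYPE_FLAGS.items() if kind & bit)
    return Verdict(days, threat, kinds)


def should_block(verdict: Optional[Verdict],
                 max_age_days: int = 30, min_threat: int = 25) -> bool:
    """Hypothetical policy: block recent, sufficiently threatening listings only."""
    if verdict is None or verdict.kinds == ("search engine",):
        return False
    return (verdict.days_since_seen <= max_age_days
            and verdict.threat_score >= min_threat)


if __name__ == "__main__":
    print(build_query("abcdefghijkl", "203.0.113.7"))      # constructed key and IP
    for sample in ("127.3.60.5", "127.200.60.4", "127.0.5.0", None):  # constructed
        v = decode_answer(sample)
        print(sample, v, "block" if should_block(v) else "allow")
```

An unlisted address simply fails to resolve, which is why the check only ever stops IPs that Project Honeypot already knows about, as the reply notes.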