#41558 Protection on files and protection on inlogscreen with secret URL parameter or IP Whitelist

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 05 February 2025 00:45 CST

hillen

Dear Akeeba,

I have a question about the Administrator secret URL parameter mechanism.

Is it correct that this mechanism only protects against not permitted login?

Is it necessary to otherwise protect the files in the administrator area? If yes, how?

Regards,


Ben Hillen


nicholas
Akeeba Staff
Manager

The Administrator URL Parameter only protects access to administrator/index.php URLs which does include the backend login page. It does not, and cannot, protect direct access of other .php, .js, .css, .ini, .xml, .json, or other files in the administrator directory. It's meant to offer a modicum of protection against brute force attacks, i.e. attackers trying various usernames and passwords hoping that they will get lucky and find out something that works on your site.

For best protection, we strongly recommend using the Administrator Directory Password Protection feature instead. This is only available when your host is using the Apache or LiteSpeed web server; it is not available on Microsoft IIS, or NginX. This feature is actually implemented by the web server. Admin Tools just writes a configuration file. It requires a username and password to access any file under the administrator directory. This prevents access to static files such as .js, .css, .ini, .xml, and .json files which can be used to enumerate the installed third party extensions on your site, as well as their versions and Joomla's own version. Moreover, it prevents access to arbitrary .php files, therefore eliminating the risks that come with this kind of access. It is a much more comprehensive protection.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
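As an added illustration of the mechanism Nicholas describes (this is not text from the ticket and not the file Admin Tools itself writes), here is what an Apache 2.4 Basic-auth administrator/.htaccess of that kind looks like; the realm name, the password-file path and the username are assumptions:

```apache
# Constructed example of administrator/.htaccess (Apache 2.4 / LiteSpeed syntax).
# Unlike the secret URL parameter, which only gates administrator/index.php,
# this applies to EVERY request under administrator/: index.php, other .php
# files, and static .js/.css/.ini/.xml/.json files alike.
AuthType Basic
AuthName "Joomla administrator (assumed realm name)"
# Keep the credentials file outside the web root so the server never serves it.
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Belt and braces: if the credentials file ever ends up inside the web root,
# refuse to serve it and its backup copies.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# The server must allow .htaccess authentication overrides for this to work,
# i.e. the vhost needs at least: AllowOverride AuthConfig
# Renaming this file (e.g. to .htaccess.off) lifts the protection, which is
# what Nicholas means by temporarily disabling it to reach a file directly.
```

The credentials file can be created with the standard Apache tool, e.g. `htpasswd -B -c /var/www/private/.htpasswd adminuser` (the `-B` flag selects bcrypt hashing; the username is an assumption).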

hillen

Dear Akeeba,

Thank you for your help.

I have two more questions:

When choosing the Administrator Directory Password Protection feature:

- do I need then also to use an Exclusive IP whitelist?

- if I want to adapt a file: do I need to log in per file or can the Administrator Directory Password Protection temporarily be disabled?

Regards,


Ben Hillen

nicholas
Akeeba Staff
Manager

do I need then also to use an Exclusive IP whitelist?

No. In fact, the whitelist is only meant to be used in very special cases where everyone managing the site is on a static IP address. In practice, this is only likely to happen with large web agencies which have an Internet connection with a (relatively expensive) static IP address.

if I want to adapt a file: do I need to log in per file or can the Administrator Directory Password Protection temporarily be disabled?

I am a bit unclear as to what “adapt” refers to here; I can interpret it in different and conflicting ways. If you mean that you need to access a specific static or .php file directly: you will have to temporarily rename administrator/.htaccess to lift the password protection before accessing that file.

If you give me a use case I can give you a better reply, tailored to your needs.

Nicholas K. Dionysopoulos

Lead Developer and Director


Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!