What features would you like to see in future versions of Joomla?

Ability to change /administrator folder name

After installing Joomla, everyone has to enter through www.site.com/administrator

For better security, it would be great to have an option during installation to change the /administration name. It would be one of the great functions for the Joomla core.

912 votes
koba kurdadze shared this idea


      • Michael Richey commented

        This has been implemented by several extensions, my AdminExile extension being one of the most popular methods.

        Look in the Site Security section of the JED.

      • Anonymous commented

        My suggestion is to make the administrator folder a variable, so that when installing Joomla, the admin can easily configure his own admin folder name.


      • Guest commented

        Rather than making a random URL, why not use some kind of UUID for machine access? The UUID could then be used by all Joomla-enabled sites to block users based on activity across multiple sites.

      • Ironclad360 commented

        To everyone who is suggesting that .htaccess is the solution for this, I just want to point out that limiting access to certain IPs defeats one of Joomla's key objectives - to allow the site to be administered from virtually anywhere with internet access.
        With the increased shift to mobile technologies, telecommuting, travel, multi-administered community/non-profit sites, etc., I don't see how .htaccess is the end-all-be-all solution. Furthermore, I disagree with setting something on a client site (other than access rights through the User Manager) that requires myself, or a technical staff member of the organization, to add/edit/remove entries to keep access rights current.
        As far as allowing for the administrator folder name to be determined by the site owner/system administrator... I agree that this is a good feature to have. I don't see it being a headache for developers that follow the proper MVC - users already have the ability to use a different db prefix on install, why couldn't it be done for the JPATH_ADMINISTRATOR and $base['path']?
        I understand that this is somewhat "security through obscurity" but there are still people looking for the Lost Dutchman Gold Mine as well.

      • CirTap commented

        That feature is already present as of 1.6 using one's own "defines.php" in the site and admin root folders. It's not just the location of "configuration.php" that can be changed and relocated.
        It's only "lousy" extensions that fail, using hardcoded JPATH_SITE.'/administrator' to include PHP files from the back-end instead of leveraging the several path constants like JPATH_ADMINISTRATOR, JPATH_COMPONENT_SITE and JPATH_COMPONENT_ADMINISTRATOR, both available since J1.5.
        That and not using the /media folder (also available since 1.5) in extensions to load browser resources (CSS, JS, images) shared between frontend and backend is what "breaks" badly written extensions.
        The very same extensions also fail miserably if one aims to protect the default "/administrator" URL with an .htaccess file.
        Create your own "defines.php" and you can have the site and backend run on different (sub-) domains provided they are on the same machine.
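
Added example (not part of the comment above and not Joomla project code): a small Python audit that flags the hardcoded JPATH_SITE.'/administrator' pattern this comment describes, so an extension can be checked before the back end is relocated or placed behind .htaccess. The rule names, the functions scan_source and scan_tree, and the sample PHP lines are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Rules are tried in order; only the first hit on a line is reported.
RULES = [
    ("JPATH_SITE concat", re.compile(r"""JPATH_SITE\s*\.\s*['"]/?administrator\b""")),
    ("literal path", re.compile(r"""['"](?:[^'"\n]*/)?administrator/""")),
]
COMMENT_PREFIXES = ("//", "#", "*", "/*")

# Constructed sample, not taken from any real extension.
SAMPLE = r"""<?php
require_once JPATH_SITE . '/administrator/components/com_demo/helper.php';
require_once JPATH_ADMINISTRATOR . '/components/com_demo/helper.php';
$link = 'administrator/index.php?option=com_demo';
// JPATH_SITE.'/administrator' mentioned in a comment is skipped
$css = 'media/com_demo/css/demo.css';
"""

def scan_source(text):
    """Return [(line_number, rule_name, stripped_line)] for hardcoded back-end paths."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(COMMENT_PREFIXES):
            continue  # whole-line comments are not executed code
        for name, pattern in RULES:
            if pattern.search(stripped):
                findings.append((number, name, stripped))
                break
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_tree(target) if target else {"<sample>": scan_source(SAMPLE)}
    for name, hits in report.items():
        for number, rule, line in hits:
            print(f"{name}:{number}: [{rule}] {line}")
```

Run it with an extension directory as the only argument; with no argument it scans the embedded sample. Lines that use JPATH_ADMINISTRATOR or the /media folder are not reported.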

      • Web Design Hero commented

        As Andrew mentioned, you can restrict access by .htaccess placed in the administrator folder. This is the method I use on many of my clients' sites:

        ErrorDocument 403 http://www.your-ip-is-not-allowed-to-access-this-section.com
        Order deny,allow
        Deny from all
        Allow from X.X.X.X

        Where X.X.X.X is your public facing IP

        Now, if Joomla could force a complete separation between the frontend and backend (meaning no built-in or 3PD frontend code calling code stored in the backend or vice versa) and you could put the administration on a separate server, that would be worthwhile. It gives more flexibility and would limit the possibility that a bug or vulnerability in the front end could lead to exploitation of more dangerous code in the backend.

      • Martin commented

        Agreed. This should be implemented by end admins via htaccess rather than hardcoded. The impact would be too great for other extensions.

      • Juan Garay commented

        This feature has been considered for the Joomla core developers, not only for security reasons but also for web server performance: when our site handles high traffic, it is better to manage the front end and the back end on different web servers.

      • Node-0 commented

        It would cause a bit of a headache for developers.
        The administrator is not just a folder for the backend interface, it's half the site application. Thus all extensions which make use of any non-dynamic folder paths in the code, would need to change.

        This would break untold numbers of extensions and users would NOT be happy, in fact they'd be infuriated.

        Perhaps a better approach would be to set up a redirect feature or other URL masking feature which would redirect any attempt at /administrator to a 404 page. This way the folder structure could remain intact, and the existing extensions would not break.

        The site admin would be able to configure the desired back-end access URL for clients to use.

        Having said this, none of those features will make a Joomla installation ANY safer. Real security is not about losing face by being unmasked as an "insert platform here" application. Real security is about practices and policies.

      • Kostas commented

        Absolutely. This can be done with a dirty htaccess and a second index file, but I would prefer having the word administrator NOT HARDCODED so we can choose on install the folder name of the back-end.

      • zonedabone commented

        This can easily be done with a .htaccess file. Just create a rewrite rule and block the original address. I think. Better yet, use the IP blocking as suggested by Andrew.

      • tugelano commented

        Koba, great idea. But wouldn't it be better if the "administrator/backend" could be opened in the webhost environment? This way it's by default behind an https curtain. This also adds an extra step a potential hacker has to take, hacking your webhost first, before they could get to you.

      • DaReign commented

        This should have been done a long time ago. But it should also be possible to change the administrator folder if you have already installed an earlier version of Joomla. If you update, for example, J1.5 to J1.6, it should be possible to change the link to the backend and much more, for example change the prefix for tables ;)

      • DaReign commented

        @Andrew, what will you do if your client doesn't have a static IP? How do you make a list of allowed IPs if your client's IP changes every time he connects to the internet :):):)

      • Andrew commented

        This won't improve security other than site identification obfuscation. It will only make the detection that it is a Joomla site more difficult. If you just want to prevent access to the administrator folder, use .htaccess and Apache ACLs.

        A creative person would just use a .htaccess which would only allow certain IPs in, and present a regular "404 - Not Found" error to those not on the whitelist. Simple. Elegant. Does what most people need it to do.
