Ability to change /administrator folder name
After installing Joomla everyone have to enter into www.site.com/administrator
for more security reason if should be grate to have an option during the installation to change /administration name it will be one of the grate function fro joomla core.
Michael Richey commented
This has been implemented by several extensions, my AdminExile extension being one of the most popular methods.
Look in the Site Security section of the JED.
Ankit Agrawal commented
gr8 idea to avoid unwanted activities
My suggestion is to make the administrator folder as a variable, so that when installing joomla, the admin can easily configure his own admin folder name.
rather than making a random url why not use some kind of uuid for machine access. the uuid could then be used by all joomla enable site to block the users based on activity across multiple sites.
To everyone who is suggesting that .htaccess is the solution for this, I just want to point out that limiting access to certain ip's defeats one of Joomla's key objectives - to allow the site to be administered from from virtually anywhere with internet access.
With the increased shift to mobile technologies, telecommuting, travel, multi-administered community/non-profit sites, etc., I don't see how .htaccess is the end-all-be-all solution. Furthermore, I disagree with setting something on a client site (other than access rights through the User Manager) that requires myself, or a technical staff member of the organization, to add/edit/remove entries to keep access rights current.
As far as allowing for the administrator folder name to be determined by the site owner/system administrator... I agree that this is a good feature to have. I don't see it being a headache for developers that follow the proper mvc - users already have the ability to use a different db prefix on install, why couldn't it be done for the JPATH_ADMINISTRATOR and $base['path']?
I understand that this is somewhat "security through obscurity" but there are still people looking for the Lost Dutchman Gold Mine as well.
That feature is already present as of 1.6 using one's own "defines.php" in the site and admin root folders. It's not just de location of "configuration.php" than can be changed and relocated.
It's only "lousy" extensions that failusing hardcoded JPATH_SITE.'/administrator' to include php files from the back-end instead of leveraging the several path constants like JPATH_ADMINISTRATOR, JPATH_COMPONENT_SITE and JPATH_COMPONENT_ADMINISTRATOR, both available since J1.5.
That and not using the /media folder (also available since 1.5) in extensions to load browser ressources (css,js, images) shared between frontend and backend is what "breaks" bad written extensions.
The very same extensions also fail miserably in one aims to protect the default "/administrator" URL with an .htaccess file.
Create you own "defines.php" and you can have the site and backend run on different (sub-) domains provided they are on the same machine.
Web Design Hero commented
As andrew mentioned, you can restrict access by .htaccess placed in the administrator folder, this is the method I use on many of my client's sites:
ErrorDocument 403 http://www.your-ip-is-not-allowed-to-access-this-section.com
Deny from all
Allow from X.X.X.X
Where X.X.X.X if your public facing IP
Now, if Joomla could force a complete separation between the frontend and backend (meaning no built in or 3PD frontend code call code store in the backend of vice-a-versa) and you could put the administration on a separate server, that would be worthwhile. It give more flexibility and would limit the possibility that a bug or vulnerability in the front end could lead to exploitation of more dangerous codes in the backend.
Agreed. This should be implemented by end admins via htaccess rather than hardcoded. The impact would to be great to other extensions.
would be great
Juan Garay commented
This feature have been consider for the Joomla core developers no only for security reason, for perfomance for the web server when our site manage high traffic is better manage the front end and the back end in diferents Web servers.
It would cause a a bit of a headache for developers.
The administrator is not just a folder for the backend interface, it's half the site application. Thus all extensions which make use of any non-dynamic folder paths in the code, would need to change.
This would break untold numbers of extensions and users would NOT be happy, in fact they'd be infuriated.
Perhaps a better approach would be to setup a redirect-feature or other URL masking feature which would redirect any attempt at /administrator to a 404 page. This way the folder structure could remain intact, and the existing extensions would not break.
The site admin would be able to configure the desired back-end access URL for clients to use.
Having said this, none of those features will make a Joomla installation ANY safer. Real security is not about losing face by being unmasked as a "insert platform here" application. Real security is about practices and policies.
Absolutely. This can be done with a dirty htaccess and a second index file but I would prefer having the word administrator NOT HARDCODED so we can choose on install the folder name of the back-end
Durgadas Acharya commented
I agree too
This can easily be done with a .htaccess file. Just create a rewrite rule and block the original address. I think. Better yet, use the IP blocking as suggested by andrew.
Koba great idea. But woulden't it be better if the "administrator/backend" could be opened in the webhost enviroment, this way it's by default behind an https curtain. This also adds an extra step a potential hacker has to take, hacking your webhost first, before it could get to you.
This should be done long time ago. But it also should be possibility to change administrator folder if you already have installed earlier version of joomla. If you update for example j1.5 to j1.6 should be possible to change link do backend and much more for example change prefix for tables ;)
@Andrew what will you do if your client don't have static ip. How you make list of allowed ips if yours client ip change every time when he connect to internet :):):)
This won't improve security other than site identification obfuscation. It will only make the detection that it is a joomla site more difficult. If you just want to prevent access to the administrator folder, use .htaccess and apache acl's.
A Creative person would just use a .htaccess which would only allow certain ip's in, and presenting a regular "404 - Not Found" error to those not on the whitelist. Simple. Elegant. Does what most people need it to do.