Securing Your Joomla Administrator Folder From Attackers

Previously, I wrote about a way to help protect your Joomla administrator folder from hackers.  However, that method does not work in many cases.  Why?  Because some components, plugins, and modules need to load files from the administrator folder.

So, there is a better way to do it.  The absolute best thing to do is to password protect the Joomla administrator folder to help prevent attacks.  If this method is used in conjunction with the ConfigServer Firewall (CSF) instructions that I previously wrote about, there is a clear layer of security in front of your Joomla administrator portal.  CSF can be installed if you are using a hosting provider that uses cPanel – or if you want this protection built-in, contact BsnTech Networks so we can host your website and make it much more secure than other providers out there.

So, if you at least want to help protect your Joomla administrator folder more, you need to set up the folder as a password-protected directory – but also make it so that any other file within that folder can still be accessed by components, plugins, and modules.  The instructions below are for web servers running Apache.

  1. Use the HTPASSWD generator to set a username and password.
  2. Create a file in the administrator folder named “.htpasswd”.  Note the dot in front of the file name.  Now copy and paste the line of code from the HTPASSWD generator into the file and save it.
  3. Create a “.htaccess” file in your administrator folder.  Again, note the dot in front of the file name.
  4. In the .htaccess file, use these lines and then save the file.
# Note: <Directory> containers are only accepted in the main server configuration
# (httpd.conf or a VirtualHost file); Apache rejects them inside a .htaccess file
# with a 500 error.  Quotes must be straight ASCII quotes, not typographic ones.
<Directory "<FULL_PATH_TO_ADMINISTRATOR_DIRECTORY>">
     AuthName "Administration"
     AuthType Basic
     # Apache's default config refuses direct requests for .ht* files; confirm that
     # on your host if .htpasswd lives inside the web root as it does here.
     AuthUserFile <FULL_PATH_TO_HTPASSWD_FILE>
     Require valid-user
</Directory>

# Two levels down (e.g. administrator/components/com_xxx) no password is required.
<Directory "<FULL_PATH_TO_ADMINISTRATOR_DIRECTORY>/*/*">
     # Apache 2.2 syntax; on Apache 2.4 use "Require all granted" instead of these two lines.
     Satisfy any
     Allow from all
</Directory>

Let me go through these settings so they are easy to understand.  First, you need to know your full path on your web hosting provider and fill that in for “FULL_PATH_TO_ADMINISTRATOR_DIRECTORY”.  So as an example, if you log in to your web hosting account and see that your account is in the /customer/7828374/home/public_html folder – and you have Joomla installed right in your main directory – that “FULL_PATH_TO_ADMINISTRATOR_DIRECTORY” should look like this:

/customer/7828374/home/public_html/administrator

Next – AuthName “Administration”.  When the pop-up box comes up asking for a username and password, it will show “Administration” as the realm name in the pop-up box.

AuthType Basic – This indicates that it is HTTP Basic authentication handled by the Apache web server, which is what makes the browser show the pop-up box.

AuthUserFile <FULL_PATH_TO_HTPASSWD_FILE> – This points to the .htpasswd file that you previously created that has the username and password in it.  As an example, if Joomla is installed in the root hosting directory and your hosting directory is /customer/7828374/home/public_html, that <FULL_PATH_TO_HTPASSWD_FILE> should be set to:

/customer/7828374/home/public_html/administrator/.htpasswd

Require valid-user – Just that.  It means that a username and password from the .htpasswd file must be supplied exactly to access the page.

Now, there is a second directory in there – “FULL_PATH_TO_ADMINISTRATOR_DIRECTORY/*/*” with a “Satisfy any” clause.  This tells the server that anyone can access those sub-directories under the administrator folder and no password is required.  That is what allows components, plugins, and modules to access any files in there that may be needed.  Notice the “/*/*” in the directory – that is the wildcard path that ensures the exception only applies at least one sub-directory level down inside the Joomla administrator directory.  If that is left out, then the Joomla administrative login page will not be protected.

Do note that the above instructions will provide a second layer of security by protecting the Joomla administrator directory – but it still must be used in conjunction with a good username and password for the actual administrator login for Joomla.

Finally, let’s look at the complete .htaccess file (again, it should be placed in the administrator folder for Joomla) using the example /customer/7828374/home/public_html as the web hosting root folder:

# Note: <Directory> containers are only accepted in the main server configuration
# (httpd.conf or a VirtualHost file); Apache rejects them inside a .htaccess file
# with a 500 error.  Quotes must be straight ASCII quotes, not typographic ones.
<Directory "/customer/7828374/home/public_html/administrator">
     AuthName "Administration"
     AuthType Basic
     AuthUserFile /customer/7828374/home/public_html/administrator/.htpasswd
     Require valid-user
</Directory>

# Two levels down (e.g. administrator/components/com_xxx) no password is required.
<Directory "/customer/7828374/home/public_html/administrator/*/*">
     # Apache 2.2 syntax; on Apache 2.4 use "Require all granted" instead of these two lines.
     Satisfy any
     Allow from all
</Directory>
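A post-deployment check for the layout above, added here as an example and not part of the original post: the administrator login page must answer with a 401 Basic challenge for the "Administration" realm, while a file two directory levels down (the "/*/*" exception) must not be challenged. The site URL and the asset path are hypothetical; substitute a file your own components really request.

```python
"""Verify the Apache Basic-auth layout for a Joomla administrator folder."""
import urllib.error
import urllib.request

# Hypothetical site and paths (constructed for this example).
BASE_URL = "https://www.example.com"
LOGIN_PATH = "/administrator/index.php"
ASSET_PATH = "/administrator/components/com_example/example.css"
REALM = "Administration"


def fetch_status(url):
    """Return (status_code, WWW-Authenticate header or '') for an unauthenticated GET."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")


def evaluate(login, asset):
    """Judge the two observations, each a (status, www_authenticate) pair.

    Returns a list of problems; an empty list means the protection behaves as intended.
    A 404 for the asset only means the file is missing, not that it was challenged.
    """
    problems = []
    status, challenge = login
    if status != 401:
        problems.append("login page not password protected (got %d, expected 401)" % status)
    elif not challenge.lower().startswith("basic"):
        problems.append("login page challenge is not Basic: %r" % challenge)
    elif 'realm="%s"' % REALM not in challenge:
        problems.append("unexpected realm in challenge: %r" % challenge)
    if asset[0] == 401:
        problems.append("sub-directory asset is still challenged; check the '/*/*' block")
    return problems


def check_site(base_url=BASE_URL):
    """Probe the live site and return the list of problems found."""
    return evaluate(fetch_status(base_url + LOGIN_PATH), fetch_status(base_url + ASSET_PATH))


if __name__ == "__main__":
    for line in check_site() or ["OK: administrator protected, sub-directories open"]:
        print(line)
```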