Protect your administrator back-end with a password


This feature uses .htaccess files which are only compatible with Apache, Litespeed and a very few other web servers. Some servers (such as NginX and IIS) are incompatible with .htaccess files. If we detect a known to be incompatible server type this feature will not be shown at all in Admin Tools' interface. It should be noted that even if you do see it in the interface it doesn't necessarily means that it will work on your server. This depends on your server's capabilities. If you are unsure or believe it doesn't work please consult your host.

The Password-protect Administrator tool of Admin Tools is designed to add an extra level of protection to your site's administrator back-end, asking for a username and password before accessing the administrator login page or any other file inside the administrator directory of your site. It does so by using Apache .htaccess and .htpasswd files, so it won't work on hosting which uses IIS or NginX.


Some prepackaged server bundles and some live hosts do not allow using .htaccess files to password-protect a directory. If it is a local server, edit your httpd.conf file and modify every AllowOverride line to read:

AllowOverride All

If you are on a live host, please consult your host about the possibility of them allowing you to use this feature on your site.

Password-protect Administrator


There are several password hashing schemes supported by different versions of Safari. It's possible that if you password protect your administrator directory on one server and then transfer your site on a different server you will receive a blank page or an Internal Server 500 error page when accessing your site's administrator backend. This is normal and expected. All you have to do is to remove the .htaccess and .htpasswd files from your administrator directory after restoring the site. Then you can re-apply the administrator protection from within Admin Tools.

To apply the password protection, enter a desired username and password and click on the Password-protect button. After a few seconds your browser will ask you to supply the username and password you just specified. This will also happen each and every time anybody tries to access the administrator back-end of your site. In other words, you have to share the username and password with all back-end users of your site.

If you wish to remove the password protection you can either remove both the .htaccess and .htpasswd files from your administrator directory, or click on the Remove Password Protection button.

There are two more options on this page you should be aware of.

Administrator resources to protect. In the past, the administrator password protection was an all-or-nothing feature. This is no longer the case. This option lets you choose which resources under the administrator directory will be protected with a password. “Joomla” only protects Joomla's index.php (the administrator application entry point). Everything else can be accessed freely, including .php files from third party applications. “All PHP files” protects all PHP files in the administrator folder and its subdirectories. “Everything” works the same as old versions of Admin Tools, disallowing access to any file in the administrator folder and its subdirectories, regardless of its extension.

We recommend using “Everything”. That's the default option and equivalent to how things worked in the past.

If you see the password prompt come up in the front-end of your site it means that an extension you are using is trying to load static media such as CSS and JavaScript from a folder located under your site's administrator folder. This is a bug in the extension which should be fixed. In the meantime, you can select the “All PHP files” option, thereby allowing access to the static media resources. This is a bit less secure, in the sense that it makes it easier for attackers to identify which version of Joomla and its extensions you are using by directly accessing their static media files and translation files. While not enough to compromise your site directly, it gives the attacker some insight into your site they could exploit for a future attack. We strongly recommend using our .htaccess Maker and its Backend Protection feature to mitigate this security concern.

In very rare cases, typically third party payment plugins for e-commerce applications, you may need to allow access to arbitrarily named .php files hosted in a directory under your site's administrator folder. This is NOT recommended; using Joomla's com_ajax is the best way for developers to do that. If, however, you do bump into this case you can select the “Joomla” option. This is the least secure option and you may also need to add an exception in the .htaccess Maker page if you are using that feature as well.

Reset custom error pages. This will resets Apache custom error pages for HTTP 401 and 403 to the most minimal built-in error page in Apache. This prevents a 404 Article Not Found error when trying to access the administrator login page after enabling the Administrator Password Protection feature. You are strongly advised to keep this option enabled unless it causes and HTTP 500 Internal Server Error problem.