#37977 Problem setting admin directory and URL

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version: 4.2.4
PHP version: 8.1.11
Admin Tools version: 7.1.11 Pro

Latest post by sarahhayes265 on Wednesday, 02 November 2022 20:57 CDT

sarahhayes265

Hi,

I'm fairly new to Admin Tools, having previously used RSFirewall.

I am trying to set up either the custom admin directory or custom admin URL. Neither seems to work for me. I know that you don't support the custom directory feature, but I'm just explaining what I've done, in case this has affected something else.

First I set a custom admin directory, logged out and when I tried to log in by going to https://mydomain.com/mycustomdirectory I was just sent back to the home page, as if I was going to https://igkt.net/administrator. I followed the instructions for renaming provider.php and got back in (then changed it back). I checked the custom directory name was exactly as I had been entering it and it was.

I removed the custom admin directory setting and tried the custom admin URL instead. https://mydomain.com/administrator/index.php?mycustomword

I can log in at https://mydomain.com/administrator/ from my broadband internet connection on my main Mac, using different browsers.

However, if I try to access https://mydomain.com/administrator/index.php?mycustomword from my mobile data connection or VPN (tried several locations, same browsers) I just get sent back to the site home page. I did get prompted for the admin directory username and password on my mobile connection (not on the VPN connection), which I entered correctly. With both /administrator or /administrator/index.php?mycustomword I am sent to the home page and after 3 attempts I am blocked.

I do have administrator directory username and password enabled. If this is enabled, does that mean you can't/shouldn't use the custom admin URL as well?

Name servers were only changed last night, so DNS is still propagating.

Thank you

Sarah

System Task
system
The ticket information has been edited by Sarah Hayes (sarahhayes265).

nicholas
Akeeba Staff
Manager

These are all three independently controlled settings.

If you use the custom administrator directory you cannot use the Administrator Secret URL Parameter. It's an either/or thing. Don't use the custom administrator directory feature, it's really not worth the hassle and not as secure as the alternative.

You can use the Administrator Secret URL Parameter and the Administrator Password Protection at the same time; they are not just different settings, they are implemented in different layers of your site's stack.

The Administrator Password Protection is implemented at the web server level, with a .htaccess file in the administrator directory. This is the safest and most efficient way to protect your backend login. It blocks all requests to the administrator directory unless the special username and password are provided in the request. This blocks bots and attackers long before PHP —let alone Joomla itself— loads. It takes nanoseconds to do the block versus the hundreds of milliseconds it takes for the Administrator Secret URL Parameter (implemented in PHP, as a Joomla plugin) to kick in, making it more than a million times(!) more efficient.

The Secret URL Parameter, as I mentioned above and in the documentation, is implemented in PHP code, as a Joomla plugin. The way it works is that as soon as you use the secret parameter in an administrator URL it sets a flag in your user session and a cookie in your browser. This is why further attempts to access /administrator from the same browser work without entering the secret URL parameter; either your session is still active or the cookie kicks in.

As for your mobile browsers, they have cached the redirection and don't visit the /administrator/index.php?whatever URL at all. This is a trick used by mobile browsers to make fewer requests to give you the impression of being faster than your mobile network really is. If you restart your phone it should work correctly again.

One more thing to note: www versus non-www and character encoding. Make sure to access your backend as https://igkt.net/administrator/index.php?your_secret_word_here without www. If your secret word contains characters other than a-z, A-Z, 0-9, dash and underscore it needs to be URL encoded; that's why we tell you not to do that. Support for non-URL encoded characters varies by browser and server.

FYI I am using both the administrator password protection and the secret URL parameter on my sites with mobile browsers (Safari in iOS/iPadOS and mobile Google Chrome on Android). It does work fine.

Finally, let me comment on this:

> Name servers were only changed last night, so DNS is still propagating.

Make sure DNS is fully propagated before doing any further tests. Remember that your mobile connection is using a different DNS resolver than your primary (wired) Internet connection. It is very possible that each connection sees a different IP address for your site. Wait 2–3 days for DNS to propagate and DNS caches to clear in your mobile devices before testing with them.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
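
The two layers described in the reply above can be told apart from the first HTTP response, and the secret word can be checked against the character set the reply lists. This is an added example, not part of the original ticket and not Admin Tools code. The function names, labels, host example.com and sample responses are assumptions constructed for illustration; treating a redirect out of /administrator as the plugin's answer follows the behaviour reported in the ticket.

```python
import re
from urllib.parse import quote, urlsplit

# Character set the reply says needs no URL encoding: a-z, A-Z, 0-9, dash, underscore.
SAFE_WORD = re.compile(r"[A-Za-z0-9_-]+")

def check_secret_word(word):
    """Return (needs_no_encoding, form_that_would_go_in_the_URL)."""
    return SAFE_WORD.fullmatch(word) is not None, quote(word, safe="")

def classify(status, headers, requested_url):
    """Name the layer that answered a request for the administrator URL."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        return "web-server"            # .htaccess password protection, PHP never ran
    if status in (301, 302, 303, 307, 308):
        target, req = urlsplit(h.get("location", "")), urlsplit(requested_url)
        if target.netloc and target.netloc != req.netloc:
            return "host-redirect"     # e.g. www vs non-www
        if not target.path.startswith("/administrator"):
            return "php-plugin"        # sent to the front page: secret word not accepted
        return "admin-redirect"
    return "login-page" if status == 200 else "other"

# Constructed sample responses (hypothetical host example.com), not captured traffic.
URL = "https://example.com/administrator/index.php?my-secret_1"
SAMPLES = [
    (401, {"WWW-Authenticate": 'Basic realm="Restricted"'}),
    (302, {"Location": "https://example.com/"}),
    (301, {"Location": "https://www.example.com/administrator/index.php"}),
    (200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for word in ("my-secret_1", "my word!"):
        print(word, check_secret_word(word))
    for status, headers in SAMPLES:
        print(status, classify(status, headers, URL))
```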

sarahhayes265

Thank you. I’ll give it another day or so and try again. 
