#39036 Admin area redirect

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 19 June 2023 03:57 CDT

Beachalog

Hi,

The main reason I have the pro version of Admin Tools is that I've heard I can use it to redirect the Admin area on Joomla 4? Can you please tell me where to find instructions for that?

Thanks.

nicholas
Akeeba Staff
Manager

That's a very generic description which could encompass a multitude of completely unrelated to each other features.

I will take a wild guess and assume you might be referring to the "Change administrator login directory to" feature, in Configure WAF, Basic Features. Please remember that this is an unsupported feature. Some third party Joomla! extensions and some web browser extensions may screw up the specially crafted session and cookies which make this feature work.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Beachalog

Hi,

Yes. I was told that your component allows users to redirect the www.yoursite.com/administrator URL, similar to what is done by the AdminExile plugin for Joomla 3.

That's what I want to do.

Is this what you are referring to in this response? If so, why is it risky? It was very simple with AdminExile, but there doesn't seem to be any equivalent for Joomla 4.

Thanks.

nicholas
Akeeba Staff
Manager

This is exactly what I am referring to, yes.

The risk is very, very small. There are some very rare cases where it does not work and the reasons are beyond our control. We kept telling the (very few) affected users what the reasons were and they kept blaming us for something we cannot control, so we decided to offer it as an unsupported feature. Use it, but we can't help with it if it doesn't work.

That said, "renaming" your administrator login page URL —because that's what it is— is not a very effective security measure. The folder is still there, its static content is still accessible (which allows fingerprinting your site and doesn't prevent any vulnerable .php files from being directly accessed), a lot of requests to /administrator will still require your server to load the entirety of Joomla (which can be leveraged for a Denial of Service attack). We recommend using Admin Tools' Administrator Password Protection instead. This is applied using a .htaccess file, i.e. it is your web server enforcing this, not some PHP code. It is, therefore, very efficient. It also prevents all other classes of attacks.

You can further set up the Administrator Secret URL Parameter to further help in keeping the admin login safe.

Finally, and most importantly, set up Joomla's Multi-factor Authentication (previously released by our company as a separate extension called Akeeba LoginGuard). If all your other defenses fail AND the attacker has your username and password, they will still be unable to log into your site without access to your device.

Remember, single lines of defense always fall. The French learned this the hard way with the Maginot line. Layer your defenses.

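The difference described in the reply above, between hiding the login page and having the web server guard the whole folder, can be checked on your own site with a short script. This is an added example, not part of the ticket and not Akeeba's code; the probe paths are hypothetical placeholders, the response tables are constructed so it runs offline, and it assumes web-server password protection answers unauthenticated requests with HTTP 401.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Hypothetical placeholder paths; supply real files from your own site.
SAMPLE_PATHS = ["administrator/index.php", "administrator/static/example.css"]

VERDICTS = {401: "http-auth required", 403: "blocked by server",
            404: "not found", 200: "served without auth"}

def fetch_status(url, timeout=10):
    """Status code of an unauthenticated GET (redirects are followed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "admin-area-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit_admin_area(base_url, paths, fetch=fetch_status):
    """Map each path to (status, verdict) for an unauthenticated request."""
    results = {}
    for path in paths:
        status = fetch(urljoin(base_url.rstrip("/") + "/", path))
        results[path] = (status, VERDICTS.get(status, "review manually"))
    return results

def fully_protected(results):
    """True only if every probed path demanded HTTP authentication."""
    return bool(results) and all(s == 401 for s, _ in results.values())

# Constructed responses standing in for two configurations.
RENAMED_LOGIN_ONLY = {SAMPLE_PATHS[0]: 404, SAMPLE_PATHS[1]: 200}
PASSWORD_PROTECTED = {SAMPLE_PATHS[0]: 401, SAMPLE_PATHS[1]: 401}

def fake_fetch(table):
    """Offline stand-in for fetch_status backed by a constructed table."""
    return lambda url: next(c for p, c in table.items() if url.endswith(p))

if __name__ == "__main__":
    for name, table in [("renamed login only", RENAMED_LOGIN_ONLY),
                        ("password protected", PASSWORD_PROTECTED)]:
        res = audit_admin_area("https://www.example.com", SAMPLE_PATHS,
                               fake_fetch(table))
        print(name, res, "fully protected:", fully_protected(res))
```

Drop the `fetch` argument to probe a live site with `fetch_status`; any path reported as "served without auth" is still reachable without credentials.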

Beachalog

Hi there,

Sorry for the long delay in getting back to you.

How does the Administrator secret URL parameter work? Do I just add a text string to the admin URL, and then use that when I want to access the admin login?

That's what Admin Exile does, so if that's how this works, that's pretty much what I want.

If so, do I need to put in the FULL URL, or just the part after the www.mysite.com/administrator part of it? Do I need to use a question mark or something before? I know I did with Admin Exile, but not sure why or if that's necessary here!

Thanks. Sorry - the documentation is not super clear on this.

nicholas
Akeeba Staff
Manager

Yes, that's what it does.

Let's say that you enter the secret URL parameter foobar and your site is installed at https://www.example.com.

Since you have added a secret URL parameter, you will have to access the URL https://www.example.com/administrator/index.php?foobar to access the administrator login page instead of just https://www.example.com/administrator.

