Protecting login into Joomla! administration area

It is very easy to identify a site built with Joomla!. Once you know that the site is built with Joomla!, you also know where is the administration area. Hackers may try to login to Joomla! administration area by typing its URL, such as Once the URL of administration area is known, the hackers only need to crack the administrative username and password.   You may think about hardening security of your site adding some extra checks in this login system. In this recipe I am going to show you how you can add another security layer to Joomla! administration area.

Getting ready
A third-party extenion jSecure Authentication allows you to  add extra security layer to Joomla! administration area. You can download the plugin from The site requires free registration for downloading the file. Once downloaded the file, install it from Extensions | Install/Uninstall screen in Joomla! administration panel.

How to do it…
Once installed the plugin, follow the steps below:
1.    From Joomla! administration panel, click Extensions | Plugin Manager. That shows Plugin Manager screen listing all installed plugins. From the list, click on System – jSecure Authentication link. That shows Plugin:[Edit] screen for the plugin.

2.    Select Yes in Enabled field.
3.    In Plugin Parameters section, type a secret key in Key field.
4.    Check Redirect to index page in Redirect Options field.
5.    Click Save button in the toolbar.
6.    Now preview the site by clicking on Preview button. Type admin panel’s URL in the address bar. You will be redirected to home page of the site.
7.    For accessing the administration panel, add the secret key at the end of the URL. For example,
8.    Now you will be able to see the login box for administration area.

How it works…
The jSecure Authentication plugin adds a secret key to the administrative login system. Whenever an administrator type the login URL for administrative area, she is redirected to site’s homepage or to an 404 page. It pretends that the URL doesn’t exist. challenged to provide the secret key.

However, when the secret key is appended to the URL, for example, , the administrator sees the login page, and can login using administrative username and password.

There’s more…
You can customize the redirection by selecting Custom Path in Redirect Options field and specifying the redirect URL in Custom Path field.

The secret key you type in Key field can be alphanumeric, that is it can contain characters and numbers only. It is case sensitive, too. Therefore, to protect the administration area, you need to assign the secret key carefully and keep it secret. Anybody knowing the secret key can see administration login page.

Want more recipes for Joomla!? Look into  my book Joomla! Top Extensions Cookbook, published by Packt Publishing.

Enhanced by Zemanta

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.