Protect your Joomla administrator login

Let's be honest: there is no magic in finding out what engine/CMS is running your website. You only have to go to http(s)://mysite.ext/administrator and even without knowing the username and password of the administrator, everybody can see your site is running on Joomla. For WordPress, it's almost the same but you need to use the URL http(s)://mysite.ext/wp-admin. Pretty easy to get started if you want to attack a website, isn't it?

Joomla Extensions

In the Joomla extensions directory, you can find a couple of plug-ins for Joomla which ask for an extra token before you can really see the administrator login page. There is, e.g., the excellent adminexile plugin, which I used for a couple of months. A lot of other good login protection plugins can also be found in the Joomla extensions directory. But it is for sure better to ensure nobody can start messing around in your administrator environment by keeping them out even before they can start sending specific URLs and checking how your site answers.

Server hardening - .htaccess (Apache)

If you are running your site on an Apache server, you can make sure nobody (except the people who know the username and the password) can get around in the administrator part of the site by adding only a very small part to your .htaccess file.

IIS will be able to provide a similar kind of protection, but as I'm only working on Apache, I will not elaborate further details on IIS and only concentrate on Apache and .htaccess.

You will only be protecting the administrator part of your site, so you have to create a separate .htaccess file which will be placed in the /administrator directory of your site. That way, all other parts of your site will remain publicly accessible (as I suppose you want your site to be accessible by everybody from around the world to read your information or buy your products).

  • .htaccess file

    You have to create a new .htaccess file with the following content:

    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /serverpath to just above your www directory/httpd.private/joomla/pwd/.htpasswd
    AuthGroupFile /dev/null
    require valid-user

    - AuthName gives you the name of the area you want to protect
    - AuthType is Basic, this is all you need for normal website operation. More advanced types of authentication are only worth the effort for highly secured sites
    - AuthUserFile provides the path to the password file where the user and the password you need to enter to pass this authentication step will be stored
    - AuthGroupFile is not provided (/dev/null means nowhere)
    - require is set to valid-user, so you will need a username AND a password to pass this authentication step.

    If you are really paranoid, you can even ban all IP addresses except your own by adding these 2 lines at the bottom of your .htaccess file - replace xx.yy.zz.aa with your own IP address.

    Deny from ALL
    Allow from xx.yy.zz.aa

    However, be careful if you do this: if you have a dynamic IP address on the computer from where you administer your site, be aware that any time your IP address is automatically changed to another one you will have to adapt the .htaccess file (most probably using your FTP client). If you plan to administer your site from everywhere around the world where you can get an IP address for your machine, don't use this as it will make your website administration a really complex operation.

  • .htpasswd file

    In the previous section, you can see the presence of a path for "AuthUserFile". This will be the file where you store a username and a password for every user who will be able to pass this authentication step by providing the username and the corresponding password.

    Step 1: create your .htpasswd file by using the htpasswd tool of Apache. There are maybe a lot of tools available on the internet, but I prefer to use the local tool which is available on my localhost because I have installed an XAMPP package to test my installations before I put them on the internet. Open up a command line tool on your machine, go to the directory where your htpasswd tool is located (or, if it's in your path, you can call it from anywhere on your machine) and execute the command. The username will be stored in plain text in the .htpasswd file; the password will be stored in hashed form, hence you will not recognize the password you entered.

    Create the .htpasswd file with the command below (-c stands for "create"; if you already have a .htpasswd file and you want to add a new user, please use the -a parameter instead)

    htpasswd -c .htpasswd yourusername

    and provide the password when asked for it. Please don't forget to note down your password (preferably in a safe password vault) or at least make sure you can remember it, as you will need this password to pass the authentication request once you have installed the .htaccess security on your directory.

    Step 2: put your .htpasswd file in the AuthUserFile path as indicated in the .htaccess file.
    Preferably, you put your .htpasswd file in a directory which is not directly accessible through the web, so it has to be in a place outside the directory where your Joomla (or other website) software is installed. In most cases, you will have a kind of path provided by your hosting company which directs you to your site directory. In my case, I get a path /customers/.../ where there are only 2 subdirectories created for now:
    - httpd.www where all my www-files are hosted
    - tmp which is of course a temporary directory, so don't use it to store something permanent.

    You can create a new directory on the same level as these 2, which you can call "httpd.private". I prefer to give it this kind of name, so it's directly clear what kind of information you will store here: information intended for the site, but not directly accessible through a URL. Stepping further into the directory structure, I made 1 more subdirectory beneath httpd.private (and I named it www) to indicate that it will be used by my www site. In this directory, I now store my .htpasswd which I created in step 1 (using an FTP client to transfer the file from my local machine to my web space).

  • Test it!

    Maybe you will be surprised that I tell you to test your configuration, but time and again I see webmasters make the same mistake. I agree that you need to have some confidence in what you do, but please TEST it immediately after installation to ensure everything works fine. If you don't test it, be sure you will discover it doesn't work at a moment you need urgent access to your site. And most probably at that very moment you will also NOT remember how you tried to protect your site. So once again: please TEST it immediately after installation.

    Testing can be done by just typing the URL of the administrator part of your site: you will get a popup where you have to fill in the username and password stored in the .htpasswd file you generated in step 2 of the previous section. Only after passing this step successfully will you see the administrator login page.
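
The same test as a script, added here as an example and not part of the original article: it requests the administrator URL without credentials, with a wrong password and with the right one, then judges the three HTTP status codes. The function names, URL and credentials are placeholders, and curl is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: probe the Basic-auth gate placed in front of /administrator.
# URL, username and passwords used here are placeholders (assumptions).

# Print only the HTTP status code; extra arguments (e.g. -u user:pass) go to curl.
http_code() {
  local url=$1; shift
  curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$@" "$url"
}

# Basic auth only base64-encodes the password, so the URL should be https.
uses_tls() { case $1 in https://*) return 0 ;; *) return 1 ;; esac; }

# Pure decision logic over three status codes:
# no credentials, wrong password, correct password.
gate_verdict() {
  local anon=$1 wrong=$2 good=$3
  if [ "$anon" = 500 ] || [ "$good" = 500 ]; then
    echo "FAIL: server error 500, check .htaccess syntax and the Apache error log"
  elif [ "$anon" != 401 ]; then
    echo "FAIL: anonymous request got $anon, expected 401 (is .htaccess applied?)"
  elif [ "$wrong" != 401 ]; then
    echo "FAIL: wrong password got $wrong, expected 401"
  elif [ "$good" = 401 ]; then
    echo "FAIL: valid credentials rejected, check AuthUserFile path and .htpasswd"
  elif [ "$good" = 200 ]; then
    echo "PASS"
  else
    echo "WARN: valid credentials got $good, inspect manually"
  fi
}

# Run the three probes against the live site and print the verdict.
check_admin_gate() {
  local url=$1 user=$2 pass=$3
  uses_tls "$url" || echo "WARN: plain HTTP, the Basic-auth password is not encrypted in transit"
  gate_verdict "$(http_code "$url")" \
               "$(http_code "$url" -u "$user:not-the-password")" \
               "$(http_code "$url" -u "$user:$pass")"
}

# Usage (keep the trailing slash so Apache does not answer with a redirect):
#   check_admin_gate https://mysite.ext/administrator/ yourusername 'yourpassword'
```
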
