Support

Admin Tools

#22320 Readd 'Change administrator login directory to'

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by smartweb on Tuesday, 31 March 2015 13:26 CDT

Monday, 23 March 2015 04:07 CDT

smartweb
Hi,

After problems with some Joomla sites with Admin Tools installed, I just found out that you removed one of the most important options in Admin Tools, 'Change administrator login directory to'.

Just two months ago, I've changed more than 20 Joomla sites to an different url with a message for all clients that it's much more secure like this.

Now, only a few weeks later I have to tell them something completly different? That is a very uncomfortable situation for me (and the relationsship between you and your clients), not very trustworthy.

So please readd the option 'Change administrator login directory to', I never had problems on several shared hosting servers. All worked like expected, without problems.


Thank you
Stefan

Monday, 23 March 2015 04:55 CDT

nicholas
Hello Stefan,

The thing is that this feature doesn't make your sites much more secure. It merely obscures the point of entry, it doesn't make it more secure. The best way to secure your administrator is applying the following:
  • Use the administrator password protection with a username and password different than the one you use for the Super User. This is the MOST efficient anti-brute-force protection! It takes place in the web server itself, long before PHP loads. This can defend your login form against the vast majority of brute force attacks.
  • Use the secret URL parameter. It offers the same level of login form obscurity as the changed administrator directory without any of the problems.
  • A decent username. Avoid admin, administrator, god, owner, manager or any word combination which can be derived from the domain name and/or one of those easily guessed names.
  • A good password. I'm using 40 character passwords with alphanumeric and special characters. They are impossible to remember or guess, which is the whole point. Use a password manager such as LastPass, KeePass, 1Password etc to manage them.
  • Enable Two Factor Authentication. Even if someone steals the username and password they will still need your smartphone or your YubiKey to log in. We had this feature in Admin Tools, two years ago we improved it and donated it to the Joomla! project to the benefit of all Joomla! users. Now it's part of Joomla! 3.2 and later.
  • If possible, use HTTPS. This doesn't protect the login form against brute force attacks but it does protect you when you're logging in from a public Internet connection. If you're using plain HTTP it's easy for someone to subvert the login information, for example using the WiFi Pineapple.


As for the changed administrator directory we decided to remove it because it cannot be made to work with the vast majority of servers. If a feature cannot be made to work for more than 95% of our clients who can reasonably expect to use it we don't include it. This feature was the #1 cause for support requests and we could not resolve almost any of them – the only ones resolved were the ones where the user forgot to enable the SEF URLs on a supported server, but I can count them on one hand... This meant for us that this feature was a big failure. We did try our damnedest to make it work but it ends up being up to the server configuration and in a way that we cannot even reliably predict and warn users that it will not work (unlike, say, .htaccess Maker where we can very reliably predict when it won't work and warn users in advance). It's OK to fail. It's not OK to pretend that you didn't fail. So we accepted our failure and did the only honest thing we can do: remove the failed feature and tell you the alternatives to get a very secure back-end login form.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 31 March 2015 13:26 CDT

smartweb
Thank you for your answer, Nicolas. It doesn't make my situation more comfortable, but I can understand your situation and I'm now able to explain this to my clients.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!