Support

Admin Tools

#12737 Administrator secret URL

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 21 June 2012 10:53 CDT

Thursday, 21 June 2012 09:45 CDT

Accredited Design
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the tickets before posting? yes
Have I read the documentation before posting (which pages?)? yes
Joomla! version: 2.5.6
PHP version: 5.2.17
MySQL version: (unknown)
Host: 1&1 managed/dedicated linux
Admin Tools version: 2.5.6

Description of my issue:

This is a suggestion rather than a support request. It hit me that would-be hackers seeing an instant index.php redirect after attempting mysite.com/administrator would indicate that there is an admin area of some kind being protected? Perhaps an option in admin tools waf settings to present a "fake" 404 page would be of benefit, and present a hacker with an expected negative result? Please forgive if this is already available and I'm missing it and being ignorant.

Thursday, 21 June 2012 09:49 CDT

nicholas
Hackers have many more ways in determining that you have a Joomla! site, most of which can not be blocked (it would kill your site). The rationale of the redirection is that the attacker should not be able to submit the login form, making it impossible to brute force the password. The only loophole would be the attacker using the front-end login page for the same brute-force attack. But this is also blocked ("Forbid Super Admin front-end login") by Admin Tools' WAF. On top of that, the automatic IP blocker will also block an attacker repeatedly trying to access the back-end login page.

If you deploy Admin Tools as per the Quick Setup chapter's instructions and you follow sane security practices your site is very well protected :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 21 June 2012 10:00 CDT

Accredited Design
Thanks for the reply Nicholas. Understood, and I get the rationale. I use the Quick Setup chapter's instructions and also use a 3rd party server-wide security suite which looks for many other forms of attack.

Thursday, 21 June 2012 10:53 CDT

nicholas
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!