Credits: Video Training produced by Brian Teeman
There are several methods in Admin Tools to restrict access to the administrator interface of your website.
The first we have already seen in the Web Application Firewall video.
If we look at Configure WAF here, we can see that I can restrict administrator access to only the IP addresses in a whitelist, or disallow access from IPs that are in a blacklist.
As most people want to be able to access their website administrator wherever they are, perhaps when they are roaming from an internet cafe or their mobile phone, I don't recommend that you set the whitelist up.
You can also lock down your administrator interface at certain hours of the day by setting an away schedule. For example, I can prevent access from 18:00 to 08:00. However, again, in case of emergency this might not be the best option.
Another option that we saw in the installation video is to set an Administrator secret URL parameter.
Enter a word or phrase here that is easy to remember AND without any spaces, and then click Save & Close. If we now log out of our website and try to log back in by typing in the administrator URL, we will be redirected to the home page of the website.
The only way you will be able to log in to the administrator is by typing administrator followed by a question mark and then the special word or phrase. Once you've done that, you can log in as usual.
Whilst this will prevent most types of brute force attacks, a far better option is to use the password protect feature we also saw in the installation video.
With this method you can prevent access to your administrator with an additional username and password. Enter the username and password that you want to use. This should not be the same as your password for anything else, including your Joomla administrator login. Then click on Password protect.
A pop-up box will immediately be displayed requesting authentication, and before you can proceed you must enter the details that you just set.
If someone now goes to your website and attempts to log in at the administrator URL, they will get a pop-up box asking for that additional username and password.
The final protection that Admin Tools provides is called Emergency Off-line.
If for any reason you need to make sure that your website is completely offline and can't be used for anything, you can select this option and it will add these rules to your .htaccess file in the site root.
What this will do is ensure that any requests to your website are redirected to a file called offline.html. You will of course need to create a simple HTML file called offline.html to explain that your site is offline, otherwise visitors will see an ugly not found message.
If I activate this by clicking on the Set Offline button, the site is now in Emergency Off-line mode and anyone coming to the site will be redirected to that offline.html.
As long as your internet connection and your IP address do not change, you will still be able to access the site even when it's in offline mode.
When you're ready to turn the site back online, simply select Emergency Off-line and click the green Set Online. Anyone visiting your site now will see the site as you intended them to see it.
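To confirm which of these protections is actually in effect, you can look at how the server answers an anonymous request for the plain administrator URL. The following is an added example, not part of the original video or of Admin Tools: the function name, the example.test host and the sample responses are made up, and it assumes the pop-up is an HTTP 401 challenge, the redirects are HTTP 3xx responses, and the site lives at the domain root.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify_admin_response(status, headers,
                            admin_url="https://example.test/administrator"):
    """Classify the reply to an anonymous GET of the plain administrator URL.

    Assumptions (not stated in the video): the authentication pop-up is an
    HTTP 401 challenge and both redirects are HTTP 3xx responses.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        return "password-protect"          # extra username/password prompt
    if status in REDIRECTS:
        # Location may be relative, so resolve it against the requested URL.
        target = urlsplit(urljoin(admin_url, h.get("location", "")))
        if target.netloc != urlsplit(admin_url).netloc:
            return "redirect-offsite"
        if target.path.endswith("/offline.html"):
            return "emergency-offline"     # whole site is offline
        if target.path in ("", "/"):
            return "secret-url"            # sent back to the home page
        return "redirect-other"
    if status == 200:
        return "login-exposed"             # login form served to anyone
    return "unknown"

# Constructed sample responses (status, headers), one per situation.
SAMPLES = {
    "no protection":     (200, {"Content-Type": "text/html"}),
    "secret URL set":    (302, {"Location": "/"}),
    "password protect":  (401, {"WWW-Authenticate": 'Basic realm="Restricted"'}),
    "emergency offline": (307, {"Location": "https://example.test/offline.html"}),
}

def audit(samples=SAMPLES):
    """Return {sample name: verdict} for a set of captured responses."""
    return {name: classify_admin_response(s, h) for name, (s, h) in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18} -> {verdict}")
```

A verdict of login-exposed for your own site means none of the protections described above is active on the administrator URL.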