Disabling Joomla Admin Tools

Additional protection for the Joomla administrator panel

Automated password guessing is the most common way a site gets broken into. In this guide we look at how to harden the administrator panel of Joomla, the second most popular content management system in the world after WordPress.

The standard Joomla administrator login

Before adding extra protection to the site's administrator panel, let's look at why it is needed at all.

By default, the administration panel of a Joomla site is reached through the login form at:
your-site.ru/administrator

After entering the username and password we land in the admin panel and can use the available functionality.

It may seem that the administration panel is reliably protected by the login credentials, but:

  1. everyone knows the address at which the Joomla admin login page is available;
  2. it is also known that a Joomla username and password can be submitted an unlimited number of times.

This lets attackers simply guess the username and password automatically: a program keeps submitting credentials until it gets into the admin panel, after which the site is compromised with all the consequences that follow.
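Because core Joomla does not throttle login attempts, the first sign of the attack described above is usually a burst of POST requests to the login form from one address in the web server's access log. The following is an added example, not code from the original page or from Akeeba, that scans Apache "combined" access log lines and flags any client that submits the login form more than a threshold number of times within a sliding window. The log lines are constructed for the example; the threshold, window and the `LOGIN_PATH` constant are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (not real traffic): 203.0.113.7 hammers the
# Joomla login form, while 198.51.100.4 loads the page and logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2017:08:22:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/2.18"
203.0.113.7 - - [29/Oct/2017:08:22:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/2.18"
198.51.100.4 - - [29/Oct/2017:08:22:03 +0000] "GET /administrator/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2017:08:22:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/2.18"
203.0.113.7 - - [29/Oct/2017:08:22:05 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/2.18"
198.51.100.4 - - [29/Oct/2017:08:22:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2017:08:22:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/2.18"
203.0.113.7 - - [29/Oct/2017:08:24:30 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/2.18"
"""

# Apache "combined" format: client, identd, user, [timestamp], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/administrator/index.php"  # assumed: the Joomla back-end login target


def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_login_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: time_first_flagged} for clients that POST to the login form
    at least `threshold` times inside any `window_seconds`-long sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    bursts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in bursts:
            bursts[ip] = ts
    return bursts


if __name__ == "__main__":
    for ip, when in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {len([1])} login burst detected at {when.isoformat()}")
```

An access log cannot distinguish a failed login from a successful one (Joomla answers both with a redirect), so this flags volume rather than failures; pair it with Joomla's User Actions log or the security exceptions log of a component such as Admin Tools before blocking anything.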

Setting up double protection for the admin panel

The Joomla administration panel can be protected against break-ins with a second set of credentials; for this we use the Admin Tools component from Akeeba.

Joomla extension card
Name: Admin Tools
Category: Security
Includes: component, module, plugin
Compatibility: Joomla 3, 4
Free version: yes
Paid version: yes
Links: JED page, official site
Developer: Akeeba

Installing the Admin Tools component

  1. download the component from the official site,
  2. download the Russian localisation,
  3. install the component and the localisation through the Joomla extension manager.

Configuring double authentication for the admin panel

  1. in the administration panel menu choose Components, Admin Tools
  2. in the Security section choose Administrator password protection
  3. enter a Username and Password in the corresponding fields
  4. click the Password-protect button

Now, when the admin login page is opened, the browser shows a pop-up dialog asking for a username and password; only after these are accepted does it reach the actual Joomla login form.

How does double protection of the Joomla admin panel work?

After the steps described above, the Admin Tools component creates two files in the administrator folder:

  • .htaccess: tells the web server to require HTTP Basic authentication, which the browser presents as the pop-up.
  • .htpasswd: holds the additional username together with a hash of its password.

To regain access to the admin panel (for example if the username and password are forgotten), delete these files over FTP or through the hosting control panel.

The files can also be removed (that is, double authentication switched off) from Admin Tools itself (Security tab, Administrator password protection, Disable password protection).
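To show what those two files actually contain, here is an added example in Python that produces them the way the `htpasswd` tool would: the password is stored as an Apache `$apr1$` MD5-crypt hash (the algorithm of APR's `apr_md5_encode`), and the `.htaccess` stanza is what makes Apache challenge the browser. This is illustrative code, not Admin Tools' own implementation; the realm name "Restricted Area", the function names and the `protect_administrator` helper are assumptions.

```python
import hashlib
import secrets
from pathlib import Path

# Apache's own 64-character alphabet for crypt-style hashes.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Apache's to64(): emit `count` characters, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += chr(ITOA64[value & 0x3F])
        value >>= 6
    return out


def apr1_md5(password: str, salt: str) -> str:
    """Apache-specific MD5 crypt ('$apr1$') as written by `htpasswd -m`."""
    pw = password.encode()
    sp = salt[:8].encode()           # Apache uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    # Mix in the alternate digest, repeated to the length of the password.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length: a NUL byte if set, else the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 fixed rounds: this is the only "stretching" the format has.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Apache's byte reordering before base-64-style encoding.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"$apr1${sp.decode()}${encoded}"


def new_salt() -> str:
    """8 random characters from Apache's alphabet."""
    return "".join(chr(ITOA64[b & 0x3F]) for b in secrets.token_bytes(8))


def htpasswd_line(username: str, password: str, salt: str = "") -> str:
    """One `.htpasswd` record: username, colon, hash."""
    if ":" in username:
        raise ValueError("':' is the field separator in .htpasswd")
    return f"{username}:{apr1_md5(password, salt or new_salt())}"


def verify_htpasswd(line: str, username: str, password: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    user, _, stored = line.partition(":")
    if user != username or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_md5(password, salt), stored)


def htaccess_basic_auth(htpasswd_path: str, realm: str = "Restricted Area") -> str:
    """The `.htaccess` stanza that makes Apache demand credentials (the browser pop-up)."""
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )


def protect_administrator(admin_dir: str, username: str, password: str) -> None:
    """Write both files into the Joomla administrator directory (hypothetical helper)."""
    d = Path(admin_dir)
    htpasswd = d / ".htpasswd"
    htpasswd.write_text(htpasswd_line(username, password) + "\n")
    (d / ".htaccess").write_text(htaccess_basic_auth(str(htpasswd.resolve())))
```

Two caveats a practitioner should keep in mind. First, `.htaccess` is honoured only by Apache (and compatible servers such as LiteSpeed) with `AllowOverride` enabled; on nginx these files do nothing and the admin login stays exposed. Second, `$apr1$` is a fast, MD5-based hash; `htpasswd -B` on Apache 2.4 writes bcrypt instead, which is the better choice where the server supports it, so treat the second password as a gate in front of the Joomla login, not as a replacement for a strong one.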


Admin Tools’ Web Application Firewall (WAF) locked you out of your site

It’s easy to be overzealous and apply very strict security settings for the Web Application Firewall of Admin Tools. An overzealous configuration, a misbehaving third party extension or a misconfigured server can cause you to be accidentally locked out of your own site. Here we’ll see how to fix that.

Step 1. Regain access to your site’s administrator

There are two ways to regain access to your site, Rescue Mode and FTP.

Using the Rescue Mode to regain access to your site’s administrator

Note that if you are not the only Super User on your site, or if you used another company / freelancer to build your site, it’s possible that they have turned off Rescue Mode. If these instructions don’t work you should assume Rescue Mode is not available or disabled on your site.

Assuming that your site's URL is http://www.example.com, you need to visit the following URL, with the email address of your Super User account substituted for the placeholder, to request a Rescue URL to be sent to you:

http://www.example.com/administrator/index.php?admintools_rescue=<your Super User email address>

You will see the message «Check your email for Rescue URL information» printed on your screen.

Check your email. You will receive an email from your site with a Rescue URL. The Rescue URL looks like this:

Do note that the part after admintools_rescue_token is very long and completely random. Also note that it is only valid for use from the SAME browser and IP address from which you requested the Rescue URL, and only for a short period of time (default: 15 minutes). All of that is done for security reasons.

Visit the Rescue URL either by clicking on it or by copying it and pasting it to your browser’s address bar. If all goes well you will see your site’s administrator backend login page or the Joomla! administrator control panel. If you see the login page just log in with the Super User account which corresponds to the email you used when requesting a Rescue URL to be sent to you.

Important

If you were logged in as a different Super User account you will still be blocked. You will need to repeat this process using the email address of the Super User account you were logged in with on your site. Alternatively, use your browser’s Private Browsing mode to request and visit the Rescue URL.

Now you can go to Components, Admin Tools and unblock yourself. Remember that you have a limited period of time (default: 15 minutes) for security reasons!
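The properties the text gives the Rescue URL (a long random token, bound to the requesting browser and IP address, valid for 15 minutes) amount to a small protocol, and it is worth seeing why each property matters. The following is an added illustration in Python of how such a token issuer and validator could be built; it is not Admin Tools' own code, and the class and method names, the binding of the token to IP plus User-Agent, the storage of only a hash of the token, and the single-use rule are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

RESCUE_TTL = 15 * 60  # seconds; mirrors the 15-minute default quoted in the text


class RescueTokens:
    """Issues one-time rescue tokens bound to the requesting client (hypothetical)."""

    def __init__(self, ttl=RESCUE_TTL, now=time.time):
        self.ttl = ttl
        self.now = now              # injectable clock so expiry can be tested
        self._pending = {}          # sha256(token) -> (email, binding, expires_at)

    @staticmethod
    def _binding(ip, user_agent):
        """Fingerprint of the client that asked for the token."""
        return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()

    @staticmethod
    def _key(token):
        # Only a hash is stored: a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, ip, user_agent):
        """Create a token for the mailed URL (...?admintools_rescue_token=<token>)."""
        token = secrets.token_urlsafe(48)   # 384 bits from the OS CSPRNG
        self._pending[self._key(token)] = (
            email, self._binding(ip, user_agent), self.now() + self.ttl,
        )
        return token

    def redeem(self, token, ip, user_agent):
        """Return the bound email if the token is valid for this client, else None."""
        key = self._key(token)
        entry = self._pending.get(key)
        if entry is None:
            return None
        email, binding, expires_at = entry
        if self.now() > expires_at:
            del self._pending[key]          # expired: forget it
            return None
        if not hmac.compare_digest(binding, self._binding(ip, user_agent)):
            return None                     # different browser or IP: reject, keep token
        del self._pending[key]              # single use
        return email


if __name__ == "__main__":
    issuer = RescueTokens()
    tok = issuer.issue("admin@example.com", "203.0.113.7", "Mozilla/5.0")
    print("same client:", issuer.redeem(tok, "203.0.113.7", "Mozilla/5.0"))
    print("replay:", issuer.redeem(tok, "203.0.113.7", "Mozilla/5.0"))
```

The binding is why the "Important" note above applies: a Rescue URL requested from one browser session will not work from another, and a private-browsing window counts as a different browser only if it was the one used to request the link.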

Using FTP to regain access to your site’s administrator

The failsafe way to regain access to your site’s administrator backend is using an FTP application or your hosting control panel’s File Manager to rename a file.

Go inside the plugins/system/admintools/admintools directory on your site (on older versions of Admin Tools: plugins/system/admintools). You will see a file named main.php. Rename it to main-disable.php. This stops the Web Application Firewall from executing and you can access your site's back-end again.

After you have fixed the cause of your issue remember to rename main-disable.php back to main.php, otherwise your site will remain unprotected!

If you are still blocked

There are two cases where the Rescue URL feature, or renaming the Admin Tools system plugin's file, will not help you. These are the two cases where Admin Tools has created a server configuration file, meaning that you are blocked by your server, not by Admin Tools.

The first case is the Administrator password protection feature. Please delete the files named .htaccess and .htpasswd from your site’s administrator directory.

The other case is when you’ve used the .htaccess Maker feature of Admin Tools. In this case there’s a .htaccess file in your site’s root. You may want to replace its contents with the default Joomla! .htaccess file content.

In both cases you should note that the files have names beginning with a dot. That makes them hidden. You will need to enable the display of hidden files to edit or delete them. If you are unsure how to do that please ask your host and tell them that you need to edit/delete hidden files. Usually they will point out an option in their hosting control panel's file manager.

If you are still blocked your issue is unfortunately unrelated to Admin Tools. Do you have another security plugin on your site? If you do, check its settings. If not, check with your host. More often than not, hosts have their own server security systems which can block you out of your site. If you are unconvinced follow the instructions under «Using FTP» above. Doing that prevents Joomla! from loading Admin Tools' code at all. If you can reproduce your issue when Joomla! cannot load Admin Tools' code you can be certain that your issue is completely unrelated to Admin Tools. Code which isn't loaded cannot run. Code which doesn't run cannot affect your site.

Step 2. Unblock yourself

In most cases the easiest way to unblock yourself is simply going to Components, Admin Tools and clicking the big Unblock My IP button. If this doesn't work, or the button is not visible, follow the instructions below.

Do remember to end the Rescue Mode, or rename main.php back, after you're done unblocking yourself!

Automatically banned IP address

Go to Web Application Firewall and click the Exceptions Log button. Delete all records with your own IP address. Then, go back to Web Application Firewall and click on the Auto IP Blocking Administration button. Select the record showing your IP address and click on the Delete button to delete the block.

Tip

Don’t know what your IP address is? Just visit whatismyipaddress.com to find out!

If this problem keeps happening without you doing anything and the IP blocked is NOT the same as the one reported by whatismyipaddress.com you will have to do one more thing. Go to Components , Admin Tools , Web Application Firewall and click on the WAF Configuration button. In the first tab set Enable IP workarounds to Yes, no matter what the automatically detected recommendation is.

If that was not the case, you have two options. The first is to troubleshoot the reason of the ban. Go to Components , Admin Tools , Web Application Firewall , Security Exceptions Log and check the Reason and Target URL for the entries which have your IP address in the IP address field. Find the reason in the «List of blocking reasons» documentation page to find out why you’re being blocked. If you are not sure what that means, please file a support ticket remembering to copy the information from the Security Exceptions Log. Kindly note that you need to have an active subscription to receive support.

The second option at your disposal is adding your IP address to either of the IP whitelists, as follows.

The first approach is to add your IP address to the Administrator IP Whitelist. Using this option will limit access to the administrator section of your site to the IPs listed in the whitelist only. We strongly recommend that you do not use it unless you and all of your back-end users have static IP addresses. In all other cases you may get blocked out of your site. Go to Components, Admin Tools, Web Application Firewall and click the Administrator IP Whitelist button. Add your own IP address.

The second approach is to use the Safe IP List. All IPs in that list will not be automatically banned. In order to do that, go to Components , Admin Tools , Web Application Firewall and click on the WAF Configuration button. Inside the Auto-ban Repeat Offenders area find the Never block these IPs field. This is a comma-separated list. Add the IPs you want to never be automatically blocked separated by commas on that list.

Administrator IP Exclusive Allow List

If you have enabled the administrator exclusive allow IP list you have to make sure that your IP address is included in the exclusive allow list to be able to access your site. Go to Components , Admin Tools , Web Application Firewall and click the Administrator IP Exclusive Allow List button. Add your own IP address.

Tip

Don’t use the Administrator IP Exclusive Allow List if your ISP assigns an IP address dynamically. This is the default unless you are paying them extra for a «static IP».

IP Deny List

If you have enabled the IP Deny List you have to make sure that your IP address is not included in the blacklist in order to be able to access your site. Go to Components , Admin Tools , Web Application Firewall and click the Site IP Deny List button. Remove your own IP address.

Administrator Secret URL parameter

If you have forgotten your Administrator Secret URL parameter go to Components, Admin Tools, Web Application Firewall, Configure WAF, click on the Basic Protection Features tab and find the Administrator secret URL parameter option. Change or remove all of the text in that box to reset or unset, respectively, this feature.

The Joomla! Forum™

Disable administrator completely

Post by oligalma » Sun Oct 29, 2017 8:22 am

Re: Disable administrator completely

Post by gws » Sun Oct 29, 2017 10:42 am

Re: Disable administrator completely

Post by JAVesey » Sun Oct 29, 2017 2:40 pm

Exactly. It’s not a good idea to do as you suggest.

Take a look at the AdminExile plugin. Use it to set a unique Administrator URL that only you know

Re: Disable administrator completely

Post by oligalma » Sun Oct 29, 2017 2:56 pm

Re: Disable administrator completely

Post by JAVesey » Sun Oct 29, 2017 4:06 pm

So you’d FTP/upload a replacement file, login and do your stuff, logout and then FTP/upload the amended file? Sounds like more trouble than it’s worth.

Try AdminExile; so much easier than what you’re suggesting. It also offers «Brute Force» protection to Frontend and Administrator login attempts.

Re: Disable administrator completely

Post by AMurray » Sun Oct 29, 2017 9:30 pm

A couple of other suggestions :

Admin Tools from Akeeba also does the AdminExile thing with the secret key and brute-force protection but also offers a firewall with settings such as White list/Black list of IPs.

If you have a static IP, you can specify that if it’s your primary login «location» and so any other IP will be denied access but as long as your IP is in the list allowing logins for super admins you can access the back end. All others will be just redirected to the public home page. The component has a range of security measures such as easy set up of administrator folder protection (with htaccess).

Akeeba also has LoginGuard, a 2-factor authentication component. I use it instead of the built in 2FA as I don’t have a smart phone which is required to use the Google Authenticator app. The Akeeba LoginGuard can send the codes to email which I find more convenient.

Re: Disable administrator completely

Post by sozzled » Sun Oct 29, 2017 9:37 pm

From a professional’s, manager-of-several-website’s point of view, this is not a good idea.

For your purposes, @oligalma, you should do whatever you want to do and please do not listen to professionals or people who manage several websites. If you think it’s a good idea then I agree with you: for you, it’s a good idea.
