In this example we will secure the Joomla administrator directory. This use of the .htaccess file is not specific to Joomla; it can be used to restrict any directory of any CMS or website.

Many hack attempts on Joomla websites begin at /administrator. The best way to avoid such attempts is to block them at the gate, and one way to do this is to use .htaccess to limit access to the directory itself.

The following examples may be edited to suit your needs for directory-level security on your website.

This requires a .htaccess file in the directory you want to protect. There are two approaches to restricting by IP address:



1.) In the first example we deny everyone access, then allow only the specified hosts and/or IP addresses.

AuthName "Joomla Administrator"
AuthType Basic

<Limit GET POST>
# Deny everything first, then allow the listed network, addresses and hosts.
order deny,allow
deny from all
allow from 192.168.10.
allow from .your-joomla-admin-ip.net
allow from your-host.joomla.com
allow from your-joomla-buddy.joomla.net
</Limit>

2.) In the second example we allow everyone except the specified hosts and/or IP addresses.

AuthName "Joomla Administrator"
AuthType Basic

<Limit GET POST>
# Allow everything first, then deny the listed hosts and addresses.
order allow,deny
allow from all
deny from .microsoft.com
deny from .annoying-script-kid.org
deny from 10.0.0.10
deny from annoying.script-kid.net
</Limit>
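The order/allow/deny directives above are the Apache 2.2 syntax (mod_access, or mod_access_compat on 2.4). The fragment below is an added example, not part of the original article, showing the same two policies in the Apache 2.4 mod_authz_core syntax, plus a third variant that combines the IP allowlist with a password. All addresses, hostnames and the .htpasswd path are placeholders. Two caveats a practitioner should know: anything inside <Limit GET POST> applies only to those two methods (HEAD is included with GET), so the examples here deliberately drop the <Limit> wrapper so the rules apply to every request; and AuthName/AuthType on their own, without AuthUserFile and a Require valid-user line, never prompt for a password and protect nothing.

```apache
# Added example (not from the original article): the article's two policies
# rewritten for Apache 2.4's mod_authz_core. Put ONE of the alternatives in
# /administrator/.htaccess. Addresses, hostnames and paths are placeholders.

# --- Alternative A: deny everyone except the listed networks and hosts ---
<RequireAny>
    Require ip 192.168.10.0/24
    Require ip 203.0.113.7
    Require host your-host.example.net
</RequireAny>

# --- Alternative B: allow everyone except the listed addresses and hosts ---
<RequireAll>
    Require all granted
    Require not ip 10.0.0.10
    Require not host annoying.example.org
</RequireAll>

# --- Alternative C: allowlisted networks AND a password (defence in depth) ---
AuthType Basic
AuthName "Joomla Administrator"
AuthUserFile /path/outside/webroot/.htpasswd
<RequireAll>
    Require valid-user
    <RequireAny>
        Require ip 192.168.10.0/24
        Require ip 203.0.113.7
    </RequireAny>
</RequireAll>
```

After saving, request /administrator/ once from an allowed address and once from a blocked one and confirm you get 200 and 403 respectively. A 500 response means either a syntax error or that the directory's AllowOverride does not include AuthConfig (needed for Auth* and Require directives; the 2.2-style order/allow/deny lines need the Limit override instead). Prefer IP entries over hostname entries: Require host and deny from .domain force a reverse DNS lookup on every request, which is slow and relies on PTR records the remote network controls.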


Another way to accomplish something similar, but less secure because it guards only index.php and leaves the rest of the directory reachable, is a network ACL defined in the index.php of your Joomla administrator directory. For example, say you only want to allow access to the Joomla administrator from the host 10.0.0.10 because that is your webmaster's IP address and no one else should need access to the back end. Open the index.php file in the administrator directory and insert the following code right at the top of the file, before the line // Set flag that this is a parent file.

/* Secure Joomla Administrator */

// Addresses that may reach the administrator; everything else is refused.
$isr_allow_ips = array('10.0.0.10');
// REMOTE_ADDR is set by the web server from the TCP connection, not by the client.
$scanned_ip = $_SERVER['REMOTE_ADDR'];

if (!in_array($scanned_ip, $isr_allow_ips))
{
    die("Access restricted. Your IP is $scanned_ip. This system is for the use of authorized users only. All activity is being monitored.");
}
/* Secure Joomla Administrator */

Now let's say that you have several people who are responsible for the website and therefore need several machines to be able to access the Joomla administrator directory simultaneously. Take note of the line $isr_allow_ips = array('10.0.0.10'); . To define multiple IP addresses, simply separate them with commas and close the line as in the following example.

$isr_allow_ips = array('10.0.0.10','10.0.0.20','10.0.0.30','10.0.0.40');

That's it!

Now only the IP addresses you define will be able to access the secured Joomla administrator control panel.
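Listing every workstation one address at a time gets unwieldy once an office subnet or VPN range is involved, and a plain in_array() check offers no way to express a range. The block below is an added example, not the article's code, that generalises the same index.php guard to accept CIDR ranges as well as single IPv4 addresses, rejects malformed entries instead of silently matching them, and returns a proper 403 status. The addresses are placeholders, and isr_ip_allowed is a helper introduced here, not a Joomla function.

```php
<?php
/* Secure Joomla Administrator (added example, not the article's code).
   Paste everything below this opening <?php line into administrator/index.php
   at the position the article describes. Addresses are placeholders. */

// Allowed clients: single IPv4 addresses or CIDR ranges.
$isr_allow_ips = array(
    '10.0.0.10',        // the webmaster's workstation
    '192.168.10.0/24',  // an office subnet
);

/**
 * Return true if $ip (dotted IPv4) matches any entry in $allowed.
 * Entries may be a plain address or address/prefix-length.
 * Malformed entries are skipped; they are never treated as a match.
 */
function isr_ip_allowed($ip, array $allowed)
{
    $client = ip2long($ip);
    if ($client === false) {
        return false;            // not a well-formed IPv4 address
    }
    foreach ($allowed as $entry) {
        if (strpos($entry, '/') === false) {
            $net  = ip2long($entry);
            $bits = 32;
        } else {
            list($netStr, $bitsStr) = explode('/', $entry, 2);
            $net  = ip2long($netStr);
            $bits = preg_match('/^\d{1,2}$/', $bitsStr) ? (int) $bitsStr : -1;
        }
        if ($net === false || $bits < 0 || $bits > 32) {
            continue;            // skip malformed allowlist entries
        }
        // Network mask for the prefix length; a /0 matches everything.
        $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
        if (($client & $mask) === ($net & $mask)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR comes from the TCP connection and cannot be chosen by the client.
// Do not read X-Forwarded-For here unless a trusted reverse proxy overwrites it.
$scanned_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

if (!isr_ip_allowed($scanned_ip, $isr_allow_ips)) {
    header('HTTP/1.1 403 Forbidden');
    die('Access restricted. This system is for the use of authorized users only. All activity is being monitored.');
}
/* Secure Joomla Administrator */
```

The check still lives only in index.php, so other PHP files under /administrator remain directly reachable; that is why the article rates this approach below the .htaccess rules, and why it works best as a second layer behind them rather than as a replacement.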

Now we have our directories locked up nice and tight, but we're not quite done. If an unauthorised user ever had physical access to one of our allowed machines, or was able to spoof one of our authorised IP addresses, we would still need to defend against brute-force attacks at a minimum. We can never achieve total security as long as the machine is plugged in; our hope here is to make the annoying script kid pass us up for someone a little less diligent in their security efforts. In the next example we are simply going to strengthen our defence against brute-force attacks (manual or automated password guessing) that target Joomla's default administrative user. Because that account's username is known to everyone, an attacker only has to guess the password; disabling it and using a new account forces them to guess the username as well.

In your Joomla Administrator menu, mouse over SITE and click on User Manager.

Create a new account and assign privileges: GROUP - SUPER ADMINISTRATOR.

Save the user, log out of the Joomla administrative control panel, and log back in with your new user.

Navigate back to SITE --> User Manager and open the properties dialog box of the default Administrator "Admin" user.

There, assign the admin user to GROUP - Public Frontend and select BLOCK USER: YES.

I hope this helps all the Joomla admins out there who are trying to be as vigilant as possible in addressing security concerns. Note: the .htaccess rules can also be helpful in denying robot and user access during the development stage of a new site if you add them to the public html directory's .htaccess file.
