Backend protection

One of the main problems of Joomla is that everybody can reach the backend login page: you only have to write <your_site/administrator> . This makes easy to launch brute force and dictionary attacks. To avoid this, we have developed an option to add a 20 characters secret key to the url. If you don't provide this key, you will be redirected to the page set in the “url to be redirected to” field:

You can create keys of 5, 10, 15 or 20 characters, and you can set this value under Global configuration --> Tuning. By default, it is stablished to 20 characters. You only have to click in the 'Generate key' button and a new key will be generated. To protect your site, click in the 'Protect' option and the current key will be applied to your backend url:

Since then, to access your site backend you will have to write:

If you try to access using the old url, you will be redirected to a 'not_found' url or to your main page.

If you don't remember your secret key, you only have to access your site using a ftp application and delete your .htaccess file. Then you will be able to access your site backend using the <your_site/administrator> url.

If you use another component to hide your backend url, you must disable or uninstall it. If you don't do it, you won't be able to access your backend.