Change administrator path in joomla 2.5 - joomla

I've been using Joomla for the past 2 years. As Joomla is a very popular CMS for PHP lovers, hackers are always trying to deface websites built on Joomla. Anyone can easily detect whether a website is using Joomla or any other programming language by using the Wappalyzer software. In Joomla we can access the administrator panel by typing
http://phalana.com/administrator.
So my question is how to change /administrator to something else so that hackers will not get to the administrator panel. So far I've seen a number of extensions in the official Joomla directory, but something is still lacking in them. Can anyone help me change the administrator path?

Changing /administrator is a very bad idea for a lot of reasons; top amongst them, ironically, is security. Apart from that it:
* breaks lots of components
* cuts you off from easy application of security updates
* the effects of renaming are unknown from a security point of view
The best way to secure Joomla's /administrator area is to follow some simple steps...
* Add realm authentication to the /administrator directory; that way, unless your hacker manages to figure out the username and password, they're stumped.
* Use an extension like JSecure or Akeeba's Admin Tools (both allow you to set a "secret word" on the administrator URL) or check the extensions already available in the Login Protection section of the Joomla! Extension Directory (called JED for short). N.B. I personally like Admin Tools the most, with the /administrator?secretword, their application firewall and the .htaccess maker.
* Follow the advice in the Security Checklist on the Joomla Docs website.
Personally we do all of these things and a bit more... as we keep telling people.

You can protect or hide your /administrator directory by creating an alternative directory which sets a cookie that is sent in the HTTP header of the request. That cookie will be validated by the index.php file in the /administrator directory; if it is not validated (when an unauthorized user wants to detect if your site is Joomla based by the known /administrator directory), then the request will be redirected to the root directory of your site.
These are the steps.
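* Create an alternative /administrator directory, i.e. /admins_place
* Inside /admins_place, create an index.php with the following code snippet
<?php
// Must be exactly the value that /administrator/index.php checks for
$admin_cookie_code = "_hashed_secret_code_here_";
// Session cookie, valid for the whole site
setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/");
header("Location: ../administrator/index.php");
exit; // stop here so nothing else runs after the redirect
?>
* In the administrator directory, add this code snippet at the beginning of the index.php file.
<?php
// Redirect to the site root unless the cookie is present and matches
if (!isset($_COOKIE['JoomlaAdminSession']) || $_COOKIE['JoomlaAdminSession'] !== "_hashed_secret_code_here_") {
    header("Location: ../index.php");
    exit; // without this the admin page would still be rendered
}
?>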
I hope this helps
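A hardened form of the cookie gate from the answer above, as an added example that is not part of the original post: it compares the cookie in constant time, narrows the cookie's scope, and stops execution after the redirect. It assumes PHP 7.3 or later, HTTPS, and a site installed at the web root; the file name admin_gate.php, the function names and the ADMIN_GATE_TOKEN placeholder are hypothetical, while the cookie name is the answer's.

```php
<?php
// Added example: shared helper for both files (hypothetical name: admin_gate.php).
// ADMIN_GATE_TOKEN is a placeholder; generate a real value once with
// bin2hex(random_bytes(32)) and keep this file out of public backups.
const ADMIN_GATE_COOKIE = 'JoomlaAdminSession';   // cookie name used in the answer
const ADMIN_GATE_TOKEN  = 'REPLACE_WITH_64_HEX_CHARS';

// Called from /admins_place/index.php: set the cookie, then go to the real login.
function admin_gate_issue(): void
{
    setcookie(ADMIN_GATE_COOKIE, ADMIN_GATE_TOKEN, [
        'expires'  => 0,                 // session cookie, gone when the browser closes
        'path'     => '/administrator',  // only sent to the admin area (assumes web-root install)
        'secure'   => true,              // never sent over plain HTTP
        'httponly' => true,              // not readable from JavaScript
        'samesite' => 'Lax',             // not attached to cross-site subrequests
    ]);
    header('Location: ../administrator/index.php');
    exit;
}

// Pure check, kept separate so it can be exercised without sending headers.
function admin_gate_ok(array $cookies): bool
{
    $sent = $cookies[ADMIN_GATE_COOKIE] ?? '';
    // hash_equals() compares in constant time and requires two strings,
    // so an array-valued cookie (JoomlaAdminSession[]=x) is rejected first.
    return is_string($sent) && hash_equals(ADMIN_GATE_TOKEN, $sent);
}

// Called at the very top of /administrator/index.php.
function admin_gate_enforce(): void
{
    if (!admin_gate_ok($_COOKIE)) {
        header('Location: ../index.php');
        exit;   // header() alone does not stop the script; the admin page would still render
    }
}
```

/admins_place/index.php would require this file and call admin_gate_issue(); /administrator/index.php would require it and call admin_gate_enforce() before anything else. The gate only hides the login form, so Joomla's own authentication still has to hold on its own.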

Related

Joomla Site is hacked?

My Joomla site was hacked by someone. The hacker changed the content of my files and replaced it with their content. I find it and delete it, but he does this again and again. I changed my FTP and cPanel details, but it was no use. How can I prevent this? Please help me, anyone.
Thanks in advance
For the moment, at least update to 1.5.26 and after that also install this patch.
Remove any unneeded extensions and also try to make sure that the rest of your extensions are up-to-date as much as possible.
You can also strengthen up your site's security with advanced .htaccess rules and security extensions like admin tools by Akeeba.
Read also:
Joomla Security Checklist
https://joomla.stackexchange.com/questions/2305/what-to-do-if-my-joomla-website-got-hacked
Also, this Google Search Results Page will present you with links to useful and important information.

Magento Admin URL 404

I know that similar issues and topics exist; however, my issue differs slightly and none of the proposed fixes have worked.
I was accessing the Magento backend as normal. Approximately 10 minutes after that I could no longer access the Magento backend.
What I mean is that when I go to the admin url login page, I get a 404. However the 404 isn't generated by my host, it's generated by my webstore.
Everything about my webstore works as normal.
I've seen a number of fixes, mainly this one...
http://www.magentocommerce.com/boards/viewthread/207981/#t274443
I have a few main issues.
Admin Custom URL had been set (but not by me). It was set over a year ago when Magento was installed. It worked entirely fine until today.
I do not even have "admin/url/custom" and "admin/url/use_custom" in my "core_config_data" PHP table. It simply does not exist so I cannot change it. I looked manually for it and did a search for it. Nothing.
I tried updating the local.xml file and clearing "var/caches" and "var/sessions" but that did not work either.
I've been working this for hours and it's beyond frustrating. It's imperative that this be fixed ASAP because we are a fairly sizeable company.
Thanks ahead for helping. Anything at all would be appreciated.
First Check your Apache configurations
I know that you said you were only in the Magento admin but I would first check that apache was configured correctly. This is the first point of contact and you need to ensure that it's working right.
You need to locate a default Magento htaccess file that you can upload to your server. There are additional configurations that you need to make if you're in a subdirectory, and also check to make sure that your mod_rewrite is working properly. There's an extensive tutorial on these things here, magento htaccess.
Make sure that you have the right magento admin url
I have to assume that you know what your magento admin url is, but of course I would double check that you're getting it right. There is an option in the admin area to change the admin url, you could have adjusted that on accident.
You say that you don't have "admin/url/custom" and "admin/url/use_custom" in your core_config_data table. This actually means that you didn't set the magento admin url from the admin area. However there is a third place that you can look for your admin url. This is in app/etc/local.xml but you couldn't have changed this from the administration area.
Did you turn off search engine friendly urls?
If you had been accessing your administrative area using /admin and then accidentally turned off SEF urls, then your admin area could have just simply moved to /index.php/admin. Of course you mentioned that you have a custom admin url, but I don't know what that is, so I'm giving examples with the default.
I can't really give you any more suggestions without more information. I hope that this helps!
Found this and thought I would post here since it shows up in google.
http://sourcelibrary.org/2011/05/19/magento-404-page-not-found-error-for-admin-panel-access/#comment-8444

Moved Joomla 1.7 Site to New Server. Admin works fine. No pages display

I've just moved a Joomla 1.7 site to a new server.
Administration back-end works fine. Configuration.php seems fine. Get "The requested document was not found on this server." for every page other than Home.
Must be talking to the database OK or I'd get an error. Could this be a problem with the PHP?
Thanks,
Andy
Did you clear the Joomla cache?
Disable page and/or module caching.
Disable any plugin that optimizes "loading speed".
Try removing SEF URLs (Joomla! and any 3rd party extension).
If you are using a custom .htaccess, then use an unmodified Joomla one.
Disable some system plugins.
Disable modules in the homepage.
Have you tried using another template (site)?
You have Search Engine Friendly URLs enabled in the /administrator/ area's global configuration settings. You have probably enabled the option to use the mod_rewrite function, which removes the /index.php/ portion of the URLs.
It is a requirement of this mode that you have the .htaccess file in place in the root of your site. You probably had this correctly configured on your development server but perhaps forgot to move the file across when you went live. Some FTP programs hide dot files (files starting with a leading dot in the filename) so depending upon how you transferred the files (I'm guessing manually with FTP rather than Akeeba backup or similar) the file may have been missed. Look through your FTP client's options/preferences for an option to show/hide hidden files.
Failing this - the file could be correctly in place - but if you were developing in a sub-folder on your development server you would have set the RewriteBase line to your /sub-folder/
RewriteBase /sub-folder/
Now you've moved to the live server this line could be incorrect. If this is the case, edit the file to read
RewriteBase /
Chances are it is one or other of these issues - missing .htaccess file or incorrect RewriteBase. A third and nowadays somewhat more unlikely option is that your server doesn't have mod_rewrite enabled - but I think that would result in server 500 errors.
Check whether you are using any modules that call the database and whether you have changed the DB details in those modules after migration. If the admin panel is working fine then I think the problem is with some modules that are used in the front-end. You can debug by disabling a few suspected modules and checking whether your site works fine or not. Else provide some more information about your site so that I can check further.

Joomla 1.6 backend admin area blank

For some reason, when I log into my joomla 1.6 backend, it is now empty, displaying only a logout button. Any Ideas?
I just went through the same problem but on J!1.7.3. There may be many, many reasons but please check using just URL if you can see for example:
[YourDomainHere]/administrator/index.php?option=com_content or
[YourDomainHere]/administrator/index.php?option=com_modules
If content is listed and you're missing just the Admin menu and sub-navigation in the back-end --> this means you messed up access levels and viewing access.
If you can't see the content listing - ignore the rest of this post :-)
...with access levels and viewing access. To check that, try entering [YourDomainHere]/administrator/index.php?option=com_users&view=levels and enter each position in the list. The Joomla backend navigation module usually has Access set to Special, so focus on this one. When you enter Special - manager, author and super administrator should be ticked. If everything is empty in any entry of the list - this is your issue :)
You need to add manager, author and super administrator to your Special access level. Obviously you can't see the Save button, so you need to use the database. [wrrr :) sounds scary?] Not a big deal, just go there using for example phpMyAdmin and find the _viewlevels table. In there just edit Special and add [6,2,8] values to set up manager, author, super.....
Update the database. Try to log in one more time (close the browser and clean the cache before).
I hope that if this wasn't helpful for you, it will be for somebody else.
p.s. There may be a way of 'saving' changes in your Joomla access levels with a URL. Then you don't need to go to the DB .. but I don't know if this is feasible at all :)
Check the rewrite of htaccess and the $mosConfig_absolute_path variable in config.php
Apparently, the Bluestork Template (admin template) has some security issues. In my case there were some missing files in the template folder /administrator/templates/bluestork/ that caused the administrator screen to appear blank. I've copied a clean version of the template in the bluestork folder and after that I was able to see the backend admin area.
I've removed the Bluestork templates entirely for now, which seems to be the best option. Joomla installs 2.5.8, 2.5.6, 2.5.2, 1.7.0, 1.6.3 are affected. The Bluestork Template is a target for hacks with old Joomla.
This is happening because the admin user lost his permissions. See the article below to fix this issue:
http://www.codentalk.com/joomla-admin-showing-blank-page/

How we can change administrator path in joomla?

I want to change the administrator path of my site in Joomla. E.g. currently I have the admin path http://myserver/mysite/administrator but now I want to change it to
http://myserver/mysite/admin.
Check out the constants in /includes/defines.php and /administrator/includes/defines.php
Unfortunately Joomla doesn't have a clean way of changing this without changing core files and even then this will cause problems while applying update patches in the future.
What you should consider is installing jSecure, an extension which will prevent people from hitting the mysite.com/administrator page directly. You can access your admin panel by going to mysite.com/administrator?MySecretKey (set your own secret key) but people who try to access it directly will be redirected to the front page.
I hope this helps.
