Sunday, March 17, 2013

Joomla: hide backend with secret key to enhance security

If your website uses Joomla, it is easy to try login your back-end at the address: <your_website>/administrator/

Bad guys can attack your back-end with some technique, e.g. Dictionary attack.

There are many solutions to protect your back-end. Here, I suggest a way with small change in the file: administrator/index.php. Let add the following code after require_once lines:


$session =& JFactory::getSession();
$passport = $session->get('passport');
if(!$passport || $passport != "passed")
{
$goent = JRequest::getVar('your_secret_var','','get','text');
if(!$goent || $goent != "your_secret_value")
{
// Redirect to homepage
header('Location:  ../index.php');
}
else
{
$session->set('passport', 'passed');
}
}

After adding this code, you must login at: <your_website>/administrator/index.php?your_secret_var=your_secret_value

Any attempt to access <your_website>/administrator/ will redirect to your home page.

Best wishes.





No comments:

Post a Comment

Subscribe to RSS Feed Follow me on Twitter!