CEDC
Nonprofit Design by CEDC

Joomla security tip: add a password to the administrator directory with .htaccess

Submitted by laryn on

We received a call recently from a group who had a Joomla site that was hacked. It turns out that one of their staff members had an insecure password and the hackers obtained the password, giving them direct access to the administration pages. Another way that hackers will sometimes try to compromise your site is to try to directly access insecure code from components or modules that haven't been updated. I thought it might be useful to post a quick security tip for non-profits that are running Joomla!

Obviously, your primary focus should be keeping your passwords secure and making sure you are using credible components and updating them whenever a security release comes out. There is a second step you can take which will be a good addition to your site's security: add a second level password to the administrator area.

Adding a pop-up password with .htaccess

Think of this as "belts and suspenders." By adding a password requirement at the file system level, no one can even access the administrative back end without knowing this first password. (Note that if they have somehow obtained an admin password they can still do some damage from the front end). Functionally it means your administrators will have to enter one more username and password, but it's worth the extra effort. You should be sure to use a different username and password than you are using for your Joomla! login credentials.

To add the second-level protection, you need to create two new files: an .htaccess file in the administrator directory, and an .htpasswd file in a folder that is not web-accessible.

.htpasswd

If you have access to the command line on your server you can create the password file by using the htpasswd command. If you need a little more guidance, you can use a site such as this .htaccess generator to create the files and provide them to you. The .htpasswd file will contain a username and an encoded password and it should be placed in a directory that is outside the web root if possible. (e.g. if your web root is in /[path-to-home-directory]/public_html you could create another folder in /[path-to-home-directory]/pw to store this file). Here is what a sample .htpasswd file looks like (the username is 'editor' and the password is encoded behind it):

editor:edEbsSZTeFf6M

.htaccess

If you already have a .htaccess file in the administrator directory, make a backup before adding the following code. If you don't have one, create one using the code below.

# Absolute path to the password file kept outside the web root
AuthUserFile /[path-to-home-directory]/pw/.htpasswd
AuthType Basic
AuthName "[Name to show in popup window]"
# Applies to every request method. Wrapping this line in <Limit GET> would
# protect only GET and leave POST (the method the login form uses) unauthenticated.
Require valid-user
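The two steps above (creating the password file outside the web root, then the .htaccess that points at it) carried through as one POSIX shell script. This is an added example written for this page, not code from the original post, from Joomla, or from CEDC. It assumes the directory layout described above, with a temporary directory standing in for /[path-to-home-directory], and it goes a little beyond the post: it prefers the bcrypt hash that htpasswd -B produces over the crypt-style hash shown in the sample (falling back to openssl or perl where htpasswd is missing), sets the password file to owner-only permissions, and includes a verify_auth check that flags a password file placed under the web root or a <Limit GET> block that would leave POST unprotected.

```shell
#!/bin/sh
# Added example, not part of the original post: create the .htpasswd file
# outside the web root and the administrator/.htaccess that references it.
# All paths below are assumptions standing in for /[path-to-home-directory].
set -eu

HOME_DIR="${HOME_DIR:-$(mktemp -d)}"     # stand-in for the account's home directory
WEBROOT="$HOME_DIR/public_html"           # served by Apache
PWDIR="$HOME_DIR/pw"                      # NOT served by Apache
HTPASSWD_FILE="$PWDIR/.htpasswd"
ADMIN_HTACCESS="$WEBROOT/administrator/.htaccess"

# Build one "user:hash" line, preferring the strongest hash the host offers:
# bcrypt from htpasswd (Apache 2.4+), then Apache MD5 from openssl, and only
# as a last resort the old 13-character crypt(3) format shown in the post.
make_entry() {
  user="$1"; pass="$2"; entry=""
  if command -v htpasswd >/dev/null 2>&1; then
    entry=$(htpasswd -nbB "$user" "$pass" 2>/dev/null | head -n 1) || true
  fi
  if [ -z "$entry" ] && command -v openssl >/dev/null 2>&1; then
    entry="$user:$(openssl passwd -apr1 "$pass")"
  fi
  if [ -z "$entry" ]; then
    salt=$(perl -e 'print join "", map { ("a".."z","A".."Z",0..9,".","/")[rand 64] } 1..2')
    entry="$user:$(perl -e 'print crypt($ARGV[0], $ARGV[1])' "$pass" "$salt")"
  fi
  printf '%s\n' "$entry"
}

# Write both files. An existing administrator/.htaccess is backed up first,
# and the password file is made readable by its owner only.
install_auth() {
  mkdir -p "$PWDIR" "$WEBROOT/administrator"
  make_entry "$1" "$2" > "$HTPASSWD_FILE"
  chmod 600 "$HTPASSWD_FILE"
  if [ -f "$ADMIN_HTACCESS" ]; then cp "$ADMIN_HTACCESS" "$ADMIN_HTACCESS.bak"; fi
  cat > "$ADMIN_HTACCESS" <<EOF
AuthUserFile $HTPASSWD_FILE
AuthType Basic
AuthName "Joomla administration"
Require valid-user
EOF
}

# Checks worth running afterwards: the password file must not sit under the
# web root, the .htaccess must apply to every HTTP method (a <Limit GET>
# block would leave POST unprotected), and the entry must carry a hash.
verify_auth() {
  case "$HTPASSWD_FILE" in
    "$WEBROOT"/*) echo "password file is inside the web root" >&2; return 1 ;;
  esac
  grep -q '^AuthUserFile ' "$ADMIN_HTACCESS" || return 1
  grep -q '^Require valid-user' "$ADMIN_HTACCESS" || return 1
  if grep -q '<Limit' "$ADMIN_HTACCESS"; then return 1; fi
  entry=$(head -n 1 "$HTPASSWD_FILE")
  user="${entry%%:*}"; digest="${entry#*:}"
  [ -n "$user" ] && [ -n "$digest" ] && [ "$digest" != "$entry" ]
}

# Usage: sh setup_admin_auth.sh <username> <password>
if [ $# -eq 2 ]; then
  install_auth "$1" "$2"
  verify_auth && echo "protected: $ADMIN_HTACCESS -> $HTPASSWD_FILE"
fi
```

Run it as `sh setup_admin_auth.sh editor 'a long passphrase'` on the server, then reload the administrator URL in a browser: Apache should prompt for the Basic credentials before Joomla's own login form appears. Use a username and password here that differ from the Joomla administrator account, as the post advises.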

Good luck in keeping your site safe! You may also be interested in the official Joomla! security checklist.

Comments

Joomla Login

Sorry if this is off topic, but I am worried about my Joomla site's admin login info when I use free wifi or other public networks. Is there a way in Joomla to not send my username and password in clear text? I do not have SSL. Any help?

Security in joomla

jSecure hides your Joomla administrator URL with a special key so that only you can access it. The problem with Joomla is that anyone can tell if your site is Joomla by simply typing in the default URL to the administration area (i.e. www.yoursite.com/administrator). jSecure helps you hide the fact that your website is built with Joomla from prying eyes. Check out jSecure in action here: http://www.joomlaserviceprovider.com/