Securing your Joomla admin login from brute force attacks.
I noticed that several of our Joomla sites would slow down significantly. Looking at the access log showed one IP address with numerous GETs and POSTs such as:
178.137.93.### - - [11/Dec/2012:07:40:15 -0700] "POST /administrator/index.php HTTP/1.1" 303 - "http://www.XXXX.com/administrator/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
178.137.93.### - - [11/Dec/2012:07:40:16 -0700] "GET /administrator/index.php HTTP/1.1" 200 1736 "http://www.XXXX.com/administrator/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
The IP addresses usually resolved to a Pacific Rim or European location.
We had installed the Securitycheck extension. However, the offending IPs had to be added manually. That was not a workable solution.
There are a number of commercial and non-commercial Joomla extensions that can help. We tried Adminexile. The extension works by having you set a key, or a key/value pair. The end result is that going to www.yoursite.com/administrator no longer takes you to your admin control panel. Rather, it redirects to whatever page you specify. The default is the home page.
Your new login URL will look like www.yoursite.com/administrator/index.php?key, where key (or key=value) is what you set in the plugin.
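To make the mechanism concrete, here is an added PHP sketch of the key-gating idea the paragraph describes. It is not Adminexile's code and is not taken from the plugin; the constants ADMIN_KEY, ADMIN_VALUE and FALLBACK_URL and the function adminKeyPresent() are assumptions for illustration only. It handles both forms mentioned above: a bare "?key" (presence is enough) and "?key=value" (the value must match).

```php
<?php
// Added illustration of query-string key gating for the admin login.
// Not Adminexile's code; names and values below are assumed placeholders.
const ADMIN_KEY    = 'CHANGE-ME-key';  // assumed: the key you configure
const ADMIN_VALUE  = '';               // assumed: empty means bare "?key" form
const FALLBACK_URL = '/';              // default behaviour: send to the home page

/**
 * Return true only when the request carries the configured key
 * (and, if a value is configured, the matching value).
 */
function adminKeyPresent(array $query): bool
{
    if (!array_key_exists(ADMIN_KEY, $query)) {
        return false;
    }
    if (ADMIN_VALUE === '') {
        return true;   // "?key" form: the key's presence is sufficient
    }
    // "?key=value" form: constant-time comparison avoids timing leaks
    return hash_equals(ADMIN_VALUE, (string) $query[ADMIN_KEY]);
}

// Gate the page: anyone without the key is redirected and never sees the login form.
if (!adminKeyPresent($_GET)) {
    header('Location: ' . FALLBACK_URL, true, 302);
    exit;
}
// ...normal /administrator/index.php processing would continue here
```

One caveat worth knowing when you pick a key: a query-string value is not a password. It appears in your own access logs, in browser history and potentially in Referer headers, so it hides the login page from scanners rather than replacing a strong admin password.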
NOTE: It would be a very good idea to back up your site with Akeeba Backup or another backup tool in case something goes wrong. We have tried it on a number of sites with no problem.
So, in summary, you should be:
- Checking your access log periodically for evidence of someone making repeated GETs and POSTs to your /administrator/index.php
- Running a security app such as Securitycheck
- Running an extension to protect your administrative login page
- Using a strong password that is resistant to dictionary attacks and commonly used password lists.
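The log check in the first bullet, and the kind of entries shown at the top of this post, can be automated. The following Python script is an added example (not part of the original post or of any Joomla extension): it parses Apache combined-format access log lines, counts POSTs per client IP to /administrator/index.php, and lists IPs over a threshold. The sample log lines, the IP addresses, the example.com host and the threshold of 10 are all constructed for the demonstration.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

ADMIN_PATH = "/administrator/index.php"   # the Joomla admin login endpoint


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def admin_post_counts(lines):
    """Count POST requests to the admin login per client IP (GETs are ignored)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == ADMIN_PATH:
            counts[rec["ip"]] += 1
    return counts


def suspicious_ips(lines, threshold=10):
    """IPs whose admin POST count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, n in admin_post_counts(lines).items() if n >= threshold)


# --- constructed sample log (not real traffic) -------------------------------
def _line(ip, method, status, sec):
    return (f'{ip} - - [11/Dec/2012:07:40:{sec:02d} -0700] "{method} {ADMIN_PATH} HTTP/1.1" '
            f'{status} - "http://www.example.com{ADMIN_PATH}" '
            f'"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"')


# One client hammering the login (12 POSTs, each followed by a GET of the form),
# one client with a single POST, and one junk line to exercise the parser.
SAMPLE_LOG = [_line("203.0.113.45", "POST", 303, s) for s in range(12)]
SAMPLE_LOG += [_line("203.0.113.45", "GET", 200, s) for s in range(12)]
SAMPLE_LOG += [_line("198.51.100.7", "POST", 303, 30), "this is not a log line"]

if __name__ == "__main__":
    for ip, n in admin_post_counts(SAMPLE_LOG).most_common():
        print(f"{ip:>16}  {n:4d} POSTs to {ADMIN_PATH}")
    print("over threshold:", suspicious_ips(SAMPLE_LOG))
```

To run it against a real log, replace SAMPLE_LOG with `open("/var/log/apache2/access.log")` and adjust the threshold to what is normal for your admin users; the status 303 on a POST is what Joomla returns when it redirects back to the login form, so a long run of 303s from one address is the pattern to look for.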