| Joomla

ow to Password Protect Joomla’s Administrator Directory

Every Joomla website has the same URL to get to the backend Control Panel. This means bots can attempt to login to your website easily unless you take precautions to block it.

By adding password protection to the /administrator directory, you can help ward off attacks and hack attempts to your website.

It’s easy to set up. I’ll show you how.

Password protecting the /administrator directory is simple to do. What it does is creates a second login box before allowing you, a visitor, or a bot to access the main login page.

Here’s what it looks like.

password protected administrator directory

To set up a password protected directory, you’ll need access to your site’s hosting control panel. We’re using cPanel but other hosting dashboards will have a similar option. You may need to contact your host or look at their documentation to learn how.

  • Login to cPanel or your hosting account dashboard
  • Click on the Directory Privacy button (It may also say Password Protect Directory)

directory privacy

You will then get a list of directories available on the server.

list of directories

  • Click on the name of whatever directory your site is in. (Often this is public_html. For me it’s staging.domain.com.)

This will bring you to the Joomla file structure of your site. We want to password protect /administrator.

  • Click the Edit button to protect /administrator

select administrator directory

  • Tick the box to Password protect this directory.
  • Enter a name for the protected directory (I entered Admin)
  • Click Save
  • Click Back

name protected directory


Create User

This next screen will already have the top part filled in. The bottom portion of the screen under Create User you’ll need to fill in.

  • Enter the Username. I used Jenn.
  • Enter a Password. I used a system generated one.
  • Click Save.
  • Click Go Back.

username password

  • Test your password protection by going to [replacewithyourdomain]/administrator.

The box shown at the beginning of this article should appear, and you should be able to login with your newly created Username and password for the directory protection.


What to do if you get a 404 when Password Protecting /administrator

If you get a 404 when you go to /administrator, we have some other steps to follow.

  • Copy this line: ErrorDocument 401 "Authorisation Required"
  • Go to the home page of cPanel or your hosting control panel
  • Click on File Manager

file manager

  • Double click on public_html (or whatever subdomain you are trying to password protect)
  • Double click on administrator
  • Click once on the file .htaccess 
  • Click the Edit button at the top

administrator dot htaccess file

  • Click the Edit button to edit the file
  • Paste the line ErrorDocument 401 "Authorisation Required" at the top of the .htaccess file

add line to htaccess

  • Click the Save Changes button at the top
  • Go to [yourdomain]/administrator and see that the box now comes up

 

Great job! This is a good deterrent for bots that want to break into your site. Instead of just two things to get through, they now have to get through four.

For more about Joomla Security, do check out OSTraining’s course How to Keep Joomla! 3 Sites Safe .


About the author

Jenn has worked with Joomla since 2006 and for clients since 2010. She co-organised the JUG Bay Area for many years and volunteers for the Joomla! Project regularly. Originally from Santa Cruz, CA, she now lives near Austin, TX.