Protect Joomla /administrator/ Url With A .htaccess Password

Phil Taylor's recommendation & Why this is important in 2016

The /administrator/ folder of Joomla is well known to hackers. They will try their luck, and if you are not taking security seriously and use weak usernames/passwords they will be able to log in - so keep it secure :-)

  1. The reason we highly recommend that you protect your /administrator/ folder with a .htaccess/.htpasswd login prompt is to put another layer in front of the login page. It is very easy for a hacker to create a Joomla super admin on a compromised site; adding a user to the .htaccess popup is harder. They could do it, but they have not been known to.
  2. Secondly, the Joomla login page is susceptible to repeated brute force attacks, where hackers use automated scripts to try to guess your username/password many hundreds of times a second/hour/day - the extra layer prevents this.
  3. We have also seen that if you DON'T have .htaccess protection on the /administrator/ login page, then when a hacker attempts a brute force attack the server load increases dramatically as PHP and MySQL struggle to service the hacker's requests. If you place .htaccess protection on the folder, the request is stopped by Apache well before PHP/MySQL are invoked, and the increased server load is largely avoided.
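The setup the three points above argue for, as an added example that is not code from the myjoomla.com article: a shell script that writes the .htaccess directives for /administrator/, appends a hashed user to the .htpasswd file, and checks that no entry is stored in the clear. The file paths, the user name and the password below are assumptions made for the example; the hashing falls back from Apache's own htpasswd (bcrypt) to openssl's Apache-compatible -apr1 variant when htpasswd is not installed.

```shell
#!/bin/sh
# Added example, not from the original article. Puts HTTP Basic auth in
# front of Joomla's /administrator/ folder. Paths are assumptions.

# Write the Apache directives for /administrator/.htaccess.
# $1 = absolute path of the .htpasswd file (keep it OUTSIDE the web root)
# $2 = destination .htaccess path
make_admin_htaccess() {
  passwd_file="$1"
  out="$2"
  cat > "$out" <<EOF
# Second login layer in front of the Joomla backend.
# Apache answers 401 here before PHP or MySQL are ever invoked.
AuthType Basic
AuthName "Restricted area"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Append "user:hash" to the .htpasswd file. Prefers htpasswd with bcrypt
# (-B); falls back to openssl's -apr1 hash, which mod_authn_file accepts.
# $1 = .htpasswd path, $2 = user name, $3 = password
add_htpasswd_user() {
  passwd_file="$1"; user="$2"; pass="$3"
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$user" "$pass" >> "$passwd_file"
  elif command -v openssl >/dev/null 2>&1; then
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" >> "$passwd_file"
  else
    echo "need htpasswd or openssl to hash the password" >&2
    return 1
  fi
}

# Sanity check: the three directives are present, the password file is not
# empty, and every entry carries a bcrypt, apr1 or {SHA} hash prefix
# (legacy crypt() and cleartext entries are rejected). Returns 0 on success.
# $1 = .htaccess path, $2 = .htpasswd path
check_protection() {
  htaccess="$1"; passwd_file="$2"
  grep -q '^AuthType Basic$' "$htaccess" || return 1
  grep -q "^AuthUserFile $passwd_file\$" "$htaccess" || return 1
  grep -q '^Require valid-user$' "$htaccess" || return 1
  [ -s "$passwd_file" ] || return 1
  # any line that does NOT look like user:$hash fails the check
  grep -vqE '^[^:]+:(\$apr1\$|\$2[aby]\$|\{SHA\})' "$passwd_file" && return 1
  return 0
}

# Stand-alone usage (paths are placeholders for the example):
#   make_admin_htaccess /home/site/.htpasswd /var/www/joomla/administrator/.htaccess
#   add_htpasswd_user   /home/site/.htpasswd siteadmin 'a-long-random-passphrase'
#   check_protection    /var/www/joomla/administrator/.htaccess /home/site/.htpasswd
```

Apache only honours these directives when the directory allows it (AllowOverride AuthConfig in the vhost, or put the same block in the vhost itself), and AuthUserFile must be an absolute path readable by the web server user but outside the document root. Basic auth sends the credentials base64-encoded on every request, so serve /administrator/ over HTTPS only. Once in place, a brute force run against the backend shows up in the Apache access log as a stream of 401 responses that never reach PHP, which is the load reduction point 3 describes.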

As a server administrator, Phil Taylor has seen servers crippled when several Joomla sites on the same host were targeted at the same time.

In 2013 there were many reported attacks that having a .htaccess protection would help mitigate, see this article: Brute force attacks against WordPress and Joomla sites have tripled

Please note: .htaccess is an Apache-specific file and will not work on IIS, Nginx or Litespeed servers. Each server has its own equivalent, but as Apache is the number one web server used worldwide, we use Apache-specific directives in this article.


Source: https://myjoomla.com/