SSL Labs ScoreSecurityHeaders.io ScoreHSTS Preloaded

AdminExile

Any jackwagon can go to your website and type /administrator - that sucks.

AdminExile puts an end to drive-by (and more serious) attempts to access /administrator. By using URL access keys (query parameters), attempts to access your /administrator login page will be met with either a redirect to your homepage, a 404 error, or a redirect somewhere else (I recommend https://www.nsa.gov or redirecting them to a huge file download like a Linux ISO image, that's always fun).

AdminExile Blocked Attempts

High volume attacks (hundreds and even thousands of hits) may drown out the lower volume attempts. There is rarely an hour where there are no attacks.

This image updates automatically every 5 minutes.

As you can see, the attacks come in waves. These numbers are coming from server logs generated by the logging feature of the 3 series. I put my server at risk by not blocking these attempts with the brute force protection feature - partly because I want this graph to reflect actual attack patterns, and partly because my AdminExile access keys are ridiculously long non-words.

Attackers eventually give up, because AdminExile doesn't give them any feedback. They must wonder - is this even a valid URL?

Packed with features (even the free version), AdminExile exists to serve one purpose - to protect your /administrator login page.

AdminExile Features:

Version 3.16.3 Features Free Pro
/administrator key and/or key+value URL Protection
Prevent /administrator session cookie
Block configured users from frontend login*
Lost/Forgotten Link Recovery
Failure Logging
IPv4/6 Whitelist with CIDR capability
IPv4/6 Blacklist with CIDR capability
Bruteforce Detection and Blocking
Bruteforce Notification Email
Live data reporting
Download 36

Bug Reports

Documentation: Online

Live Demo: https://www.richeyweb.com/administrator

Total reviews: 146
Overall
Functionality
Ease of Use
Support
Documentation
Value for Money

*As of Joomla 3.7 - Frontend Restrictions are not operational. I am working on a solution to restore this functionality.