System - AdminExile

Your Joomla /administrator area is vulnerable to many forms of attack. Without protection, anyone can begin a brute force attack by simply typing "/administrator" - That's too easy!!

AdminExile v5.0.6 (Joomla! 3/4/5)

Any jackwagon can go to your website and type /administrator - that sucks. Keep honest people honest, and keep everyone else OUT! Secure your site with AdminExile.

AdminExile puts an end to drive-by (and more serious) attempts to access /administrator. By using URL access keys (query parameters), attempts to access your /administrator login page will be met with either a redirect to your homepage, a 404 error, or a redirect somewhere else (I recommend https://www.nsa.gov or redirecting them to a huge file download like a Linux ISO image, that's always fun).

High volume attacks (hundreds and even thousands of hits) may drown out the lower volume attempts. There is rarely an hour where there are no attacks.

As you can see, the attacks come in waves. These numbers are coming from server logs generated by the logging feature of the 3 series. I put my server at risk by not blocking these attempts with the brute force protection feature - partly because I want this graph to reflect actual attack patterns, and partly because my AdminExile access keys are ridiculously long non-words.

Attackers eventually give up, because AdminExile doesn't give them any feedback. They must wonder - is this even a valid URL?

Packed with features (even the free version), AdminExile exists to serve one purpose - to protect your /administrator login page.

Joomla! 5 Native!

Version 5 is a complete rewrite using modern Joomla internals. It's faster and more reliable, and I even found and fixed a bug nobody had ever reported. Don't worry, it wasn't a bad bug - just unexpected behavior in the key checking code. If you did NOT have a key value set, it allowed you to authenticate using the key and a value (any value). Now, if you don't have a value set, attempting to authenticate with a key and value will fail.
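The key check described above, including the version 5 behaviour for a key with no configured value, could look like this in PHP. This is an added example, not AdminExile's own code; the function name accessKeyMatches, the key Zq7xExampleKey and the value Vb3ExampleValue are made up for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not AdminExile's code: decides whether the query
// parameters unlock the /administrator login page. $configuredValue is ''
// when the site uses key-only mode.
function accessKeyMatches(array $query, string $configuredKey, string $configuredValue): bool
{
    // An unconfigured or absent key must never unlock anything.
    if ($configuredKey === '' || !array_key_exists($configuredKey, $query)) {
        return false;
    }

    $supplied = $query[$configuredKey];

    // "?key[]=x" arrives as an array; reject anything that is not a string.
    if (!is_string($supplied)) {
        return false;
    }

    if ($configuredValue === '') {
        // Key-only mode: "?key" parses to an empty string. A request that
        // also sends a value ("?key=anything") is rejected, which is the
        // version 5 behaviour described above.
        return $supplied === '';
    }

    // Key+value mode: compare the secret value in constant time.
    return hash_equals($configuredValue, $supplied);
}

// Constructed sample requests: [query string, configured value].
$samples = [
    ['Zq7xExampleKey', ''],
    ['Zq7xExampleKey=anything', ''],
    ['Zq7xExampleKey=Vb3ExampleValue', 'Vb3ExampleValue'],
    ['Zq7xExampleKey=wrong', 'Vb3ExampleValue'],
    ['Zq7xExampleKey[]=Vb3ExampleValue', 'Vb3ExampleValue'],
    ['', 'Vb3ExampleValue'],
];

foreach ($samples as [$qs, $value]) {
    parse_str($qs, $query);
    $ok = accessKeyMatches($query, 'Zq7xExampleKey', $value);
    printf("%-36s configured value %-18s => %s\n", '?' . $qs, var_export($value, true), $ok ? 'allow' : 'deny');
}
```

Whatever the outcome, a denied request should get the same response (homepage redirect, 404 or other redirect) so the reply reveals nothing about whether the key name was right.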

I have removed features that I never really liked, and that can be accomplished in better ways.  The bruteforce detection and blocking can be better accomplished with something like fail2ban.  Frontend block seems silly, as does link recovery.  It's easy enough to get back in with filesystem access.

As promised, the new version is free, with no pro versions offered. You get IPv4 & IPv6 CIDR white and blacklists out of the deal.

Features

  • /administrator key and/or key+value URL Protection
  • Prevent /administrator session cookie
  • Re-entry period after logout
  • Block configured users from frontend login* (This should be another plugin)
  • Lost/Forgotten Link Recovery (This was always a can of worms that almost nobody used)
  • Failure Logging
  • IPv4/6 Whitelist with CIDR capability
  • IPv4/6 Blacklist with CIDR capability
  • Bruteforce Detection and Blocking (The next 3 are what tools like Fail2Ban are for)
  • Bruteforce Notification Email
  • Live data reporting
