Perhaps the biggest advantage and disadvantage of every OpenSource CMS is that anyone can download full source code, from any corner of the earth, at any time, without any restrictions. That’s why, it’s easy for an attacker to determine if your site is running Joomla! All he has to do is to add “/administrator” to the URL and look for the login panel. He knows weak points, sometimes better than you.
Some elements in the Joomla! since Mambo remained unchanged, as this address to access the administration panel. Yes, I know that a good password protection and user name wise, the risk of a successful attack decreases, it is difficult to estimate by what percentage.
Fortunately, there are extensions that make it difficult for young and angry hackers access to the panel, by changing the name of address of the login screen. So it could like this: http://www.yoursite.com/administrator?secretkey. Some of them are already working with the new Joomla! 1.6, for which he certainly deserves thanks to the creators that have done updates so quickly.
- jSecure (joomlaserviceprovider.com) – was probably the first extension of the functionality prevents access to administration (back end) login page without appropriate access key. For some time, this plugin is commercial. jSecure Authentication 2.X has a range of improvements including option to be emailed each time someone tries to access your admin page, block IP’s from accessing your administration area and use a second login form to further protect you admin page. Produces added log feature (the System will log who access jSecure). Support for Joomla! 1.5 and 1.6.
- kareebu Secure (kareebu.com) – this plugin is a fork of jSecure. What’s different ? It is true that it has less extra features, but it has two ways in which it can operate: HTTP Authentication and (old) Compatibility mode. kareebu Secure is free script released under GNU/GPL.
- AdminExile (richeyweb.com) – works only with Joomla! 1.6. This plugin also adds a layer of security to your administrator backend by requiring a URL variable as an initial access key. Like author said, it was released to fill the gap left by JSecure when it went commercial. It is not as feature-filled as JSecure but it’s work.