Joomla-cms: [4.0] Admin folder anonymization & hardening

Created on 28 Aug 2019 · 11 Comments · Source: joomla/joomla-cms

Is the Prestashop type approach with a randomly generated and editable administrative directory possible and will it ever be made in Joomla?

10 years since my first look into J!1.5 and ... still nothing. Same with wp-admin...

This is insane guys? Any news about that?

J4 Issue No Code Attached Yet

All 11 comments

Rename administrator directory to xxx


configuration.php

Add:

public $admin_dir = 'xxx';

xxx/includes/defines.php

defined('_JEXEC') or die;

// Global definitions
$parts = explode(DIRECTORY_SEPARATOR, JPATH_BASE);
array_pop($parts);

// Defines
define('JPATH_ROOT',          implode(DIRECTORY_SEPARATOR, $parts));
define('JPATH_CONFIGURATION', JPATH_ROOT);
define('JPATH_SITE',          JPATH_ROOT);

ob_start();
require_once JPATH_CONFIGURATION . '/configuration.php';
ob_end_clean();

$config = new JConfig;

define('JPATH_LIBRARIES',     JPATH_ROOT . DIRECTORY_SEPARATOR . 'libraries');
define('JPATH_PLUGINS',       JPATH_ROOT . DIRECTORY_SEPARATOR . 'plugins');
define('JPATH_INSTALLATION',  JPATH_ROOT . DIRECTORY_SEPARATOR . 'installation');
define('JPATH_THEMES',        JPATH_BASE . DIRECTORY_SEPARATOR . 'templates');
define('JPATH_API',           JPATH_ROOT . DIRECTORY_SEPARATOR . 'api');
define('JPATH_CLI',           JPATH_ROOT . DIRECTORY_SEPARATOR . 'cli');
define('JPATH_ADMINISTRATOR', JPATH_ROOT . DIRECTORY_SEPARATOR . $config->admin_dir);
define('JPATH_CACHE',         JPATH_ADMINISTRATOR . DIRECTORY_SEPARATOR . 'cache');
define('JPATH_MANIFESTS',     JPATH_ADMINISTRATOR . DIRECTORY_SEPARATOR . 'manifests');

Same change needed for the ROOT/includes/defines.php

@mbabker Very basic example which seems to work for me. Would there be more to it than this?

This would not provide any additional security at all.

@brianteeman come on... and how about Brute Force?

@PrestaShark prevented by htaccess or by very many free plugins for joomla

That should be core feature for years ;)

Thanks, team, for considering that Milestone change in the Joomla world!!!

@c-lodder there are also uses in the core where the admin path is explicit for example in the xml
https://github.com/joomla/joomla-cms/blob/16eb98e058dbd8b9e6374a22ad6ace0d8bfc7db0/administrator/components/com_contact/config.xml#L4-L8

and not forgetting all the extensions

@brianteeman ah yes, forgot about the XML files

> That should be core feature for years ;)

It could have been but it is not because it has no benefit

I’ve spelled it out on here a number of times in the past, but it is just
too heavily involved to make it easy to change any part of the core file
structure for the sake of security by obscurity. You’re better off with
web server level directives to restrict access than hoping changing a
folder name keeps you “safe”.

On Wed, Aug 28, 2019 at 6:34 AM Brian Teeman notifications@github.com wrote:

> > That should be core feature for years ;)
>
> It could have been but it is not because it has no benefit

  • Michael Please pardon any errors, this message was sent from my iPhone.
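
The web-server-level restriction recommended in the comment above, as an added example that is not part of the thread or of Joomla's own files: an Apache 2.4 `.htaccess` for the `administrator/` directory. The network range, realm name and password-file path are placeholders, and the directory is assumed to allow `AllowOverride AuthConfig`.

```apache
# Constructed example: place as administrator/.htaccess (Apache 2.4).
# Needs mod_authz_core, mod_authz_host, mod_auth_basic and mod_authn_file,
# plus "AllowOverride AuthConfig" (or All) for this directory.
#
# Renaming the folder adds no access control: whoever learns the path
# still reaches the Joomla login form. The rules below are evaluated by
# the web server before any Joomla PHP runs, so unauthenticated
# requests never reach the login form at all.

AuthType Basic
AuthName "Restricted area"

# Placeholder path. Keep the password file outside the web root.
# Create it with: htpasswd -c /path/outside/webroot/.htpasswd someuser
AuthUserFile /path/outside/webroot/.htpasswd

# Allow a request if it comes from the trusted network OR supplies valid
# Basic credentials. Change RequireAny to RequireAll to demand both.
<RequireAny>
    # Placeholder range (RFC 5737 documentation block); use your own.
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAny>

# Basic credentials are only base64-encoded, so serve this directory
# over HTTPS only.
```

Requests that match neither rule receive a 401 from Apache, which shows up in the access log as a signal separate from Joomla's own failed-login handling.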

@mbabker and that's what I call an answer. Thank you. So it's just a lot of core work to get it done and keep everything working (themes, plugins, components etc.)

Closing for reasons stated.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26055.
