Joomla powers roughly 3% of all websites, and much like WordPress it is a common target for automated attacks.
Because the administrator login page can be reached simply by navigating to /administrator on any Joomla site, brute-force and credential-stuffing attacks against it are routine. Strong, unique credentials make a successful guess unlikely, but they do nothing to stop the constant stream of login attempts, and as time goes on the bots only get better at it.
Admins can use Apache htaccess rules to block access to /administrator from every client except localhost. That shuts the bots out, but it also shuts the admins out: the dashboard becomes hard to reach.
Fortunately, we can use remote.it to reach the Joomla admin dashboard while it stays blocked to the outside world. In this guide we'll deploy a Joomla-configured AWS EC2 instance, lock down /administrator using htaccess rules, and create a proxy connection to the dashboard through remote.it.
A remote.it account (sign up at remote.it if you don't have one).
An AWS account with EC2 privileges.
We'll be using an AWS EC2 instance to deploy our Joomla site. Specifically, we'll use the Bitnami Joomla EC2 AMI, which automates the installation and configuration of Joomla.
If you're new to EC2, follow the AWS guide on how to configure and launch your instance. Make sure to select or generate an SSH key pair; you'll need it to log in.
Enter the public IP address of your instance into your browser's address bar.
The page that appears will look something like this.
Notice that if you append /administrator to the URL you reach the admin login page. This is the security issue we're going to fix: we want to block all public access to this page while still being able to reach it ourselves via remote.it.
We're going to use the key pair associated with your instance to connect via ssh. Run the following commands in your terminal.
chmod 400 PATH_TO_KEY
ssh -i PATH_TO_KEY bitnami@INSTANCE_ADDRESS
(Bitnami AMIs log in as the bitnami user; ubuntu is the login for a stock Ubuntu AMI, not for this image.)
You've now SSHed into the EC2 instance! Now we can start securing the Joomla site.
.htaccess is a per-directory Apache configuration file that, among other uses, can block access to particular resources. Bitnami does not leave .htaccess files scattered through the document root; it consolidates the application's rules into a single htaccess.conf that is included from the main Apache configuration. That is the file we'll be working with, and it is why `<Directory>` blocks, which Apache does not permit inside a real per-directory .htaccess file, work here. To learn more about the Bitnami Joomla AMI project structure, check out the documentation.
Inside the EC2 instance, run the following command to begin editing the website Htaccess configuration.
Add the following block to the bottom of the file. (Order/Deny/Allow is the Apache 2.2 access-control syntax; Apache 2.4, which Bitnami ships, accepts it only through the mod_access_compat module, so don't mix it with the newer Require directives in the same block.)
<Directory "/opt/bitnami/apps/joomla/htdocs/administrator">
    # Block access to the administrator login from all IPs excluding localhost.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
Save and exit Vim and run the following command to restart the web server.
sudo /opt/bitnami/ctlscript.sh restart
Once the server has restarted, requesting Site_IP/administrator from outside the instance no longer shows the login form; Apache answers with a 403 Forbidden page instead.
Congratulations: you've now blocked all incoming public access to your website's admin portal, taking the login form off the attack surface that brute-force bots hammer. However, we currently have no way to reach the admin dashboard ourselves. This is where remote.it comes in.
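The Apache 2.4 equivalent of the block above, plus a check that the lockdown actually took effect, as an added example that is not part of the original guide or of Bitnami's own configuration. It assumes the Bitnami Joomla document root used above, Apache 2.4 on the instance, curl on the machine running the check, and an apachectl binary on the PATH (the Bitnami build keeps its own copy under its install directory, so that last point is an assumption). The `Require local` directive admits 127.0.0.0/8, ::1 and the host's own addresses, which is exactly what a proxy that terminates on the instance needs:

```shell
#!/usr/bin/env sh
# Added example (not from the original guide or Bitnami): Apache 2.4 form of the
# /administrator lockdown, a helper to install it, and a curl-based check that
# the public path is forbidden while loopback still reaches Joomla.

ADMIN_DIR="/opt/bitnami/apps/joomla/htdocs/administrator"

# Print the Apache 2.4 replacement for the Order/Deny/Allow block. Requests that
# arrive from the instance itself (loopback) pass; everything else gets a 403.
admin_lockdown_conf() {
  cat <<EOF
<Directory "$ADMIN_DIR">
    # Block the admin login from every client except the instance itself.
    Require local
</Directory>
EOF
}

# Append the block to the Apache include the guide edits (path passed as $1),
# skipping it if a block for ADMIN_DIR is already there. If the guide's
# Order/Deny/Allow block is present, replace it by hand rather than stacking
# both syntaxes, which produces confusing results. Syntax-checks the server
# config afterwards when apachectl is available (assumed to be on the PATH).
install_admin_lockdown() {
  conf_file="$1"
  if grep -q "Directory \"$ADMIN_DIR\"" "$conf_file" 2>/dev/null; then
    echo "lockdown already present in $conf_file" >&2
    return 0
  fi
  admin_lockdown_conf >> "$conf_file"
  if command -v apachectl >/dev/null 2>&1; then
    apachectl -t || return 1
  fi
  return 0
}

# HTTP status code of a URL without following redirects; 000 means no connection.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Decision logic: the lockdown is correct only when the public path is
# forbidden (403) and the loopback path still reaches Joomla (200, or a 3xx
# redirect to the login form). A 403 on loopback means the proxy would be
# locked out too; anything but 403 publicly means the rule is not in effect.
lockdown_ok() {
  public_code="$1"
  local_code="$2"
  [ "$public_code" = "403" ] || return 1
  case "$local_code" in
    200|301|302|303) return 0 ;;
    *) return 1 ;;
  esac
}

# Run this on the instance after the restart, with its public IP or hostname
# as $1. Exits non-zero when the lockdown is incomplete, for example when the
# config was edited but Apache was never restarted.
verify_lockdown() {
  public_host="$1"
  pub=$(http_status "http://$public_host/administrator/")
  loc=$(http_status "http://127.0.0.1/administrator/")
  echo "public: $pub  loopback: $loc"
  lockdown_ok "$pub" "$loc"
}
```

Source the script on the instance and run `verify_lockdown YOUR_PUBLIC_IP`; it should print a 403 for the public URL and a 200 or 3xx for loopback. Run it again after the remote.it service is attached: the proxy traffic enters Apache from 127.0.0.1, so the loopback result is the one that tells you the dashboard will still be reachable.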
Inside the EC2 instance, run the following commands to install connectd:
sudo apt-get update
sudo apt-get install connectd
Then start the installer with
sudo connectd_installer
and sign in with your remote.it account.
Enter 1 for "Attach/reinstall a remote.it Service to an application".
Choose the default port assignment (80, the port Apache serves the site on).
Name the service; this guide uses joomla-admin.
You've now configured a remote.it service on the host machine. We can now make an HTTP proxy connection to it through remote.it. The connection terminates on the instance itself, so the request reaches Apache from 127.0.0.1, which is exactly the client our Allow from 127.0.0.1 rule admits.
Navigate to app.remote.it, select the device with the name you entered, and open the joomla-admin HTTP service. You will be presented with a proxy URL; append /administrator to that URL and it takes you to the admin dashboard.
We've now demonstrated how remote.it can help secure your Joomla website. Using htaccess rules, we've blocked all public access to the admin dashboard, making it unreachable except via remote.it. You can share the device with other trusted admins so your whole team can maintain the site quickly and securely. Note that this moves the gate to your remote.it account and the proxy session rather than removing the need for strong admin credentials: anyone who can reach the dashboard through the proxy still faces, and should still face, the Joomla login.