The JoomlaXTC Administrator Lock plugin adds two new security features to the administrator pages of a Joomla website:
URL keyword to Administrator area: Hides the administrator page to unwanted visitors unless they know a private keyword. Authorized visitors must enter the keyword as part of the URL to gain administrator login access, where they can enter their login user and password information, for example: https://yourwebsite.com/administrator?keyword
Strict personalized backend component access per user ID: Sometimes it is desirable to grant backend access to certain people and still being able to restrict their access to critical or information-sensitive administration components. This feature allows to restrict which components are available to each backend user independently of their administrator level or any other security measures in place.
Installation
Install the JoomlaXTC Administrator Lock plugin using the standard extension installer from the administrator page in your Joomla website.
Configuration
Once installed and configured, the plugin needs to be enabled to work. This is a strong security extension so make sure to double-check your settings before enabling or you may get yourself locked out.
To edit the plugin parameters go to the regular Joomla's Plugin manager and click on the plugin to see the following parameters.
Keyword:
Use this parameter to specify the desired keyword. Keep in mind, the value is case-sensitive. The feature will be automatically enable if there is a keyword entered, leave a blank value to disable the feature.
Once enabled, any user wanting to access the administrator area of your site must add the keyword to the URL in their browsers, for example:
URL before:
https://yourwebsite.com/administrator
URL after keyword feature is enabled:
https://yourwebsite.com/administrator?keywordvalue
Users failing to enter the right keyword will be automatically sent to the site home page.
Component Permissions:
Component permissions are granted at userid-component level, this means users can either be allowed or not to use one or more particular components regardless of any other access control offered by those components or even Joomla.
Use this parameter to enter one or more permission groups for any number of administrator userids you need. The syntax for a permission group is as follows:
user#=component,component,..,component;
Where:
user# is the numeric user's ID number (as seen on the user manager page).
component is the component name as seen in its "option" URL variable.
Please notice how each group is formatted, with an equal (=) sign between user# and the components, and ending with a semi-colon character (;). You can specify as many components as needed separating them with a coma. If you want to grant access to all components then use a value of *
The component IDs can be obtained by visiting their administration page and looking at the "option" value in the URL. You may want to get a list of your existing components first before setting this parameter.
The feature will be enabled automatically when at least one permission group is entered. Leave the field empty to disable the feature.
A note of caution: it is advisable to enter at least one administrator ID that has access to all components, this way you can always come back and edit the plugin settings or any other administration parameter. If you enable the feature without doing so, you can effectively be locked out of your own administrator area.