
5 years 2 months ago #55 by michael
AdminExile was created by michael
There was once a free Joomla extension called JSecure and...

Your Joomla /administrator area is vulnerable to many forms of attack. Without protection, anyone can begin a brute force attack by simply typing "/administrator" - That's too easy!!

Keep honest people honest, and keep everyone else OUT! Secure your site with AdminExile

Any jackwagon can go to your website and type /administrator - that sucks.

AdminExile puts an end to drive-by (and more serious) attempts to access /administrator. By using URL access keys (query parameters), attempts to access your /administrator login page will be met with either a redirect to your homepage, a 404 error, or a redirect somewhere else (I recommend or redirecting them to a huge file download like a Linux ISO image, that's always fun).

AdminExile Blocked Attempts

High volume attacks (hundreds and even thousands of hits) may drown out the lower volume attempts. There is rarely an hour where there are no attacks.

This image updates automatically every 5 minutes.

As you can see, the attacks come in waves. These numbers are coming from server logs generated by the logging feature of the 3 series. I put my server at risk by not blocking these attempts with the brute force protection feature - partly because I want this graph to reflect actual attack patterns, and partly because my AdminExile access keys are ridiculously long non-words.

Attackers eventually give up, because AdminExile doesn't give them any feedback. They must wonder - is this even a valid URL?

Packed with features (even the free version), AdminExile exists to serve one purpose - to protect your /administrator login page.

AdminExile Features:

Version 3.16.3 Features Free Pro
/administrator key and/or key+value URL Protection
Prevent /administrator session cookie
Block configured users from frontend login*
Lost/Forgotten Link Recovery
Failure Logging
IPv4/6 Whitelist with CIDR capability
IPv4/6 Blacklist with CIDR capability
Bruteforce Detection and Blocking
Bruteforce Notification Email
Live data reporting

*As of Joomla 3.7 - Frontend Restrictions are not operational. I am working on a solution to restore this functionality.

Please Log in or Create an account to join the conversation.
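The access-key, CIDR list and brute-force checks described in the post above, modelled in Python as an added example that is not AdminExile's code. The setting names, the sample key and value, the rule that whitelisted addresses skip the key check, and the block-after-three-failures policy are all assumptions.

```python
import hmac
import ipaddress
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Constructed, hypothetical settings; none of these names come from AdminExile.
CONFIG = {
    "key": "q7Zp2mXw9LrT4vKc",      # query parameter that must be present
    "value": "Hn3sB8yQ1dFu6JeA",    # required value; None means key-only mode
    "allow": ["192.0.2.0/24", "2001:db8:1::/48"],      # CIDR whitelist
    "deny": ["198.51.100.0/24", "2001:db8:bad::/48"],  # CIDR blacklist
    "max_failures": 3,              # failures tolerated per window
    "window": 60,                   # seconds
}

def in_cidrs(ip, cidrs):
    """True if ip (IPv4 or IPv6) falls inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

class AdminGate:
    def __init__(self, cfg):
        self.cfg = cfg
        self.failures = defaultdict(deque)  # ip -> times of recent failures

    def key_ok(self, url):
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        supplied = params.get(self.cfg["key"])
        if supplied is None:
            return False
        if self.cfg["value"] is None:
            return True
        # Constant-time comparison so timing does not leak a partial match.
        return hmac.compare_digest(supplied[0].encode(), self.cfg["value"].encode())

    def check(self, ip, url, now):
        """Return (response, log_reason); every refusal gets the same response."""
        if in_cidrs(ip, self.cfg["deny"]):
            return ("404", "blacklisted")
        if in_cidrs(ip, self.cfg["allow"]):
            return ("login", "whitelisted")
        recent = self.failures[ip]
        while recent and now - recent[0] >= self.cfg["window"]:
            recent.popleft()
        if len(recent) >= self.cfg["max_failures"]:
            return ("404", "bruteforce-block")  # refused even with a valid key
        if self.key_ok(url):
            return ("login", "key-ok")
        recent.append(now)
        return ("404", "bad-key")
```

The reason string is meant for the failure log only; the client sees the same 404 whether the key was wrong, the address was listed, or the source is temporarily blocked.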

4 years 2 months ago #201 by slashdottom
Replied by slashdottom on topic AdminExile
Like others, I too 'upgraded' (read: downgraded) AdminExile from version 2.3.7 to the latest 3.3, only to be very disappointed with the removal of features that have been available to us for a long time in 2.x versions, in particular the Brute Force / notification tab.

Although I very much appreciate Richey's work, moving features to the newly released Pro version that were already available to us and coded in existing versions is quite an annoying move. I can understand if IP6 support is added or other new features added, meaning more coding required, a paid for Pro version makes sense, but not making something available for such a long time and now taking it away.

Yes I understand everyone has to make money, fair enough, but this move just doesn't seem right, as already pointed out above. Perhaps a better approach might have been to create something new and leverage your existing extension's long standing user base to notify of such new products.

I'm left wondering if upgrading from version 3.3 back to 2.3.7 is a viable option, unless some security issue has been discovered. Unfortunate for newer users of Joomla! who will not have the previous version 2.3.7 software, but read the many articles across the interwebs that talk about the included brute force feature and possibly be enticed to seek out the older full featured version instead, likely leading to more sites being hacked and possible ramification of that; moving to another CMS, negative stats in news as a result of infected extensions, etc.

On a side note, similarly annoying is 'actively' typing this message in your forum and being told 'You have been idle for too long, and your session has expired.' I'm typing!... not idle, jeeze. While I'm about it, what a distraction that large animated arrow-up.svg is, just saying.



4 years 2 months ago - 4 years 2 months ago #204 by michael
Replied by michael on topic AdminExile
If you would like to re-write 2.3.7 for J3.x compatibility - go for it. I GPL'd it for a reason....if you can do it better, then by all means.

Several features stopped working after updates in J3.5. IP Security, as well as several of the options in Brute Force stopped working because of Javascript changes in Joomla - Frontend Restrictions stopped working because of authentication system changes. More features would have stopped working in the upcoming J3.7 release.

This is a complete rewrite with better performance and fewer server requirements (GMP is no longer necessary to support IPv6 - more code written to circumvent a missing PHP module that most hosts don't have installed). I completely rewrote the PHP and the admin interface Javascript. These things take up my time and I still released a free version. I spend time answering dozens of support requests for lost keys every week, and I still released a free version. I have to pay for bandwidth for these downloads, and I still released a free version!

I've been providing this software for free for a long time, and I'm still providing it for free. People who know what they're doing can use the free version along with software like Fail2Ban and IPTables to achieve exactly the same thing as the paid version provides. I don't use the pro version on my sites, because I run my own servers and I use other tools to fill those gaps.
Last edit: 4 years 2 months ago by michael. Reason: typo


4 years 2 months ago #205 by michael
Replied by michael on topic AdminExile
By the way, the session timed out message is preceded by a "would you like to renew your session before it times out" message. Cancel one, suffer the other. Is that more annoying than allowing Joomla to operate normally - which would time out your session without warning?

That's another piece of software I released for free.


4 years 2 months ago - 4 years 2 months ago #238 by Nicola
Replied by Nicola on topic AdminExile
Dear Michael,
I have used your AdminExile plugin for some years, and I think it has been great at protecting my websites. And it continues to do so.
I believe that I have to say thank you for your time and for your great plugin that is still free. It's right that whoever wants more features recognizes the small fee you ask.
So, thank you!
Last edit: 4 years 2 months ago by Nicola.


4 years 2 months ago #257 by danjde
Replied by danjde on topic AdminExile
Hi Michael,
I've installed your very, very useful Admin Exile plugin on Joomla 3.6.5, hosted on my Debian Jessie VPS.
Today, after upgrading Admin Exile to version 3.9, I realized that it is not possible to open the plugin options.
In fact, if I try to click on the plugin link (in the backend), I get only a white description page.
If I try the same with other plugins, everything seems to work fine.

I've cleared all kinds of cache with no results.

Could it be a misconfigured PHP server setting?

Many thanks!

