avatar bettinz
bettinz
12 Sep 2016

Steps to reproduce the issue

Expected result

Add the ability to change the administrator folder name. Obscurity is not security, but a lot of server resources are used every day for fake admin logins. And I think a lot of Joomla websites will be more secure with that.
A user can add .htaccess to password-protect the folder, and there are extensions for that. But this function in the core of J! would be a killer feature.
What I'm asking for is the ability to rename /administrator to a generated hash like /admin9i2ilxj2jsjs2c.
For the first time it can be:

  • Virtual: on already existing installations. It'll be a redirect from /hash to /administrator (the URL is the same, but with .htaccess it shows the content of /administrator, and /administrator returns 403)
  • Real on new installations: so the /administrator folder will be called /hash.

The information is saved inside configuration.php

In the future the virtual solution can become the real solution.

In order not to break compatibility with old extensions, this could be optional rather than required.

Actual result

This is not possible, and usually users keep /administrator open to the world. This is not a security breach (usually), but it's a waste of resources because a lot of bots try to access /administrator.

Additional comments

It's not a bug, it's a feature request.

avatar bettinz bettinz - open - 12 Sep 2016
avatar zero-24 zero-24 - change - 12 Sep 2016
Labels Added: ?
avatar C-Lodder
C-Lodder - comment - 12 Sep 2016

I'm not sure if this is even possible.

Let's say the name of the administrator directory was an option in the Global Configuration, how would you reference this in an XML file? For example

<fieldset addfieldpath="/administrator/components/com_plugins/models/fields">
avatar Bakual
Bakual - comment - 12 Sep 2016

Today within J3 it's not possible.
In future (J4 or J5) it may become an option to implement. However, it could also become useless if the two applications (site and admin) are no longer separated.
It depends a lot on future development.

Personally, I think it is not worth the effort anyway. The resources you save are negligible. Keep in mind that a request to a non-existent administrator folder still uses some resources, likely about the same as to a protected one.

avatar brianteeman
brianteeman - comment - 12 Sep 2016

It's not possible at all with the current architecture. The limited benefits of hiding the path are outweighed by the whole heap of issues.

On 12 September 2016 at 10:12, Lodder notifications@github.com wrote:

I'm not sure if this is even possible.

Let's say the name of the administrator directory was an option in the
Global Configuration, how would you reference this in an XML file, for
example:

?


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#12015 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABPH8fo8bk8i336i6QZIQku3tsRfVCW1ks5qpReKgaJpZM4J6VeL
.

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

avatar bettinz
bettinz - comment - 12 Sep 2016

Thank you all for the reply. About the XML, I'm not sure how to do that, but when you parse the XML, if you find {administrator} it will be changed to the hash.
It's just an idea and I know it's not the solution, but maybe it can help by limiting entry points.
As I said, just an idea.

avatar hacki65
hacki65 - comment - 12 Sep 2016

There is an extension named "AdminExile" that I know of (but have not tested) that uses an access key appended to the URL to restrict login via the path /administrator:

http://extensions.joomla.org/extensions/extension/access-a-security/site-security/adminexile

The login is then only available via e.g. /administrator?key=keyvalue.
It could be helpful to check the functions this plugin uses.

avatar brianteeman
brianteeman - comment - 12 Sep 2016

There are LOTS of extensions that do that.


avatar bettinz
bettinz - comment - 12 Sep 2016

Yes, there are lots of extensions for that. In my experience that doesn't solve the problem because bots still try to open /administrator (and J! queries the DB for the correct combination of key=value). An HTTP error like 404 or 403 doesn't involve the database or the PHP interpreter, so I think it's better than any extension (the only other option is to password-protect the administrator folder via .htpasswd).

avatar brianteeman
brianteeman - comment - 12 Sep 2016

htaccess will work. Moving the admin to a different folder will have the same effect on the server as htaccess, so you don't gain anything.

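For readers who want to see what the .htpasswd protection discussed in the two comments above looks like in practice, here is an added example written for this thread; it is not code from the Joomla project or from any participant. It is an Apache 2.4 .htaccess file meant to sit in the Joomla administrator directory. The credential file path, the user name and the allow-listed network are placeholders, and it assumes mod_authn_file and mod_authz_core are loaded and the site's <Directory> block grants AllowOverride AuthConfig.

```apache
# Added example, not part of the Joomla project: .htaccess for the Joomla
# "administrator" directory on Apache 2.4.
#
# Assumptions (placeholders, adjust for your host):
#   - mod_authn_file and mod_authz_core are loaded
#   - the site's <Directory> block allows "AllowOverride AuthConfig"
#   - /srv/secrets/joomla-admin.htpasswd is a placeholder path OUTSIDE the web root
#   - 203.0.113.0/24 is a documentation (TEST-NET-3) range standing in for
#     the office/VPN network that should reach the backend without a prompt

AuthType Basic
AuthName "Joomla administration"
AuthUserFile /srv/secrets/joomla-admin.htpasswd
# Create the credential file once, with bcrypt hashes (htpasswd ships with
# Apache 2.4; "opsuser" is a placeholder account name):
#   htpasswd -c -B /srv/secrets/joomla-admin.htpasswd opsuser

# A request gets through if EITHER it carries a valid HTTP Basic login OR it
# comes from the allow-listed network. Anything else is answered by the web
# server (401 challenge, or 403 after a failed login) before index.php runs,
# which is the resource-saving effect the comments above attribute to
# .htpasswd protection.
<RequireAny>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAny>
```

Because the check happens in Apache's authorization phase, a rejected request never reaches PHP or the database, unlike a key-in-the-URL extension that Joomla itself has to evaluate. Keep the hash file outside the document root so it can never be served, and note that the second Basic-auth layer is independent of Joomla's own login, which stays in place behind it.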

avatar bettinz
bettinz - comment - 12 Sep 2016

Exactly, I'm thinking about something on the server side (like htaccess). A different folder or a password-protected folder is the same thing in terms of performance and resources.
The different folder doesn't require managing a user and password for htpasswd and Joomla.

I know it may be impossible with the current architecture, but I hope a function like that helps users protect their websites and save some resources (/administrator, when attacked, is visited about 4 times per second, and on shared hosting that's a problem).

avatar brianteeman
brianteeman - comment - 12 Sep 2016

Moving the folder does NOT save server resources.


avatar mbabker
mbabker - comment - 12 Sep 2016

As pointed out here, making this a possibility introduces more issues than benefits. And simply "if you find {administrator} it will be changed to hash" is not enough to deal with that from a path processing perspective (i.e. if I'm running on my local Mac system and my CMS install is at /Users/administrator/Sites/joomla-cms it'd be impossible for the app to ever work). You have to fix every possible filesystem operation, the extensions installer, the core update system, AND this has to work without being dependent on your system's configuration.php file to know what the filesystem name is.

You're only obscuring one directory name. The one that has an executable index.php file in it. You're not closing any other path that could be pinged to cause your site's resource use to escalate quickly. One could very easily target any of the files in libraries/phputf8 or libraries/vendor as an example to accomplish the same (at least causing the server to trigger PHP and run the files even if they don't do anything but load a class or two into memory). So there's still a major logical fallacy in obscuring the administrator path only.

avatar csthomas
csthomas - comment - 12 Sep 2016

You can use the apache2 mod_security module to block bots which send too many POST requests.

avatar Bakual
Bakual - comment - 12 Sep 2016

Going to close this as it will certainly not be done in J3.

avatar Bakual Bakual - change - 12 Sep 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-09-12 19:34:48
Closed_By: Bakual
avatar Bakual Bakual - close - 12 Sep 2016
avatar dgt41
dgt41 - comment - 12 Sep 2016

<fieldset addfieldpath="/administrator/components/com_plugins/models/fields">

@C-Lodder for most cases you don't need this, given that you follow the appropriate scaffolding.

avatar bettinz
bettinz - comment - 12 Sep 2016

Thank you all for the inputs.
