Change Joomla Administrator URL

3

11

Update:

Since this question was asked, Joomla StackExchange has been set up and the same question exists there; please add any answers or comments to that question.

Original:

I am using Joomla 3.0.3 for a fairly big new client; security is a must. I therefore decided to try to change the Administrator URL, normally

  example.com/administrator

changed to

  example.com/newadminurl

The reason being that if the folders aren't where potential hackers expect, that is the first hurdle before they can even try anything else.

However, that has now meant that whenever I go to the new URL it brings up a 403 error. I have tried searching for a global config setting I need to change but can't find anything on the web or the Joomla site. Does anyone know how to change this deep down in the source code?

Acrodont answered 22/2, 2013 at 23:30 Comment(0)
8

While there are hacks around that do this, they introduce new security issues as the Joomla! core isn't built to work this way.

In fact it is common practice, both in the core and in 3rd-party extensions and templates, to load models, controllers and other assets from /administrator.

The best practice to secure your site is:

  1. Keep your Joomla! installation up-to-date (the most common cause is outdated installs)
  2. Don't hack core files; if you need extra functionality, duplicate the core component and extend that, not the core.
  3. Add a realm password to /administrator
  4. A secret word on the /administrator URL, e.g. /administrator/?s3cr3tpa55w0rd
  5. An IP whitelist that only allows select IP addresses to access /administrator
  6. Use unique and strong passwords
  7. Don't share passwords, even with your significant other...
  8. Enact a password policy on your site.
  9. Keep a tested and regular site backup in an off-server storage location.
  10. Run a file scanner to help you detect a hack so that you're aware of where your last good backup was taken.

You can find extensions that do one or several of these things for you in the Access & Security section of the Joomla! Extension Directory (JED), and for integrated backup to cloud or other storage you can't go past Akeeba Backup (and personally for the tiny fee compared to the cost of my time we always go with the Pro versions).

In fact Akeeba's Admin Tools Pro (included in any of their subscriptions) also provides most of the features on that list through its WAF (web application firewall). The only area not covered is password management, for which there are several solutions available.

Gruchot answered 23/2, 2013 at 5:29 Comment(0)
9

Step 1. Create a new directory in your root directory (eg. "newadminurl")

Step 2. Create an index.php file in your "newadminurl" directory:

<?php
// Set a session cookie (it expires when the browser closes) holding the secret
// value, then send the browser on to the real administrator directory.
$admin_cookie_code="3429020892";
setcookie("JoomlaAdminSession",$admin_cookie_code,0,"/");
header("Location: /administrator/index.php");
?>

Step 3. Add this to .htaccess of your real Joomla administrator directory

RewriteEngine On
# Only apply to requests under the real administrator path
RewriteCond %{REQUEST_URI} ^/administrator
# Deny (403) unless the secret cookie set by newadminurl/index.php is present
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=3429020892
RewriteRule .* - [L,F]

Explanation:

Now you need to open "http://yoursite.com/newadminurl/" before you open your "administrator" path. Here we have created a cookie that expires at the end of the session and redirects to the actual administration page. Your actual "administrator" path is inaccessible until you open your secret link.

I hope this is what you were looking for.

Gluttony answered 25/2, 2014 at 10:49 Comment(2)
This should be the right answer both here and on the Joomla StackExchange thread. - Keen
This doesn't break the administrator page but also hides the /administrator URL from users that don't know the hidden URL; it's just what I needed. Thanks! - Bloodstream
3

There might be all sorts of dependencies in the core and in third-party extensions that hard-code the admin path, even though there are platform variables to assist with this.

I would recommend that you instead configure your .htaccess to prevent public viewing of your administrator folder and restrict access only to approved IP addresses. This will prevent them from accessing the admin folders, but of course will not protect against attacks which do not require direct access (e.g., some third party app that calls code in an admin folder for the component from the front end).

Note: This goes in the .htaccess file in your administrator folder not the .htaccess in the site root, i.e. [siteroot]/administrator/.htaccess

Here is an example of the .htaccess you may configure:

# Page to show when access is refused (403)
ErrorDocument 403 http://www.your-ip-is-not-allowed-to-access-this-section.com
# Deny everyone, then allow only the listed address(es)
Order deny,allow
Deny from all
Allow from X.X.X.X

Where X.X.X.X is the IP address you want to allow into the admin section. You can specify multiple addresses with multiple Allow from X.X.X.X lines.

Sweepings answered 23/2, 2013 at 0:19 Comment(0)
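A combined /administrator/.htaccess that applies both controls from the answers above, the secret-cookie gate from Gluttony's steps and the IP allowlist from this answer, written as an added example rather than code from either answer or from Joomla. It assumes Apache with mod_rewrite and either mod_authz_core (Apache 2.4) or the 2.2-style access directives, AllowOverride enabled for the directory, and placeholder values: the JoomlaAdminSession cookie value and the two documentation-range addresses are assumptions to be replaced with your own.

```apache
# /administrator/.htaccess (added example, not from the answers or from Joomla)
# Assumes mod_rewrite plus mod_authz_core (2.4) or mod_access_compat/2.2 directives.

# --- Gate 1: secret cookie set by the hidden landing page (Gluttony's Step 2) ---
RewriteEngine On
# Anchored so only the exact cookie value satisfies the check; a cookie whose value
# merely starts with the secret would pass an unanchored "!JoomlaAdminSession=..." test.
# The value below is a placeholder: generate your own long random string.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)JoomlaAdminSession=REPLACE_WITH_LONG_RANDOM_VALUE(;|$)
# Plain 403; no ErrorDocument pointing at a full URL, which Apache serves as a redirect.
RewriteRule ^ - [F,L]

# --- Gate 2: IP allowlist (this answer), Apache 2.4 syntax ---
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>
# Apache 2.2 equivalent (rejected by 2.4 unless mod_access_compat is loaded)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>
```

The cookie pattern is anchored on both sides so a longer or prefixed value cannot satisfy it, and the two access syntaxes are separated with IfModule because Apache 2.4 refuses Order/Deny/Allow unless mod_access_compat is loaded. The landing page from Step 2 can set the cookie with the httponly and secure flags (PHP 7.3 and later accept an options array as the third argument to setcookie). As the other answers point out, none of this protects code paths that include files from /administrator through the front end; it only restricts direct browser access to that directory.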
