Joomla – How to use .htaccess to protect the ‘administrator’ directory

As a Joomla administrator one of the simplest things you can do to protect your website is to lock down the ‘administrator’ directory – to reject all access except from you.

This can be done quite easily using .htaccess. If you’re unfamiliar with .htaccess – it’s a file which can be placed in any directory and will tell your apache web server (assuming that’s what you’re using, but it is the most common type) what to do with the content, such as who can access it.

To do this you will need access to the folders and files on your server, for example using your cpanel or FTP access.

  1. The first step is to know your IP range. If you don’t already know see what is my ip. This will tell you what your public IP address is – the address your network uses to connect to the Internet – and what your Joomla installation see’s when you log in.
  2. In this example I will pretend my IP address
  3. The next step is to create a blank text file, and to call it .htaccess – that is, dot htaccess with no spaces.
  4. Open the file, and add the following content:
<Limit GET POST>
 order deny,allow
 deny from all
 allow from 192.168.0.


This does two things – tells apache to DENY first, then ALLOW as you define, as well as the IP address range that is allowed.

Note: the last digit is left off – that is because on my network I will always be in that range, you may choose to make it less detailed, such as 192.168. (with the dot at the end) or make it more detailed by listing the whole IP address.

Optional: You may also need to add other networks you use, such as your home and work network. This is done by adding another line, for example

allow from 10.0.0.

Save your changes and add the file to the /administrator folder. Make sure the file is called .htaccess. The folder will look like this:


Now when ever someone tries to access the administrator page they will receive the following error message – and will not be able to brute force your admin console!