Overview

Backdoor is a Joomla system plugin designed to secure access to the /administrator URL and prevent unauthorized access to the /administrator login form itself.


Installation

  1. Download the Backdoor zip file and save it on your computer.
  2. In the Joomla administrator menu, go to the "System" menu and select "Extensions" in the "Install" panel.
  3. Select the "Upload Package File" tab.
  4. Press the "Choose File" button to browse your system and locate the plugin file you downloaded.
  5. Press the "Upload & Install" button.

At this point the extension is installed but not enabled. If you enable it without configuring it, it will work, but the URL keys will be the well-known defaults and therefore not secure. Enabling without configuration is NOT recommended.


Configuration

  • To configure this plugin, go to the Joomla administrator menu, open the "System" menu and select "Plugins" in the "Manage" panel.
  • Type "adm" in the search field and click the magnifying glass.
    Now you should see "Backdoor".
  • Click the name to open the configuration.


Plugin

This is the basic configuration tab (the first tab displayed) when editing the plugin configuration. On this tab the plugin can be published and unpublished. It is suggested to configure, save, and only then enable. Don't get ahead of yourself, or you may need the "HELP" section (below) sooner rather than later.

The default options are as follows:

  • URL Access Key: "backdoor"
  • Redirect URL: {HOME}
  • 404 Template: described below
  • Frontend Restrictions
    • Enable/Disable
    • Restricted Groups
  • Link Recovery
    • Enable/Disable
    • Allowed Groups
  • Logging
    • Enable/Disable

Another part of this tab, above the configuration options, is the "AccessURL:" link. This is a live-updated URL that reflects the options currently configured on this tab. As you alter the key or key value, the display shows the new URL that will be active once the plugin is saved and activated. You can return to the plugin configuration at any time to retrieve the current /administrator URL.

URL parameters (variables) are restricted to a certain set of characters, and some characters additionally have a special meaning to Joomla. Backdoor actively monitors the input values of the key and key-value fields to ensure that an invalid character isn't entered. Don't bother typing these: the plugin will not allow them and will display this list to remind you. Since it is much easier to list the invalid characters than the valid ones, they are presented here:

Invalid Characters

  • SPACE- ( )
  • QUOTE- "
  • POUND- #
  • DOLLAR- $
  • PERCENT- %
  • AMPERSAND- &
  • PLUS- +
  • COMMA- ,
  • FORWARDSLASH- /
  • COLON- :
  • SEMICOLON- ;
  • LESS THAN- <
  • EQUALS- =
  • GREATER THAN- >
  • QUESTION- ?
  • AT- @
  • LEFT BRACKET- [
  • BACKSLASH- \
  • RIGHT BRACKET- ]
  • CARET- ^
  • GRAVE- `
  • LEFT CURLY- {
  • PIPE- |
  • RIGHT CURLY- }
  • TILDE- ~

URL Access Key

The default setting is "backdoor".

It is possible to use ONLY this configuration option. This is like adding a password to your gate before someone can approach your front door: they can't break in the door if they can't get past the gate.

Passwords are notoriously easy to break. Give a machine enough time and it will eventually break any password. A good rule of thumb is that your password should be longer than 8 characters. Any shorter and it can be broken in a matter of hours (minutes or seconds for the very shortest passwords).

There are numerous places for password advice online. Pick something you like, something longer than 8 characters, and please don't let it be "backdoor" (the default).
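As an added example (not code from the Backdoor plugin), here is a small Python checker that applies the rules above to a candidate access key before you type it into the plugin: the invalid-character list and the "backdoor" default come from this page; the 9-character minimum follows the "longer than 8 characters" advice, and the printable-ASCII check is an assumption added here.

```python
# Added example, not the plugin's own code: check a proposed URL access key
# against the rules documented for the Backdoor plugin before entering it.

# Exactly the characters listed under "Invalid Characters" (space included).
INVALID_CHARS = frozenset(' "#$%&+,/:;<=>?@[\\]^`{|}~')
DEFAULT_KEY = "backdoor"      # the shipped, well-known default
MIN_KEY_LENGTH = 9            # "longer than 8 characters"


def find_invalid_chars(value: str) -> list[str]:
    """Return each rejected character in value, once, in order of appearance.

    Characters outside printable ASCII are reported too; that is an assumption
    added here (they cannot appear literally in a URL parameter), not a rule
    stated by the plugin documentation.
    """
    found: list[str] = []
    for ch in value:
        rejected = ch in INVALID_CHARS or not (0x21 <= ord(ch) <= 0x7E)
        if rejected and ch not in found:
            found.append(ch)
    return found


def check_access_key(key: str) -> list[str]:
    """Return the problems with a proposed key; an empty list means it is usable."""
    problems: list[str] = []
    bad = find_invalid_chars(key)
    if bad:
        problems.append("contains invalid characters: " + " ".join(repr(c) for c in bad))
    if len(key) < MIN_KEY_LENGTH:
        problems.append(f"only {len(key)} characters; use more than 8")
    if key.lower() == DEFAULT_KEY:
        problems.append("this is the well-known default; it gives no protection")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, from the shipped default to an acceptable one.
    for candidate in [DEFAULT_KEY, "my key&1", "s3cret", "gate.pass_2024!x"]:
        verdict = check_access_key(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```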

Redirect URL

The default setting is {HOME}.

The {HOME} setting uses the Joomla API to determine your homepage URL, so you don't need to alter it when changing hosts or moving from development to production servers.

A complete URL is also valid, which may be local or remote.

A setting of {404} will return no session cookie, and will display a configurable 404 error template. The 404 Template configuration will appear after {404} is typed into the Redirect URL field.

{404} is the safest choice, as it may confuse an attacker enough to make them look for another target. Any redirection may tip off an attacker that there is something there to attack.

404 Template

The default mimics a stock Apache 404 error page and is designed to fool an attacker into believing there is truly nothing to see. Actual server values are substituted into the template to make it more authentic. The template is as follows:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL {url} was not found on this server.</p>
<hr>
{serversignature}
</body></html>
  • {url} and {serversignature} are replaced with the appropriate values obtained from the server.

Frontend Restrictions

This is the second tab available within the Backdoor configuration and is intended for administrators who want certain users kept out of the front-end. There are a variety of reasons for this, but to be succinct: if an administrative user account remains unknown to the outside world, it cannot be attacked.

By default this feature is disabled, as it could cause problems if it were enabled automatically. An administrator must explicitly turn it on and explicitly choose the groups to restrict from front-end access. This is the ONLY front-end action that Backdoor takes.

  • Restrict Frontend Groups: No
  • Group Selection: <blank>

Setting "Restrict Frontend Groups" to "Yes" will display the "Group Selection" field.

Any member of a group chosen in "Group Selection" will be unable to log into the website frontend.

Link Recovery

For many organizations, password expiration is something you can set your watch by. In a large organization with many administrative users, it may not be practical to contact everyone to tell them the new Backdoor-generated URL for /administrator. This is where the Mail Link configuration makes life simpler. When enabled, an authorized /administrator user can enter a special URL that triggers an email containing the current URL. There is no need to notify all of your users; the plugin can notify them for you.

  • Enable Mail Link: Yes
  • Mail Link Groups: [Super Users]

When enabled, any user who is a member of one of the "Mail Link Groups" can enter a URL that triggers an email containing the /administrator URL.

This is the URL they will use: /administrator/?maillink=<username>

The plugin looks up the user, determines whether they are a member of a group allowed to make this type of request and, if so, emails the link. Usernames that are not authorized are treated like any other invalid access: they receive the redirect option chosen on the Plugin tab.

Logging

Failures (key, blacklist, brute force) trigger an entry in the server error log. RicheyWeb.com servers use these log entries to trigger Fail2Ban.

Help

If you forget your secret access key, there are different ways to regain access to your login page.

1. Backdoor can send you the key by mail

See Link Recovery (above).

2. Edit the PHP code

Connect to your webserver by FTP.
Edit backdoor.php by opening joomla-root/plugins/system/backdoor/backdoor.php.
Search for "enable on emergency" and remove the "//" at the beginning of the NEXT line.