
Joomla Access Key

Hide your Joomla administrator login behind a secret key in the URL. No key, no login form — just a message or a redirect. The bots that hammer /administrator with brute-force attempts never even see a login to attack.
Free and open source · Joomla 5 and 6 · IP whitelist with CIDR

This is the whole idea

Open the backend with your key attached and the normal Joomla login appears:

https://www.website.com/administrator?YourSecretKey

Leave the key off and there is nothing to log in to. No form, no target, no brute-force.

Why Access Key

Your login form is the most attacked page on your site

Every Joomla site keeps its login in the same place: /administrator. Bots know this. Around the clock they throw username and password combinations at a form that is visible to the entire internet. Even when they never get in, the constant brute-force traffic floods your logs, wastes server resources and sits one leaked password away from a real breach.
Access Key removes the target. With the plugin enabled, the administrator login is only revealed to someone who already carries your secret key. Everyone else — every bot included — gets a plain message or a redirect. There is no form to brute-force, because there is no form at all.
What it does

Everything in one small plugin

Pick a key, decide what happens to everyone without it, and you are protected. No template edits, no extra services, no front-end impact.
Hide the login

Secret URL key

Choose any key you like and add it to your admin URL as ?yourkey. Only requests that carry the key reach the real login screen.
Skip the key

IP whitelist

Trust your own office or home connection. Whitelisted IP addresses reach the login without the key, and the plugin shows your current IP so you can add it in seconds.
Whole networks

CIDR ranges

Whitelist an entire network with CIDR notation such as 192.168.1.0/24 instead of listing every address by hand. IPv4 and IPv6 are both supported.
Decoy response

Show a message

Visitors without a key see a custom message instead of a login. The default is a flat “There is nothing to see here!” and you can write your own.
Send them off

Or redirect

Prefer to move them along? Redirect every keyless visit to any URL you choose, or fall back to your homepage.
No friction

Stays out of the way

Enter once with the key and your session remembers you, so you click through the backend normally. The front end of your site is never touched.
How it works

From bot magnet to closed door in four steps

  1. Set your key
     In the plugin options you choose a secret access key and decide what keyless visitors get: a message or a redirect.
  2. Reveal the login
     From now on you open the backend with the key attached: /administrator?YourSecretKey. The normal Joomla login appears and you sign in as usual.
  3. Everyone else gets nothing
     Any visit to /administrator without the key, from a person or a bot, gets your message or redirect. The login form is never rendered.
  4. Whitelist what you trust
     Add trusted IP addresses or CIDR ranges so your own connection skips the key entirely while everyone else still hits the wall.
Under the hood

Built for security, the Joomla way

Admin only

Front end untouched

The plugin acts on the administrator area and nothing else. Your public site and its visitors are never affected.
No spoofable IPs

A whitelist you can trust

By default only the real connection IP is trusted. Forwarded headers such as X-Forwarded-For are ignored, so nobody can fake a whitelisted IP. Behind a genuine proxy? Enable Joomla’s load balancer setting and forwarded IPs are honoured again.
Real subnet math

Accurate matching

IP matching uses real binary subnet calculations with IPv4 and IPv6 support, not loose string comparison that can be tricked.
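
The two points above (trusting only the connection IP, and binary subnet matching) can be sketched as follows. This is an added example, not the plugin's own code: the function names `clientIp` and `ipInCidr` are hypothetical, and taking the last X-Forwarded-For entry is an assumption about how the trusted proxy writes the header.

```php
<?php
// Added illustration, not the plugin's source; function names are hypothetical.

// Pick the address to check. Assumption: the proxy appends its peer to
// X-Forwarded-For, so the last entry is the one the trusted proxy wrote.
function clientIp(array $server, bool $behindLoadBalancer): string
{
    if ($behindLoadBalancer && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim(end($hops));
    }
    return $server['REMOTE_ADDR'] ?? '';   // header ignored by default
}

// True when $ip lies inside $cidr (IPv4 or IPv6), compared on packed bytes.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject unparsable input and mixed families (4 vs 16 bytes).
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = $max;                       // bare address means /32 or /128
    } elseif (!ctype_digit($bits) || (int) $bits > $max) {
        return false;                       // malformed prefix length
    }
    $full = intdiv((int) $bits, 8);         // whole bytes covered by the mask
    $rest = (int) $bits % 8;                // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    if ($rest === 0) { return true; }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Constructed samples: a spoofed header, then string vs. binary matching.
$req = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.168.1.5'];
printf("checked address: %s\n", clientIp($req, false));
foreach (['192.168.1.77', '192.168.10.7', '2001:db8:abcd::1', '2001:db9::1'] as $ip) {
    $loose  = str_starts_with($ip, '192.168.1');            // naive prefix test
    $binary = ipInCidr($ip, '192.168.1.0/24') || ipInCidr($ip, '2001:db8::/32');
    printf("%-17s loose=%-5s binary=%s\n", $ip, var_export($loose, true), var_export($binary, true));
}
```

The sample address 192.168.10.7 is the case to watch: a prefix string test accepts it, while the byte-level comparison against 192.168.1.0/24 does not.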
Joomla 5 and 6

Modern codebase

A namespaced system plugin with a DI service provider and SubscriberInterface, built for Joomla 5 and 6 and ready for what comes next.
Honest about security

An extra layer, not a magic shield

Let’s be clear about what this is. Access Key is defense in depth: it hides your login so automated attacks never reach it, which removes the overwhelming majority of brute-force noise. It is not a replacement for the basics. Keep using a strong, unique administrator password and two-factor authentication — Access Key simply makes those last lines of defense far less likely to ever be tested.
Questions

Frequently asked questions

What does the Access Key plugin do?
It hides your Joomla administrator login behind a secret key in the URL. Without the key, visitors and bots never see the login form — they get a message you define or a redirect instead. It is a simple, effective layer that keeps automated brute-force attacks away from your login.
How do I log in once it is enabled?
Append your key to the admin URL, for example https://www.website.com/administrator?YourSecretKey. The normal Joomla login appears, you sign in as usual, and your session remembers you so you do not need the key on every click.
Is this a replacement for a strong password or two-factor authentication?
No, and it is not meant to be. Access Key is an extra layer (defense in depth). It stops bots from ever reaching your login form, which removes the vast majority of brute-force attempts, but you should still use a strong, unique password and two-factor authentication.
What happens if someone visits /administrator without the key?
You decide. Choose “Show Message” to display a custom message (the default is “There is nothing to see here!”), or “Redirect to URL” to send them to any address, or to your site root. Either way the login form is never rendered.
Can I skip the key from my own office or home?
Yes. Add your IP address, or a CIDR range such as 192.168.1.0/24, to the whitelist and those visitors reach the login without the key. The plugin shows your current IP address so you can whitelist it in one click.
Does the IP whitelist work behind Cloudflare, a proxy or a load balancer?
By default the plugin only trusts the real connection IP, because forwarded headers can be spoofed. If your site genuinely sits behind a trusted proxy or load balancer, enable “Behind Load Balancer” in Joomla’s Global Configuration (Server tab) and the whitelist will use the forwarded IP again.
Help, I forgot my key and locked myself out!
No problem. With FTP access, rename the plugins/system/accesskey folder (for example to --accesskey) to get back in, then set a new key. With database access, run UPDATE #__extensions SET enabled = 0 WHERE name = 'PLG_SYSTEM_ACCESSKEY', log in and choose a new key. The full guide is in the documentation.
Does it affect the front end or my visitors?
No. The plugin only ever acts on the administrator area. Your public website and everyone visiting it are completely untouched.
Which Joomla versions are supported?
Access Key supports Joomla 5.x and 6.x.
In which languages is the plugin available?
The plugin interface is available in six languages: English, Dutch, German, French, Spanish and Italian.
Is it really free?
Yes. Access Key is GPL licensed and free to use on as many Joomla sites as you want.
How do I install it?
Download the package from the Joomill website and install it through System > Install > Extensions using the Upload Package File tab. The plugin is published automatically. Note that enabling it logs you out, so set your key and keep a backup before you switch it on.

Lock down your Joomla login in two minutes

Free, GPL licensed and yours to use on as many Joomla sites as you want. Set a key, pick a message or a redirect, and the bots are locked out.
One license, unlimited sites · Personal support from the developer