---
title: "Access Key plugin"
date: 2026-06-12
author: "Jeroen Moolenschot"
---

# Access Key plugin

![](https://www.joomill-extensions.com/images/extensions/accesskey/logo-access-key-2025.png) 
# Joomla **Access Key**

 Hide your Joomla administrator login behind a secret key in the URL. No key, no login form — just a message or a redirect. The bots that hammer `/administrator` with brute-force attempts never even see a login to attack.

 
- Download free
- [Documentation](https://www.joomill-extensions.com/documentation/access-key-plugin)

 
- Free and open source
- Joomla 5 and 6
- IP whitelist with CIDR

 ### This is the whole idea

 Open the backend with your key attached and the normal Joomla login appears:

```
https://www.website.com/administrator?YourSecretKey```

Leave the key off and there is nothing to log in to. No form, no target, no brute-force.

 Why Access Key

 
## Your login form is the most attacked page on your site

 Every Joomla site keeps its login in the same place: `/administrator`. Bots know this. Around the clock they throw username and password combinations at a form that is visible to the entire internet. Even when they never get in, the constant brute-force traffic floods your logs, wastes server resources and sits one leaked password away from a real breach.

 Access Key removes the target. With the plugin enabled, the administrator login is only revealed to someone who already carries your secret key. Everyone else — every bot included — gets a plain message or a redirect. There is no form to brute-force, because there is no form at all.

 What it does

 
## Everything in one small plugin

 Pick a key, decide what happens to everyone without it, and you are protected. No template edits, no extra services, no front-end impact.

 
- ### Secret URL key

 Hide the login

 Choose any key you like and add it to your admin URL as `?yourkey`. Only requests that carry the key reach the real login screen.
- ### IP whitelist

 Skip the key

 Trust your own office or home connection. Whitelisted IP addresses reach the login without the key, and the plugin shows your current IP so you can add it in seconds.
- ### CIDR ranges

 Whole networks

 Whitelist an entire network with CIDR notation such as `192.168.1.0/24` instead of listing every address by hand. IPv4 and IPv6 are both supported.
- ### Show a message

 Decoy response

 Visitors without a key see a custom message instead of a login. The default is a flat “There is nothing to see here!” and you can write your own.
- ### Or redirect

 Send them off

 Prefer to move them along? Redirect every keyless visit to any URL you choose, or fall back to your homepage.
- ### Stays out of the way

 No friction

 Enter once with the key and your session remembers you, so you click through the backend normally. The front end of your site is never touched.

 How it works

 
## From bot magnet to closed door in four steps

 
- ### 1

 Set your key

 In the plugin options you choose a secret access key and decide what keyless visitors get: a message or a redirect.
- ### 2

 Reveal the login

 From now on you open the backend with the key attached: `/administrator?YourSecretKey`. The normal Joomla login appears and you sign in as usual.
- ### 3

 Everyone else gets nothing

 Any visit to `/administrator` without the key, from a person or a bot, gets your message or redirect. The login form is never rendered.
- ### 4

 Whitelist what you trust

 Add trusted IP addresses or CIDR ranges so your own connection skips the key entirely while everyone else still hits the wall.

 Under the hood

 
## Built for security, the Joomla way

 
- ### Front end untouched

 Admin only

 The plugin acts on the administrator area and nothing else. Your public site and its visitors are never affected.
- ### A whitelist you can trust

 No spoofable IPs

 By default only the real connection IP is trusted. Forwarded headers such as X-Forwarded-For are ignored, so nobody can fake a whitelisted IP. Behind a genuine proxy? Enable Joomla’s load balancer setting and forwarded IPs are honoured again.
- ### Accurate matching

 Real subnet math

 IP matching uses real binary subnet calculations with IPv4 and IPv6 support, not loose string comparison that can be tricked.
- ### Modern codebase

 Joomla 5 and 6

 A namespaced system plugin with a DI service provider and SubscriberInterface, built for Joomla 5 and 6 and ready for what comes next.

 Honest about security

 
## An extra layer, not a magic shield

 Let’s be clear about what this is. Access Key is defense in depth: it hides your login so automated attacks never reach it, which removes the overwhelming majority of brute-force noise. It is not a replacement for the basics. Keep using a strong, unique administrator password and two-factor authentication — Access Key simply makes those last lines of defense far less likely to ever be tested.

 Questions

 
## Frequently asked questions

 
- ### What does the Access Key plugin do?

 It hides your Joomla administrator login behind a secret key in the URL. Without the key, visitors and bots never see the login form — they get a message you define or a redirect instead. It is a simple, effective layer that keeps automated brute-force attacks away from your login.
- ### How do I log in once it is enabled?

 Append your key to the admin URL, for example `https://www.website.com/administrator?YourSecretKey`. The normal Joomla login appears, you sign in as usual, and your session remembers you so you do not need the key on every click.
- ### Is this a replacement for a strong password or two-factor authentication?

 No, and it is not meant to be. Access Key is an extra layer (defense in depth). It stops bots from ever reaching your login form, which removes the vast majority of brute-force attempts, but you should still use a strong, unique password and two-factor authentication.
- ### What happens if someone visits /administrator without the key?

 You decide. Choose “Show Message” to display a custom message (the default is “There is nothing to see here!”), or “Redirect to URL” to send them to any address, or to your site root. Either way the login form is never rendered.
- ### Can I skip the key from my own office or home?

 Yes. Add your IP address, or a CIDR range such as `192.168.1.0/24`, to the whitelist and those visitors reach the login without the key. The plugin shows your current IP address so you can whitelist it in one click.
- ### Does the IP whitelist work behind Cloudflare, a proxy or a load balancer?

 By default the plugin only trusts the real connection IP, because forwarded headers can be spoofed. If your site genuinely sits behind a trusted proxy or load balancer, enable “Behind Load Balancer” in Joomla’s Global Configuration (Server tab) and the whitelist will use the forwarded IP again.
- ### Help, I forgot my key and locked myself out!

 No problem. With FTP access, rename the `plugins/system/accesskey` folder (for example to `--accesskey`) to get back in, then set a new key. With database access, run `UPDATE #__extensions SET enabled = 0 WHERE name = 'PLG_SYSTEM_ACCESSKEY'`, log in and choose a new key. The full guide is in the documentation.
- ### Does it affect the front end or my visitors?

 No. The plugin only ever acts on the administrator area. Your public website and everyone visiting it are completely untouched.
- ### Which Joomla versions are supported?

 Access Key supports Joomla 5.x and 6.x.
- ### In which languages is the plugin available?

 The plugin interface is available in six languages: English, Dutch, German, French, Spanish and Italian.
- ### Is it really free?

 Yes. Access Key is GPL licensed and free to use on as many Joomla sites as you want.
- ### How do I install it?

 Download the package from the Joomill website and install it through System > Install > Extensions using the Upload Package File tab. The plugin is published automatically. Note that enabling it logs you out, so set your key and keep a backup before you switch it on.

 
## Lock down your Joomla login in two minutes

 Free, GPL licensed and yours to use on as many Joomla sites as you want. Set a key, pick a message or a redirect, and the bots are locked out.

 
- Download the Free version
- 
- 

 One license, unlimited sites · Personal support from the developer


## Custom Fields

**Extension Name:** Joomill Access Key plugin

**Cache Key:** accesskey

**OCH categorie:** 19

**Prijs Gratis versie:** 0

**Extension URL:** https://www.joomill-extensions.com/extensions/access-key-plugin

**Extension Download URL:** https://www.joomill-extensions.com/downloads/access-key-plugin