Hiding The Admin Login URL

If someone attempts to hack into your admin panel, they will typically target common entry points such as the default admin login URL and the URL that processes post requests from the login form. Knowing your login URL doesn't mean they have succeeded, but it does give them a useful foothold for malicious activity.

Therefore, it's a security best practice to keep your admin login URL secret - ideally impossible to guess - to make it much harder for attackers to gain access.

By default, the admin login URL for Trongate websites is the base URL followed by trongate_administrators/login. For example:

Additionally, a shorter URL using the base URL followed by tg-admin is also supported.

This shorter alias works because of custom routing defined in the custom_routing.php file inside the config directory.

How To Create A Secret Admin Login URL

Step 1: Choose a Secret Word

Select a word that is difficult to guess but meaningful and easy for the site owner to remember. This can be a made-up word or a combination of words. Avoid spaces or special characters.

For example, if you choose fantasticola, your new admin login URL would be:

Step 2: Update Your Custom Routing File

Next, open the custom_routing.php file inside the config directory. Replace all instances of tg-admin with your secret word.

For example, after modification (using fantasticola) you would have:

Step 3: Declare Your Secret Login Segment

Finally, open Trongate_administrators.php. If you are using Trongate version 1.3.3031 or higher, around line 12 you will find the following commented line:

Uncomment this line and replace "tg-admin" with your chosen secret word. For example:

Done!

Once these steps are complete, the default admin login URL (trongate_administrators/login) will return a 404 error, effectively hiding it. To access the admin panel, users must navigate to your base URL followed by your secret word (e.g., https://example.com/fantasticola).