You should always have something in place to try to protect your Joomla setup from brute force attacks. In these attacks, a script or cracked website repeatedly tries to log in through either the front end or the admin area of your site.
If you install something such as the Brute Force Stop extension or the security options in sh404sef then you can usually deny entry.
The downside to this is server load. Each time a login attempt is made there is a call to the server and your Joomla install. For the admin login it's far better to stop attempts before they get to the Joomla login system. You can't really use this system on the front of the site though as no-one will be able to access it!
To protect the admin area you need to password protect the administrator directory. There are a number of ways to do this:
- You could use the Password Protect Directories function in your cPanel
- You could use the Password Protect Administrator button in Akeeba's Admin Tools
- You could use a desktop application like Website Access Manager from CoffeeCup
- You could roll your sleeves up and code away in the relevant .htaccess and .htpasswd files
Any of these ways will do it but I think Akeeba's Admin Tools is by far the easiest.
However, depending upon how your server is set up you may come across the dreaded 404 Error when you password protect the administrator directory. As soon as you set the protection you're dumped to the front page of your website with a 404 error. Not good. The solution is to make an adjustment to the .htaccess file in the root directory, not the administrator directory!
All you need to do is drop this code in before the RewriteEngine On line:
ErrorDocument 401 ./error.html
ErrorDocument 403 ./error.html
Hopefully if you do come across this issue then this will provide a very simple fix. If not then perhaps reply to this post and share your solution.
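For the hand-coded route from the list above, the two .htaccess files fit together as in this added example, which is not part of the original post. The AuthName text, the AuthUserFile path and the user name in the comments are placeholders to replace with your own.

```apache
# ---------------------------------------------------------------
# File 1: administrator/.htaccess
# Apache asks for a user name and password before any request
# reaches Joomla's own admin login form.
# ---------------------------------------------------------------
AuthType Basic
AuthName "Restricted area"
# Placeholder path: keep the password file outside the web root so
# it can never be downloaded. Create it on the server with:
#   htpasswd -c /path/outside/webroot/.htpasswd yourname
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user
# Basic auth sends the credentials with every request, so only use
# the admin area over HTTPS.

# ---------------------------------------------------------------
# File 2: .htaccess in the site root (not the administrator one)
# The two ErrorDocument lines from the post go above the rewrite
# section. Because the value does not start with "/" and is not a
# full URL, Apache sends it as the literal text of the error
# response instead of fetching an error page.
# ---------------------------------------------------------------
ErrorDocument 401 ./error.html
ErrorDocument 403 ./error.html

RewriteEngine On
# ... the rest of Joomla's standard rewrite rules follow unchanged
```

To check the result, request /administrator/ in a private browser window: you should get the browser's password prompt (a 401 response) rather than the site's 404 page.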