How to find admin panel of a website ?

What is an admin panel?

An admin panel of the website or web application is like a management system used by its admins or editors to manage the website like adding new pages, uploading images, changing the website layout, adding new posts, new notices, etc.

To access the admin panel you need these two things:
1. Credentials of the admin user (username and password)
2. URL of the login page, for example

Now the most important question, the path or URL for all websites is not always admin.php. Developers use different paths of filenames to hide admin panels so that hackers can’t find them easily.

How to find the admin panel of a website?

Well, there is no 100% working method for finding admin panels but all we can do is try multiple techniques to find the exact path. Let’s start finding a few methods for finding admin panels.

1. Guessing the path

One of the methods is guessing possible paths or filenames of mostly used admin panels. Developers may have used common names such as admin, admin-panel, administration, control-panel, administrator, etc. Now, we have to append the above guess at the end of our target website such as,

Most of the CMS/ Frameworks do have a predefined path for the admin panel. For example, the admin panel for WordPress is always at wp-admin. The admin panel of this blog is itself at

Well, what if the developer or system admin is not stupid and not using a common URL for the admin panel? What if he/she is using a path like In such cases, checking for common URLs will not work.
Let’s try something else now.

2. Crawling of Fuzzing

Crawling/Fuzzing is the process of fetching all the URLs present on the website. For example, if you enter the URL in a crawler, the program will find all the links on that page. Then it will visit all the linked pages and will search for further links. This process will go on until it meets a dead end.
There are many tools available for fuzzing endpoints. Some of the very popular tools are dirb, dirbuster, FFUF, etc. In the image below we have fuzzed the URL of hacknopedia and it found posts, directories, etc. To this, we have to give a list of possible files or paths which is called the dictionary.

Using Dirbuster

image 3
Fuzzing URL with dir buster

Using FFUF

image 5
Fuzzing admin panel with FFUF
ffuf is an acronym for “fuzz faster you fool!”, and it’s a cli-based web attack tool written in Go.

As shown above, FFUF successfully found the admin path in the targeted URL.

3. Using Google Dorks

As we all know google keeps crawling our websites regularly and stores the information on websites. By using google dorks we can find the admin panel of the website as shown below. In the image below we used google dorks such as site: com to give a target domain ending with .com and URL path admin to find the admin panel of all websites. We can also set our target website as site:

image 6
Using google dorks to find the admin panel.
image 7
Finding secret URLs with google dorks

A few more google cheat sheet to find the admin panel is listed below. You can always try new things on your own by guessing possible paths and using them in google dorks.


4. Checking robots.txt file

Every website has a robots.txt file that contains URLs that should not be crawled or indexed by google. You can view this (not always) by going to Sometimes, the stupid developer may have included the admin panel URL in the robots.txt file to make it not visible to search engines. But, wait we are hackers, we look at robots.txt files at the very first stage of information gathering.

image 8
Finding a sensitive path in the robots.txt file.

Well, these were a few of the methods posted here. If you know about some other way to find admin panels then please comment after all we all are here to learn. Aren’t we?
That’s all for now. I hope you enjoyed this article and learned something new.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *