Hiding an administration URL is pretty easy.
“Joe, how are we protecting the admin urls?”
“Well, I put it on a very long secret url that nobody will ever guess”
There's a few problems with Joe's approach that might allow others to find the Admin url easily:
Browser crashes will pass URL information to developers.
URL history often stays in shared browsers, like at public libraries.
Some browser toolbars send copies of URLs to marketing organisations for analysis. Toolbars tend to be dodgy so there is a good chance the wrong people will see the URL.
Proxies and their logs can keep records of your URLs.
Other public wifi users can see your URLs, even if you are using HTTPS or if you all have the same wifi access key.
If you mistype the URL, some browsers feed it into search engines to have another go at it. The might end up displaying in someone's auto-complete.
There are so many ways for the “secret” URL to accidentally leak.
Instead Joe should have required a username and password for login, locking the account after a number of incorrect attempts.
