On this page

# Topics

Admin component in Joomla

13 June 2026

Every Joomla site has a component called com_admin. Most administrators have never opened a single one of its files, yet this small component plays a central role. It collects the system information you copy into a forum post when you need help.

It renders the Help screen. And, less obviously, it runs the actual database migrations every time you click "Update Now" on a Joomla core update.

The name com_admin is a trap. It sounds like it covers the whole backend, but the backend (/administrator/) is actually a neighbourhood of many small components. com_admin is just one of them, with one very specific job: it is the component about the administrator itself.

The small core component that runs Joomla's upgrades, shows system information, and powers the help screen.

This article walks through what com_admin contains, how it fits into the Joomla 6 architecture, why script.php is one of the most important files in Joomla core, and what makes this component a useful reference example for developers who want to build modern Joomla components.

1. The Basics

1.1 What is com_admin?

A Joomla component is a small MVC application that runs inside Joomla. Most components are about something:

com_content handles articles.
com_users handles users.
com_menus handles menus.
com_admin is about the administrator itself.

It is responsible for three concrete things: showing System Information, showing Help, and providing the upgrade engine that runs whenever Joomla updates itself to a new version.

1.2 Why com_admin Matters

The component is tiny on the surface but load-bearing underneath:

It is the screen you visit when something goes wrong and you need to share system details.
It contains the canonical history of Joomla's database schema in the form of SQL migration files.
It runs every Joomla core update, including file cleanups and asset table fixes.
It is the cleanest example in core of a modern Joomla 6 component, complete with Service Provider, custom Dispatcher, and PSR-4 namespacing.

1.3 The Name is Misleading

People often think:

"com_admin must be the whole administrator backend."

It is not. The administrator backend is simply the /administrator/ folder. Inside it live dozens of small components, each handling one concern. com_admin is one of them, alongside com_content, com_users, com_installer, com_joomlaupdate, and many others.

1.4 Neighbouring Components

To understand com_admin, you need to know which jobs belong to which neighbour:

Component	What it actually does	UI location
`com_admin`	System Information, Help, and the CMS upgrade engine	System → System Information / Help
`com_joomlaupdate`	The UI to check and trigger Joomla core updates	System → Joomla! Update
`com_installer`	Install, update, and manage extensions, plus Database Fix	System → Extensions / Database
`com_config`	The Global Configuration form	System → Global Configuration
`com_cpanel`	The dashboard tiles you land on	Home page after login

A common mistake is to assume that "Joomla Update lives in com_admin". It does not. The UI for the update lives in com_joomlaupdate. The engine that actually applies the upgrade lives in com_admin. They are two halves of one workflow.

2. Where com_admin Lives

2.1 The Folder Structure

You can find the component in your Joomla installation here:

public_html/administrator/components/com_admin/
├── postinstall/       (post-install handlers)
├── services/          (DI container wiring)
├── sql/               (versioned DB migrations)
├── src/               (PHP classes, PSR-4)
├── tmpl/              (view templates)
├── admin.xml          (manifest)
└── script.php         (the upgrade engine)

Notice what is missing: there is no media/ folder and no front-end folder. com_admin is a pure backend component.

2.2 How to Open It in the Browser

There are only two URLs that lead into com_admin:

/administrator/index.php?option=com_admin&view=sysinfo
/administrator/index.php?option=com_admin&view=help

There is no list view, no edit form, and no toolbar with publish or trash buttons. Two screens, nothing more.

2.3 The Manifest File

Every Joomla component has a manifest. For com_admin it is admin.xml:

<extension type="component" method="upgrade">
    <name>com_admin</name>
    <version>4.0.0</version>
    <namespace path="src">Joomla\Component\Admin</namespace>
    <administration>
        <files folder="admin">
            <filename>admin.xml</filename>
            <filename>script.php</filename>
            <folder>postinstall</folder>
            <folder>services</folder>
            <folder>src</folder>
            <folder>tmpl</folder>
        </files>
    </administration>
</extension>

The attribute method="upgrade" matters: it tells Joomla to always upgrade the component instead of installing it from scratch. com_admin is never reinstalled clean on a running site.

3. The Two Views

3.1 View 1: System Information

The first view (view=sysinfo) shows what you see under System → System Information: PHP version, MySQL version, Joomla version, server settings, raw phpinfo(), directory permissions, and configuration values.

The templates live in tmpl/sysinfo/:

default.php              (the tabbed wrapper)
default_system.php   (system table)
default_phpsettings.php
default_config.php
default_directory.php
default_phpinfo.php  (raw phpinfo)

This is the screen you copy into a support thread when you want help with a Joomla problem. It includes everything needed to diagnose an issue, but with one important safeguard described later in this article.

3.2 View 2: Help

The second view (view=help) is a small built-in help browser. It reads a file called help/<lang>/toc.json and renders a table of contents that points at help.joomla.org.

The files involved are:

tmpl/help/                  (templates)
src/Model/HelpModel.php     (data layer)

If toc.json is not present, HelpModel falls back to scanning XML and HTML files in the same folder and reads their <title> tag. This kind of graceful fallback is a recurring Joomla design value: old help packs still work, even if they predate the JSON format.

4. The Modern Component Architecture

Even though com_admin only has two screens, it uses the full modern Joomla 4+/5/6 component architecture. That makes it an excellent reference for developers.

4.1 Namespacing and PSR-4

The component uses a clean namespace:

Namespace:  Joomla\Component\Admin
Path:       administrator/components/com_admin/src/

Joomla 6 uses PSR-4 autoloading. The file:

src/Model/SysinfoModel.php

maps automatically to the class:

Joomla\Component\Admin\Administrator\Model\SysinfoModel

You no longer need JLoader::register() glue code. The autoloader finds the class because the folder structure matches the namespace.

4.2 The MVC Skeleton

The src/ folder contains a small set of classes that together form a complete component:

src/
├── Controller/DisplayController.php    (entry point)
├── Dispatcher/Dispatcher.php           (routing + access)
├── Extension/AdminComponent.php        (boot hooks)
├── Model/HelpModel.php
├── Model/SysinfoModel.php
└── Service/HTML/                       (HTML helpers)

This is classic Model-View-Controller, but with two Joomla 4+ additions: a Dispatcher and an Extension class.

4.3 The Service Provider

The file services/provider.php wires the component into Joomla's Dependency Injection container:

return new class () implements ServiceProviderInterface {
    public function register(Container $container)
    {
        $container->registerServiceProvider(
            new MVCFactory('\\Joomla\\Component\\Admin')
        );
        $container->registerServiceProvider(
            new ComponentDispatcherFactory('\\Joomla\\Component\\Admin')
        );
        // ...
    }
};

Every modern Joomla component has a services/provider.php file like this. It is the official entry point for the DI container.

4.4 The Custom Dispatcher

The Dispatcher of com_admin contains a small but very intentional trick:

class Dispatcher extends ComponentDispatcher
{
    /**
     * com_admin does not require check permission,
     * so we override checkAccess method and have it empty
     */
    protected function checkAccess() {}
}

The method that normally enforces ACL is intentionally empty. The reason is that System Information and Help must keep working even when ACL is misconfigured. They are diagnostic tools, and a broken ACL is exactly when you need them most. Very few Joomla developers know this pattern exists.

4.5 The Extension Class

The Extension class AdminComponent runs at boot time and registers HTML helper services:

public function boot(ContainerInterface $container)
{
    $this->getRegistry()->register('system',        new System());
    $this->getRegistry()->register('phpsetting',    new PhpSetting());
    $this->getRegistry()->register('directory',     new Directory());
    $this->getRegistry()->register('configuration', new Configuration());
}

This lets templates call helpers in a consistent way:

echo HTMLHelper::_('phpsetting.setting', $key, $value);

4.6 The Controller Does (Almost) Nothing

The controller is intentionally minimal:

class DisplayController extends BaseController
{
    public function display($cachable = false, $urlparams = [])
    {
        $viewName = $this->input->get('view', $this->default_view);
        $format   = $this->input->get('format', 'html');

        // Check CSRF token for sysinfo export views
        if ($viewName === 'sysinfo'
            && ($format === 'text' || $format === 'json')) {
            $this->checkToken('GET');
        }

        return parent::display($cachable, $urlparams);
    }
}

It has one job: when System Information is exported as text or JSON, it requires a CSRF token. That stops an attacker from tricking a logged-in administrator into leaking system information through a malicious link. Small, but important.

5. script.php: The Real Superpower

5.1 What script.php Is

The single file administrator/components/com_admin/script.php contains the class JoomlaInstallerScript. This class is the actual Joomla CMS upgrade script.

When you click "Update Now" in com_joomlaupdate, Joomla downloads the new version and then runs this script. The script does:

File deletions for files that core no longer needs.
Folder deletions for retired folders.
Schema patches and database fixes.
Asset table fixes for items that lost their ACL row.
Extension cleanup.
Error collection for the final report.

One file, hundreds of upgrade steps. It is essentially the history of Joomla written in PHP form.

5.2 The Full Update Lifecycle

The split between com_joomlaupdate and com_admin becomes much clearer when you look at the full update lifecycle:

+----------------------------------------------------------+
|  com_joomlaupdate  (the UI)                              |
|  1. Fetch update XML from update.joomla.org              |
|  2. Parse manifest, write rows to #__updates             |
|  3. User clicks "Install the update"                     |
|  4. Download the package                                 |
|  5. Extract files, copy core into place                  |
+----------------------------------------------------------+
                         |
                         v  hands off to
+----------------------------------------------------------+
|  com_admin  (the engine)                                 |
|  6. Run JoomlaInstallerScript::preflight()               |
|  7. Run every sql/updates/<driver>/X.Y.Z-YYYY-MM-DD.sql  |
|     newer than the version stored in #__schemas         |
|  8. Run JoomlaInstallerScript::update()                  |
|     - file deletions, folder deletions, asset fixes      |
|  9. Update #__schemas with the new version pointer       |
|  10. Clear cache                                         |
+----------------------------------------------------------+

In short: com_joomlaupdate is the face of the update, com_admin is the hands.

6. Versioned SQL Migrations

6.1 The Files

Inside sql/updates/ are folders for each supported database driver:

sql/updates/mysql/
├── 6.0.0-2024-08-11.sql
├── 6.0.0-2025-09-23.sql
├── 6.0.0-2025-10-11.sql
├── 6.0.1-2025-10-29.sql
├── 6.1.0-2025-10-30.sql
├── 6.1.0-2026-02-06.sql
└── 6.1.0-2026-03-13.sql

sql/updates/postgresql/
└── (same files, PostgreSQL dialect)

The pattern is consistent:

Each filename starts with the target Joomla version.
After the version comes the date.
Files are stored separately per database driver.

6.2 The Version Pointer in #__schemas

Joomla keeps track of which SQL files have already been applied. It uses a table called #__schemas:

SELECT e.element AS extension, s.version_id
  FROM jos_schemas s
  JOIN jos_extensions e ON e.extension_id = s.extension_id;

A typical result looks like this:

+------------------+---------------------+
| extension        | version_id          |
+------------------+---------------------+
| joomla           | 6.1.0-2026-03-13    |  (com_admin updates this)
| com_content      | 6.0.0-2024-08-11    |
| com_users        | 6.0.0-2025-05-20    |
+------------------+---------------------+

On every update, Joomla looks at the files in sql/updates/<driver>/, compares them to the last applied version_id, runs every file that is newer in filename order, and then stores the highest filename back into #__schemas.

If you ever need to force a re-run of a migration, this is the row to edit. Carefully.

6.3 A Real Migration File

An example from sql/updates/mysql/6.1.0-2026-03-13.sql:

-- disable autostart for the previous tour
UPDATE `#__guidedtours` SET `autostart` = 0
 WHERE `uid` = 'joomla-whatsnew-6-0';

INSERT INTO `#__guidedtours` (...)
SELECT 'COM_GUIDEDTOURS_TOUR_WHATSNEW_6_1_TITLE', ...
 WHERE NOT EXISTS (
   SELECT * FROM `#__guidedtours` g
    WHERE g.`uid` = 'joomla-whatsnew-6-1'
 );

Notice the WHERE NOT EXISTS guard. That makes the migration idempotent: running it twice does not cause errors or duplicate rows. Idempotent migrations are a recurring pattern in core Joomla updates.

7. Post-install Messages

7.1 What They Are

The postinstall/ folder contains a small set of PHP files. Each file defines one "after-update" notice that may appear under System → Post-install Messages:

postinstall/
├── addnosniff.php          (suggest X-Content-Type-Options header)
├── behindproxy.php         (suggest behind_loadbalancer setting)
├── htaccessbrotli.php      (suggest Brotli compression rules)
├── htaccesssetce.php       (suggest CE header tweaks)
├── htaccesssvg.php         (suggest SVG MIME handling)
├── languageaccess340.php   (language ACL migration helper)
├── statscollection.php     (anonymous stats opt-in)
└── textfilter3919.php      (text filter security upgrade)

Each file defines a small *_condition() function. Joomla calls these functions and shows the matching message only when the condition returns true.

7.2 The Anatomy of a Handler

The API is simple. A post-install handler can be as short as:

function admin_postinstall_statscollection_condition()
{
    return true;   // always show
}

To register a new message, you add a row to #__postinstall_messages that points at this function. Joomla then displays your message on the Post-install Messages screen when the condition is met.

7.3 What This Pattern Is For

Post-install messages are extension-level upgrade hints. They never apply changes automatically. Instead, they describe a change you might want to make (for example, enable Brotli compression in .htaccess) and let the administrator decide. This is a deliberate design choice: Joomla wants to inform, not to overwrite.

8. How a Sysinfo Page Request Flows

8.1 The Path of a Request

It helps to see the full path a request takes when you open System Information:

URL: /administrator/index.php?option=com_admin&view=sysinfo
                |
                v
   services/provider.php
   (DI: registers MVCFactory + Dispatcher)
                |
                v
   Dispatcher::checkAccess()
   (empty override, so no ACL block)
                |
                v
   DisplayController::display()
   (CSRF check if format=text or json)
                |
                v
   SysinfoModel
   (gather and redact data)
                |
                v
   tmpl/sysinfo/default.php
   (render HTML)

Every modern Joomla component follows the same flow. Once you understand it for com_admin, you understand it for all of them.

8.2 Privacy by Design in SysinfoModel

SysinfoModel gathers a lot of sensitive information: PHP environment, paths, cookies, database settings. To make the screen safe to share, the model filters out a hard-coded list of private values:

protected $privateSettings = [
    'phpInfoArray' => [
        'CONTEXT_DOCUMENT_ROOT', 'Cookie', 'DOCUMENT_ROOT',
        'extension_dir', 'error_log', 'Host', 'HTTP_COOKIE',
        'HTTP_HOST', 'HTTP_ORIGIN', 'HTTP_REFERER',
        'mysql.default_socket', 'MYSQL_SOCKET', ...
    ],
];

When you copy your System Information into a forum post, this is the code that redacts your secrets. Do not bypass it.

8.3 Security Choices, Summarised

Surface	Protection
Access to the view	None - diagnostics must work always
Export as text or JSON	CSRF token via `checkToken('GET')`
Private values in `phpinfo()`	Hard-coded allowlist filter in `SysinfoModel`
Schema updates	Idempotent SQL, tracked in `#__schemas`
Post-install messages	Conditional functions, never auto-execute changes

The design is opinionated: show enough to debug, hide enough to stay safe.

9. Why com_admin Matters for Developers

9.1 A Reference Template

For anyone learning to build a Joomla 6 component, com_admin is the cleanest tiny example in core. It demonstrates every part of the modern architecture:

A Service Provider in services/provider.php.
A PSR-4 namespaced source tree in src/.
Use of the DI container.
A custom Dispatcher.
An Extension class that registers HTML helpers.
Versioned SQL migrations per database driver.
Post-install handlers.

If you read the twelve files in com_admin from top to bottom, you understand the entire Joomla 6 component architecture.

9.2 Patterns You Can Steal

Several patterns from com_admin apply directly to your own components:

Idempotent migrations: write SQL updates that can be run twice without breaking.
Versioned filenames: use the pattern X.Y.Z-YYYY-MM-DD.sql so Joomla can sort them.
Track applied versions in #__schemas with one row per extension.
Graceful fallback: if the new format is missing, fall back to the old format instead of failing.
Privacy by allowlist: redact sensitive values from any output that might be shared.
CSRF tokens for exports: any URL that returns sensitive data should require a token.

10. Common Confusions, Cleared Up

Several beliefs about com_admin are widespread but wrong.

Belief	Reality
"`com_admin` is the whole backend"	No, it is just one component inside `/administrator/`.
"`script.php` only runs once at install"	It runs on every Joomla core update.
"Sysinfo is read-only"	Mostly. The text and JSON exports need a CSRF token.
"Post-install messages are nags"	They are upgrade hints, never automatic changes.
"Help is loaded from joomla.org"	The table of contents is local. The pages are fetched online.
"Joomla Update lives in `com_admin`"	The UI lives in `com_joomlaupdate`. The engine lives in `com_admin`.

11. Best Practices

11.1 For Administrators

Use System → System Information first when you need to share details about a problem.
Always export through the official screen, so the privacy filter and CSRF token apply.
Check System → Post-install Messages after every major update. The hints there are written by core developers.
Do not edit #__schemas by hand unless you know exactly why.

11.2 For Developers

Read script.php from top to bottom once a year. It is the best summary of what changed in Joomla core.
Read the files in sql/updates/mysql/ to learn safe migration patterns.
Use com_admin as the reference when you build your own component skeleton.
Never bypass the privacy filter in SysinfoModel with your own dump of phpinfo().

12. Quick Reference

OPEN SYSINFO    /administrator/index.php?option=com_admin&view=sysinfo
OPEN HELP       /administrator/index.php?option=com_admin&view=help
SCRIPT          administrator/components/com_admin/script.php
SQL UPDATES     administrator/components/com_admin/sql/updates/<driver>/
VERSION TABLE   #__schemas       (one row per extension)
POST-INSTALL    administrator/components/com_admin/postinstall/
DISPATCHER      src/Dispatcher/Dispatcher.php   (empty checkAccess)
EXTENSION       src/Extension/AdminComponent.php (HTML helpers)
SERVICES        services/provider.php   (DI wiring)

13. Summary

The component com_admin looks small, but it sits at the centre of every Joomla site:

It shows System Information when something needs to be debugged.
It renders the Help screen and falls back gracefully when needed.
It runs the upgrade engine for every Joomla core update.
It contains the schema history of Joomla in versioned SQL files.
It demonstrates the full modern component architecture in a few clean files.

If you wonder how Joomla updates itself, the answer is in com_admin. If you want to learn how to build a Joomla 6 component, the example you are looking for is also in com_admin. And the next time you copy your System Information into a forum post, you now know that a small but careful component is keeping your secrets out of the clipboard.

Small but central is a fair description. It is easy to overlook, but it is one of the components a Joomla professional should know well.

Peter Martin

Joomla specialist and Linux admin for fast, secure and scalable websites.

06 June 2026