Incredible situation found bt mistake... googling email of any customer and boom

[quintangai]

As hard to believe that I cannot find any guide to my poor knowledge...
I was advised by a friend that googling my own email address "quintangai@gmail.com"
or any of the customers on WM and clicking on the results that point to our shop "El Rebost Català" takes directly to the backend !! right on the orders or customers Virtuemart page...

Deleting orders from or even customers does not affect at all...  you keep going directly to backend without having to enter administrator area...

Any idea on how to deal with it...??   
Since I cannot delete searches from google I should be able to stop entering backend from any link without passing first from login page...

Thanks to anybody how can enlighten me...

[Studio 42]

Check your settings right for Virtuemart here https://elrebostcatala.com/administrator/index.php?option=com_config&view=component&component=com_virtuemart
And yes, mange front is visible in Google.
So best redirect any access from fron-end for now
Something so in your .htaccess
RewriteCond %{QUERY_STRING} (^|&)manage= [NC]
RewriteRule ^ index.php [L,R=301]

[jenkinhill]

Which Joomla/VM versions? http://forum.virtuemart.net/index.php?topic=118683.0

Sounds like you have some incorrectly set ACL, or may have been hacked!

[quintangai]

thanks for your replies
My joomla is 3.6.5 and VM 3.0.18 ...that is last versions... php is 5.6

I guessed it is something of ACL and yesterday I kept on messing around 2 more hours ending with the expected behaviour of google search links ending to a Not allowed message and getting directed to the front end... 
all looked OK, until I tried to enter backend... that I could not do ... so you may guess that I am not a top level user...
I spent whole morning trying to enter as admin, but it has been easier to restore all from a backup and start over again...

I wil appreciate if you teach me what  ACL is correct for Virtuemart ...

Meanwhile I will also try the .htacess guides and see what happens...

Many thanks to all of you for your time and patience

Regards

[Studio 42]

I can only confirm that something is better as before, but you always see your front management.
So your ACL are not set.
All need to be red for all user groups except super user and admin accounts

[jenkinhill]

Be aware that many Joomla sites that were slow to update when security releases were made available were hacked - and many also before the security patches were publicly available. Some of the hacked sites had changed ACL, opening the site to all and changing the password(s) of super admins. If the backup, was from before the 3.6.4/3.6.5 updates then you should be OK.