Whenever an unhandled PHP exception is raised (ie an error on a database query), Admin Tools will send an email containing all the details (time, file and line raising the exception) for later debugging.

Please note that emails sent from this feature contain information about errors on the public frontend of your site coming from any software installed on your site, be it Joomla! itself or one of the third party extensions you have installed. In the vast majority of cases, these errors do NOT come from Admin Tools. We cannot offer support for any issues coming from third party software. Please contact the developer of the software causing the error, not us.

When enabled, the IP new users signed up from will be stored as User Notes.

If the option above is enabled, select the category under which the User Note containing the sign-up IP address will be stored. The default is to use the default category Joomla! creates for user notes, titled “Uncategorised”.

It is advised to create a new category named something like “Sign-up Information”. To do that, go to Users, User Note Categories from the sidebar of your site, then click on the New button in the toolbar.

It is suggested to keep this option enabled. When enabled, all potential security issues —blocked by Admin Tools— will be logged in the database and made available under the Blocked Requests Log tool. This is required for the automatic IP blocking feature to work.

Please note that turning off this feature will also disable the debug log file, even if the option below is set to Yes.

Blocked requests due to these blocking reasons will not be logged. As a result, IPs getting their requests repeatedly blocked because of this reason will not be automatically banned from your site. Moreover, as there is no log, it will be impossible to tell why someone is being blocked from accessing your site when they trigger one of those reasons.

For a list of what each reason means please consult the list of WAF log reasons. You can start typing or click on on the field to show the list of reasons.

The default setting is an empty list.

It is suggested to keep this option disabled unless you are troubleshooting.

When enabled, Admin Tools will create a file named admintools_blocked.php in your site's administrator/logs directory (or wherever you have configured your logs directory to be). This contains all the information sent in the request that Admin Tools blocked. This may include sensitive information such as usernames, passwords and personally identifiable information. For this reason you must only enable this feature for a limited amount of time when troubleshooting. We may ask you to do this, and send us a copy of the log file, if you ask us for support.

The file has an extension of .php and begins with a PHP die() statement to prevent direct web access if your log directory is accidentally left web accessible. An attacker may try to access the file but all they will get is a blank page.

When you disable that option, the existing log files will be removed once you visit Admin Tools' Control Panel page again.

Do note that your logs directory MUST be writable for the log file to be generated.

Some servers use automated file scanners which will mistakenly flag Admin Tools' log file as a security threat. Because of that they might issue an automated warning to you that your site is hacked, rename / delete the file or prevent web access to your site (put it offline). This is a mistake and does not reflect the truth. Our log file does have an executable extension (.php) and does contain the signatures of hacking attempts (the hacking attempts it stopped from hacking your site!) BUT the hacking attempts signature themselves are NOT executable. In fact, the only reason this is a .php file is so that we can put a PHP die() statement at the top of the file to prevent it from being executable over the web. This information is also printed at the top of the file, in its header. If your host is giving you grief about the log file please show them this documentation page or ask them to actually review the file and read its header. If they still insist that they have to block your site please go to a different host that understands how PHP works and, by extent, is a much safer choice. In the meantime, just disable the Keep a debug log file option.

Admin Tools will provide you with a link to look up the owner of an IP address in the emails it sends you, as well as the Blocked Requests Log and Auto IP Blocking Administrator pages. By default, it uses the whatismyipaddress.com service. This option allows you to use a different IP lookup service if you so wish.

As of Admin Tools 7, the IP lookup service MUST use HTTPS since you are sending it IP addresses. Doing so over plain HTTP may carry privacy and/or security risks.

Enter the URL of the IP lookup service you want to use in this text box. The {ip} part of the URL will be replaced with the IP address to look up. For example, the default URL (using whatismyipaddress.com) is whatismyipaddress.com/ip/{ip}

Enter one or more email addresses (separated by commas) which will get notified whenever a request is blocked on your site. For example [email protected] for one recipient only or [email protected], [email protected], [email protected] for multiple recipients. The email addresses need not be in the same domain name and don't even need to be users of the site itself. Any email address will do.

A "blocked request" is anything which triggers the Web Application Firewall and causes it to block an incoming request to serve a page. This is useful to get an ahead warning in the event of a bot trying to perform a series of attacks on your site.

The contents of the e-mails can be configured using the Email Templates feature in the Web Application Firewall page.

Blocked requests caused by these blocking reasons will not result in an email being sent to the email address specified in "Email this address on blocked request".

For a list of what each reason means please consult the list of WAF log reasons. You can start typing or click on on the field to show the list of reasons.

The default setting is empty.

Enter an email address which will get notified whenever someone successfully logs in to your site's administrator back-end. If you do not wish to use this feature, leave this field blank. If you enter an email address, every time someone logs in to the administrator area an email will be sent out to this email address stating the username and site name. If you want to send a notification to multiple email addresses separate them with commas, e.g. [email protected], [email protected]. The email addresses do not need to be in the same domain and they don't even have to be linked to users of your site.

This allows you to get instant notification of unexpected administrator area logins which are a tell-tale sign of a hacked site. In that unlikely event, immediately log in to your site's back-end area, go to Extensions, Admin Tools and click on the Emergency Off-Line Mode button. This will cut off the attacker's access to the entirety of your site and gives you ample time to upgrade your site and its extensions, as well as change the password (and maybe the username) of the compromised Super Administrator account. For maximum security, after taking your site back on-line, log out, clear your browser's cookies and cache and log in again.

The contents of the e-mails can be configured using the Email Templates feature in the Web Application Firewall page.

Enter an email address which will get notified whenever someone tries to log in to your site's administrator back-end but is denied access. If you do not wish to use this feature, leave this field blank. If you enter an email address, every time someone unsuccessfully tries to log in to the administrator area an email will be sent out to this email address stating the username and site name. If you want to send a notification to multiple email addresses separate them with commas, e.g. [email protected], [email protected]. The email addresses do not need to be in the same domain and they don't even have to be linked to users of your site.

This allows you to get instant notification of unexpected administrator area login attempts which are a tell-tale sign of a hacked site. In that unlikely event, immediately log in to your site's back-end area, go to Extensions, Admin Tools and click on the Emergency Off-Line Mode button. This will cut off the attacker's access to the entirety of your site and gives you ample time to upgrade your site and its extensions, as well as change the password (and maybe the username) of a potentially compromised Super Administrator account. For maximum security, after taking your site back on-line, log out, clear your browser's cookies and cache and log in again.

The contents of the e-mails can be configured using the Email Templates feature in the Web Application Firewall page.

Enter an email address which will get notified when the number of blocked requests exceeds a certain number within a defined time period. This feature is meant to give you a warning if your site appears to be under heavier attack than normal. This lets you evaluate whether you need to apply additional security measures –such as but not limited to blocking entire IP ranges, enabling increased protection on a third party CDN/firewall such as CloudFlare CDN, etc– if you suspect this is the beginning of a sustained attack against your site.

If you want to send a notification to multiple email addresses separate them with commas, e.g. [email protected], [email protected]. The email addresses do not need to be in the same domain and they don't even have to be linked to users of your site.

The number of requests and the time period are defined in the next three options, which only appear once you enter an email address in this option here.

The email will only be sent approximately once defined per time period. We say “approximately” because detecting whether an email has already been sent is subject to your database server reporting back information which has been written into this database. There is always a small delay between writing data to the database and this data becoming available for reading. While this is usually in the order of a few milliseconds, if your site is under heavy attack and/or your server is under heavy load this might result in several (typically: between two and ten) requests not being told by the database server an email is already sent, therefore sending yet another email to you.

Also note that having a very low threshold of blocked requests, and/or a very short period of time for this feature will result in too many emails. Conversely, a too high threshold, and/or a too coarse time period may result in no emails, or emails coming too late to be of any practical use. The thresholds and time periods we recommend are 1000 blocked requests in 1 hour, or 100 blocked requests in 5 minutes.

The contents of the e-mails can be configured using the Email Templates feature in the Web Application Firewall page.

At least this many requests must be blocked in the defined time period to result in an email being sent to the configured email addresses with a warning about an increase in the number of blocked requests.

How many seconds, minutes, hours, or days are in the time period for the warning about an increase in the number of blocked requests.

The unit of time measurement for the warning about an increase in the number of blocked requests.