This page lets you configure Admin Tools' Web Application Firewall, i.e. it tells Admin Tools how to protect your site. By default, only a basic set of options is enabled. If you use the Quick Setup Wizard when you first install Admin Tools, a slightly larger set of features which are generally “safe” for use on most sites is enabled.
Using this page you can tailor Admin Tools' protection for your site. Remember that the options are not automatically applied; you will need to click the button to apply them. If you change your mind midway through changing the options, click on the button to return to the Web Application Firewall control panel page. If you do something wrong and you inadvertently lock yourself out of the administrator area of your site, do not panic! Read this section about regaining entrance.
The Configure WAF page is split into several tabs to make it easier for you to locate the correct option. The documentation of this page is organized as one section per tab to help you locate the option you are looking for.
The Basic Features section contains the very basic options which allow you to control who can access your site.
When enabled, only IPs in the Exclusive Allow IP List (see the following sections of this documentation about configuring it) will be allowed to access the administrator area of the site. All other attempts to access the administrator pages will be redirected to the site's home page. Be careful when using this feature! If you have not added your own IP to the Exclusive Allow IP List you will lock yourself out of your administrator area!
Please look into the Exclusive Allow IP List documentation section for more information.
IPs added to the Administrator Exclusive Allow IP List are fully vetted as far as Admin Tools is concerned. This means that no security measure will be applied against them. Please place only very well trusted IPs in this list! If an attack is launched from this IP, it will not be blocked by Admin Tools!
When enabled, if the visitor's IP is in the IP Disallow List (see the following sections of this documentation about configuring it) they will immediately get a 403 Forbidden error message upon trying to access your site.
Normally, you can access your site's administrator area using a URL similar to http://www.example.com/administrator. Potential attackers already know that and will try to access your site's administrator area the same way. From that point they can try to brute force their way in (guess your username and password) or simply use the fact that an administrator area exists to deduce that your site is running Joomla! and attack it. By entering a word here, you are required to include it as a URL parameter in order to access your administrator area. For instance, if you enter the word test here you will only be able to access your site's administrator area with a URL similar to http://www.example.com/administrator?test. All other attempts to access the administrator area will be redirected to the site's home page, or blocked – depending on the Invalid administrator secret URL parameter action option. If you do not wish to use this feature, leave this field blank.
The secret URL parameter must start with a letter. If it starts with a number, you will immediately get an "Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script" error when trying to access your site's administrator back-end. It should also contain only lowercase and uppercase ASCII letters and numbers (a-z, A-Z, 0-9), dashes and underscores, in order to ensure the widest compatibility with all possible browser and server combinations.
Any other characters you use (such as: punctuation; special characters; Latin letters with accents or diacritics; Greek, Cyrillic, Chinese, Japanese and other ethnic script characters) will have to be URL-encoded. This makes it difficult and tricky to use, hence our recommendation not to use it.
Moreover note that some extended Unicode characters such as certain Traditional Chinese characters and Emoji cannot be used. They will be either rejected by the server or trigger a server protection which will lock you out from your site at the hosting level (you'll have to contact your host to unblock you).
Finally note that on most servers this is case sensitive, i.e. abc, ABC and Abc are three different secret words.
Some servers do not work with http://www.example.com/administrator?test due to their configuration. You may want to try using http://www.example.com/administrator/?test (add a slash right before the question mark) or http://www.example.com/administrator/index.php?test (add /index.php right before the question mark). One of them is bound to work on your server. Unfortunately, there is no way to know which ones will work on your server except for trying them out. The first one (http://www.example.com/administrator?test) works on 95% of servers and that's what we recommend trying out first.
Please be aware of some pitfalls with this feature:
This feature works by checking whether the URL used to log into your site has the secret URL parameter present in it. If your session expires and you try to access any backend page Joomla will redirect you to the site's administrator login page without the secret URL parameter. As a result you will be redirected to the frontend of the site and a Blocked Request will be logged against your IP with the reason “Admin Query String”.
If this happens too many times, e.g. because you have multiple background tabs opened to different administrator pages which get silently reloaded by your browser, or because your browser's “Frequently Used” / ”Top Sites” / similar feature tries to silently load an administrator page you are using frequently you may find that your IP is temporarily blocked.
The best way to prevent that from happening is to a. not have multiple administrator pages open in different tabs / browser windows at the same time; b. close all administrator page tabs when you are going to not be interacting with them for more than a minute or two; c. use Joomla's Logout feature when you are not going to be using your site's administrator for a few minutes; and d. set the session expiration time in your site's Global Configuration to a higher value which is representative of your workflow (e.g. 300 minutes if you are likely to leave an admin page open for up to 5 hours before coming back to it).
Alternatively, set the “Browser cookie override for the administrator secret URL parameter” to a setting other than Disabled.
As alluded to above, sometimes you may see that your IP is blocked even though you haven't tried visiting your site's administrator, with Blocked Requests recorded from your IP address with the reason “Admin Query String”. This is NOT a bug in Admin Tools. It's how your browser works. Most modern browsers have a pinned sites, reading list and/or frequently visited sites feature which is updated every time you open a new browser window or tab and sometimes also updated in the background, without further interaction from you. This means that your browser is accessing an administrator URL on your site because it appears in one of these features. If this URL does not contain the secret URL parameter and your session has expired, a Blocked Request from your IP address is recorded.
There is no way for Admin Tools (or anything on your server, really) to know that these requests are automated background requests from your browser. As far as your browser is concerned, these are legitimate requests coming from a real browser. Since the Joomla session does not have the administrator secret URL parameter set when this happens they will be treated as requests to be blocked.
The only thing you can do is either disable these features on your browser (or at least remove any administrator URLs to your site from these features); OR set the “Browser cookie override for the administrator secret URL parameter” to a setting other than Disabled; OR not use the administrator secret URL parameter.
In fact, we recommend using the Administrator Password Protection feature instead of the administrator secret URL parameter: it is more secure, more reliable, more resistant to Denial of Service attacks and does not suffer from the accidental locking out of your IP address. The downside is that the Administrator Password Protection feature only works on Apache and Litespeed, the two servers which support .htaccess files.
If you are sharing your public (Internet-facing) IP address with other people, e.g. in an IPv4 network using NAT to access the Internet, if one person gets the IP address blocked then all people behind the same IP address are blocked as well. This is very important if you are working in an office / company with other developers, site integrators and site administrators on a public site. One member of the team gets blocked, everyone is blocked. This is not a bug; as far as the site's server knows, it receives requests from the same IP address regardless of the person, machine or browser being used. This problem is mostly resolved if both you and the server are using IPv6. In this case each machine has a different IP address, even when using the equivalent of NAT under IPv6.
Choose the action to take if an attempt was made to access the administrator without a valid secret URL parameter. The default action is Redirect, which redirects the user to the frontend of the site. The other option is Block, which will instead show the blocked request message and stop execution.
In both cases a blocked request is logged for the user's IP address. This option does not affect whether a blocked request log entry will be created; it only affects what happens after the blocked request entry is created. Most people prefer the subtle "maybe you shouldn't be here" subtext of redirecting to the site's frontend. Some people want to be more affirmative with a message that notifies the other end they are caught doing something they shouldn't. That's all there is to this option.
As noted above, when your login session expires and you try to access an administrator page you will get redirected to the site's frontend and a Blocked Request will be logged against your IP with the reason “Admin Query String”. If that happens enough times — for example because your browser is trying to silently access administrator pages without your interaction such as when you have multiple background tabs open or because of its Frequently Visited / Top Sites / similar feature — you might have your own IP temporarily blocked, preventing you from accessing your site.
When this option is set to a value other than Disabled, Admin Tools will set a secure browser cookie when you log into your site's administrator. If this cookie is present and valid Admin Tools will allow you access to Joomla's administrator login page even if the URL does not include the Administrator Secret URL Parameter — like, for example, when your session expires. This allows you to log back into your site's administrator without a Blocked Request being logged for your IP address therefore without risking getting blocked off your site.
The cookie is removed from your browser and made invalid in the database when you a. log out of the site's backend (see caveat below); b. when you change the user's password (if Joomla's Remember Me plugin is published); and c. when a possible attack against this feature is detected.
Caveat: if you have enabled Linked Sessions on your site the cookie will be removed when you log out from either the backend or the frontend of your site. That's how Joomla works; it's not an Admin Tools bug. Joomla's Linked Sessions feature issues a logout on both the frontend and backend application in such a way that the backend application cannot discern whether it's a real backend logout or a Linked Sessions logout.
There are four settings for this option:
Disabled. This feature is disabled. No new cookies will be set and existing ones are ignored.
Enabled. This feature is enabled. New cookies are set when you log into your site, removed when you log out and used instead of the Administrator Secret URL Parameter when it is missing from the administrator login URL or the wrong secret URL parameter is used.
Enabled, notify when used. Same as “Enabled”, additionally prints a reminder message in the login page when this feature is used instead of the Administrator Secret URL Parameter.
Enabled, remind to use the full URL. Same as “Enabled, notify when used”, additionally prints a message reminding you to use the correct administrator login URL, not to have multiple browser tabs open in the background and log out when you are not going to be using the site's administrator pages for the next few minutes. Furthermore, if the last user who had logged into the site with the current browser was a Super User it will additionally print a reminder that you may need to adjust your Session Length and that this feature can be controlled from the Components, Admin Tools, Web Application Firewall, Configure WAF page.
We recommend setting this feature to “Enabled, notify when used” or “Enabled” on most sites. The “Enabled, remind to use the full URL” option is normally only necessary as a default, to remind Super Users that this feature exists and how to control it.
If you want to customise the message displayed when this is set to “Enabled, notify when used” and the first part of the message displayed when this is set to “Enabled, remind to use the full URL” you can do a language override for the language key PLG_ADMINTOOLS_MSG_ADMINPW_COOKIE.
If you would like to customise the second half of the messages printed to regular backend users and Super Users when this is set to “Enabled, remind to use the full URL” you can do a language override for the language keys PLG_ADMINTOOLS_MSG_ADMINPW_COOKIE_NONSUPERUSER and PLG_ADMINTOOLS_MSG_ADMINPW_COOKIE_SUPERUSER respectively.
The cookies for this feature are stored in Joomla's #__user_keys database table, along with Joomla's Remember Me secure cookie settings and possibly other third party extensions' secure cookie settings, as per Joomla's best practices for implementing any feature requiring the use of secure cookies. Joomla's Remember Me may remove ALL cookie settings for a user when the user logs out, their password changes or it detects a possible attack — this includes the secure cookie settings for Admin Tools itself. Third party extensions may remove secure cookie settings for a user under other circumstances as well. Before assuming this feature does not work please make sure that neither Joomla's Remember Me nor a third party extension are removing records from that table.
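An added illustration, not Admin Tools' own code, of the request check described in the Administrator secret URL parameter and Browser cookie override sections above: the documented secret-word constraints, the case-sensitive query string match, the Redirect/Block action with its “Admin Query String” Blocked Request entry, and a valid override cookie standing in for a missing or wrong parameter. The function names, the (decision, log reason) return shape and the sample URLs are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Documented constraints: must start with a letter; only a-z, A-Z, 0-9, dashes and underscores.
SECRET_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def validate_secret(secret):
    """True if the secret word obeys the constraints above (case is kept as typed, not folded)."""
    return SECRET_RE.fullmatch(secret) is not None


def evaluate_admin_request(url, secret, action="redirect",
                           cookie_override=False, cookie_valid=False):
    """Simulate the check for one request (hypothetical helper).

    Returns (decision, log_reason): decision is 'allow', 'redirect' or 'block';
    log_reason is 'Admin Query String' whenever a Blocked Request would be recorded.
    """
    parts = urlsplit(url)
    # Only the administrator area is guarded; frontend URLs are not this feature's concern.
    if not parts.path.startswith("/administrator"):
        return ("allow", None)
    # A blank secret means the feature is turned off.
    if not secret:
        return ("allow", None)
    # keep_blank_values keeps a bare '?test' (no '=value') as a present key.
    params = parse_qs(parts.query, keep_blank_values=True)
    if secret in params:                      # exact, case-sensitive match
        return ("allow", None)
    # Browser cookie override: a valid cookie stands in for the missing/wrong parameter.
    if cookie_override and cookie_valid:
        return ("allow", None)
    # Missing or wrong parameter: a Blocked Request is logged either way,
    # then the configured action (Redirect or Block) is applied.
    return (action, "Admin Query String")


def blocked_requests(urls, secret, **options):
    """Count the Blocked Requests a batch of requests from one IP would accumulate,
    e.g. background tabs silently reloading administrator pages after the session expired."""
    return sum(1 for u in urls
               if evaluate_admin_request(u, secret, **options)[1] is not None)
```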
When enabled, Admin Tools will prevent back-end users from trying to disable (unpublish) the plugin. This means that you will also be unable to unpublish the plugin until you disable this option!
By default, Joomla! allows users with back-end access to log in to the site at any time of the day. On smaller sites which have only a handful, or even just one, administrators in the same time zone this means that someone can try to log in with a stolen username / password while you are fast asleep and unable to respond to the unexpected login. This is where the Away Schedule comes into play. If a user with back-end login privileges tries to log in to the front- or back-end of your site between the "from" and "to" hour of the day they will be denied login. Moreover, if someone tries to access the administrator login page during that time they will be redirected to the front-end of the site – even if they have used the correct Administrator secret URL parameter.
Please note that this feature does not affect your regular users logging in to the front-end of your site. It only prevents users belonging to a group with the Admin Login privilege. You can check which groups have that privilege by clicking on the , menu of your site and visiting the Permissions tab.
The From and To times have to be entered in 24-hour format with leading zeros, e.g. 09:15 for a quarter past 9 a.m. and 21:30 for half past 9 p.m. The time is entered in your server's timezone, which may be different from the timezone you live in. For your convenience, the server's time at the time of the page load (in 24-hour format) is shown to you right below the Away Schedule.
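An added example, not Admin Tools' own code, showing why the server's timezone matters for the Away Schedule: the same UTC instant falls inside the away window on one server and outside it on another. The HH:MM parsing follows the documented 24-hour format; the use of a fixed UTC offset as a stand-in for the server's zone, the half-open window and the midnight wrap-around are my own assumptions.

```python
from datetime import datetime, time, timedelta, timezone


def parse_hhmm(value):
    """Parse the 24-hour 'HH:MM' form the Away Schedule expects (leading zeros, e.g. '09:15')."""
    if len(value) != 5 or value[2] != ":" or not (value[:2] + value[3:]).isdigit():
        raise ValueError(f"expected HH:MM with leading zeros, got {value!r}")
    hour, minute = int(value[:2]), int(value[3:])
    if hour > 23 or minute > 59:
        raise ValueError(f"out-of-range time {value!r}")
    return time(hour, minute)


def is_valid_hhmm(value):
    """Boolean wrapper around parse_hhmm for validating what an administrator typed."""
    try:
        parse_hhmm(value)
        return True
    except ValueError:
        return False


def parse_utc_offset(value):
    """Turn a '+HH:MM' / '-HH:MM' offset into a tzinfo.
    Assumption: a fixed offset stands in for the server's named zone (no DST handling)."""
    sign = -1 if value[0] == "-" else 1
    hours, minutes = int(value[1:3]), int(value[4:6])
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def in_away_window(now, start, end):
    """True when `now` falls inside the away period [start, end).
    Assumption: a 'to' earlier than 'from' means the period spans midnight;
    equal times mean no away period at all."""
    if start == end:
        return False
    if start < end:
        return start <= now < end
    return now >= start or now < end


def admin_login_allowed(utc_iso, server_offset, from_hhmm, to_hhmm):
    """Return True if a back-end user may log in at the given UTC instant (ISO 8601 string).
    The schedule is evaluated in the server's timezone, not the administrator's."""
    instant = datetime.fromisoformat(utc_iso)
    if instant.tzinfo is None:
        instant = instant.replace(tzinfo=timezone.utc)
    server_now = instant.astimezone(parse_utc_offset(server_offset)).time()
    server_now = server_now.replace(second=0, microsecond=0)
    return not in_away_window(server_now, parse_hhmm(from_hhmm), parse_hhmm(to_hhmm))
```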
This feature is provided WITHOUT SUPPORT.
This feature allows you to “mask” your site's administrator directory, in the same spirit as the “Administrator secret URL parameter” does.
Let's say you set this parameter to foobar and that your site's URL is https://www.example.com. If someone tried to access https://www.example.com/administrator directly they would be sent back to your site's homepage, and a blocked request would be recorded against their IP address. If someone tries to access https://www.example.com/foobar they will be redirected to https://www.example.com/administrator and they will see the admin login page.
Essentially, what you set here creates a SEF URL which “unlocks” access to Joomla's administrator directory.
There are some caveats:
You cannot use this feature if there is a Joomla menu item with the same Alias as what you enter in this option; this would prevent you from accessing your site's administrator.
If there is any kind of server-side configuration which prevents access to the SEF URL it will prevent you from accessing your site's administrator.
If a third party SEF or cookie blocker extension on your site blocks the SEF URL or the cookies set up by this feature it will prevent you from accessing your site's administrator.
This feature is incompatible with the Administrator Secret URL Parameter feature.
This feature requires cookies. Third party Joomla plugins and / or browser extensions may interfere with setting or reading these cookies, preventing you from accessing your site's administrator.
This feature checks your IP address. If you are on a mobile connection – or any other connection where the IP address constantly changes – you may get locked out of your site's administrator. If your IP address changes while you are logged into your site's administrator, you may get locked out of your site's administrator. If your browser tries to access your site's administrator to take screenshots for its most frequently visited feature's thumbnails (default in virtually all modern browsers) you may get locked out of your site's administrator.
This feature checks the User-Agent string of your browser. If it changes while you are logged into your site's administrator (e.g. browser or Operating System update, using a third party extension, using your browser's developer tools etc.) you may get locked out of your site's administrator.
There is a maximum allowed time of 180 seconds between accessing the SEF URL and accessing administrator. If that time is exceeded (slow connection, networking issues etc.) you may get locked out of your site's administrator.
As you can see, there are pretty significant failure modes for this feature. At the same time, it does not offer any substantial security benefits. You are much better off using the Administrator Password Protection feature, or simply setting up Joomla's built-in Multi-factor Authentication (MFA) for all back-end user accounts; we can tell you Joomla's MFA is very solid, as it is a renamed copy of our Akeeba LoginGuard extension which we maintained between 2016 and 2022 (we contributed it back to Joomla).
Though we know that the custom administrator folder feature is not a very good idea anymore, there are some folks who were irrationally angry when we announced we'd need to remove it. To satisfy this very vocal, but small, minority we are keeping this feature in Admin Tools but WITHOUT SUPPORT. We strongly advise against using it.