It's easy to be overzealous and apply very strict security settings for the Web Application Firewall of Admin Tools. An overzealous configuration, a misbehaving third party extension or a misconfigured server can cause you to be accidentally locked out of your own site. Here we'll see how to fix that.
There are two ways to regain access to your site, Rescue Mode and FTP.
Note that if you are not the only Super User on your site, or if you used another company / freelancer to build your site, it's possible that they have turned off Rescue Mode. If these instructions don't work you should assume Rescue Mode is not available or disabled on your site.
Assuming that your site's URL is
http://www.example.com and your Super User
email address is
to visit the following URL to request a Rescue URL to be sent to
You will see the message "Check your email for Rescue URL information" printed on your screen.
Check your email. You will receive an email from your site with a Rescue URL. The Rescue URL looks like this:
Do note that the part after admintools_rescue_token is very long and completely random. Also note that it's only valid for use from the SAME browser and IP address that you requested a Rescue URL to be sent to you. The link is only valid for a short period of time (default: 15 minutes). All of that is done for security reasons!
Visit the Rescue URL either by clicking on it or by copying it and pasting it to your browser's address bar. If all goes well you will see your site's administrator backend login page or the Joomla! administrator control panel. If you see the login page just log in with the Super User account which corresponds to the email you used when requesting a Rescue URL to be sent to you.
If you were logged in as a different Super User account you will still be blocked. You will need to repeat this process using the email address of the Super User account you were logged in with on your site. Alternatively, use your browser's Private Browsing mode to request and visit the Rescue URL.
Now you can go to Components, Admin Tools and unblock yourself. Remember that you have a limited period of time (default: 15 minutes) for security reasons!
The failsafe way to regain access to your site's administrator backend is using an FTP application or your hosting control panel's File Manager to rename a file.
Go inside the
plugins/system/admintools/admintools directory on
your site (on older versions of Admin Tools:
plugins/system/admintools). You will see a file
main.php. Rename it to
main-disable.php. This will turn disable the Web
Application Firewall from executing and you can access your site's
After you have fixed the cause of your issue remember to rename
main-disable.php back to
main.php, otherwise your site will remain
There are two cases where the Rescue URL feature, or renaming the Admin Tools system plugin's file, will not help you. These are the two cases where Admin Tools has created a server configuration file, meaning that you are blocked by your server, not Admin Tools.
The first case is the
The other case is when you've used the .htaccess
Maker feature of Admin Tools. In this case there's a
.htaccess file in your site's root. You may want
to replace its contents with the default
Joomla! .htaccess file content.
In both cases you should not that the files have names beginning with a dot. That makes them hidden. You will need to enable the display of hidden files to edit / delete those files. If you are unsure how to do that please ask your host and tell them that you need to edit/delete hidden files. Usually they will point out an option in their hosting control panel's file manager.
If you are still blocked your issue is unfortunately unrelated to Admin Tools. Do you have another security plugin on your site? If you do, check its settings. If not, check with your host. More often than not, hosts have their own server security systems which can block you out of your site. If you are unconvinced follow the the instructions under "Using FTP..." above. Doing that you prevent Joomla! from loading Admin Tools' code at all. If you can reproduce your issue when Joomla! cannot load Admin Tools' code you can be certain that your issue is completely unrelated to Admin Tools. Code which isn't loaded cannot run. Code which doesn't run cannot affect your site.
In most cases the easiest way to unblock yourself is simply going to, and click the big Unblock My IP button. If this doesn't work, or the button is not visible, follow the instructions below.
Do remember to end the Rescue Mode or renamed back main.php after you're done unblocking yourself!
Go toand click the button. Delete all records with your own IP address. Then, go back to Web Application Firewall and click on the button. Select the record showing your IP address and click on the button to delete the block.
Don't know what your IP address is? Just visit whatismyipaddress.com to find out!
If this problem keeps happening without you doing anything and the IP blocked is NOT the same as the one reported by whatismyipaddress.com you will have to do one more thing. Go to , , and click on the button. In the first tab set Enable IP workarounds to Yes, no matter what the automatically detected recommendation is.
If that was not the case, you have two options. The first is to troubleshoot the reason of the ban. Go to Reason and Target URL for the entries which have your IP address in the IP address field. Find the reason in the "List of blocking reasons" documentation page to find out why you're being blocked. If you are not sure what that means, please file a support ticket remembering to copy the information from the Security Exceptions Log. Kindly note that you need to have an active subscription to receive support., , , and check the
The second option at your disposal is adding your IP address to either of the IP whitelists, as follows.
The first approach is to add your IP address to the Administrator IP Whitelist. Using this option will limit access to the administrator section of your site only to the IPs listed in the whitelist. We strongly recommend you to not use it unless you and all of your back-end users have static IP addresses. In all other cases you may get blocked out of your site. Go to, , and click the button. Add your own IP address.
The second approach is to use the Safe IP List. All IPs in that list will not be automatically banned. In order to do that, go to Auto-ban Repeat Offenders area find the Never block these IPs field. This is a comma-separated list. Add the IPs you want to never be automatically blocked separated by commas on that list., , and click on the button. Inside the
If you have enabled the administrator exclusive allow IP list you have to make sure that your IP address is included in the exclusive allow list to be able to access your site. Go to, , and click the button. Add your own IP address.
Don't use the Administrator IP Exclusive Allow List if your ISP assigns an IP address dynamically. This is the default unless you are paying them extra for a "static IP".
If you have enabled the IP Deny List you have to make sure that your IP address is not included in the blacklist in order to be able to access your site. Go to, , and click the button. Remove your own IP address.
If you have forgotten your Administrator Secret URL parameter go to Components, Admin Tools, Web Application Firewall, Configure WAF, click on the Basic Protection Features tab and find the Administrator secret URL parameter option. Change or remove all of the text in that box to reset or unset, respectively, this feature.