Support

Documentation

Admin Tools' Web Application Firewall (WAF) locked you out of your site

It's easy to be overzealous and apply very strict security settings for the Web Application Firewall of Admin Tools. An overzealous configuration, a misbehaving third party extension or a misconfigured server can cause you to be accidentally locked out of your own site. Here we'll see how to fix that.

Step 1. Regain access to your site's administrator

There are two ways to regain access to your site, Rescue Mode and FTP.

Using the Rescue Mode to regain access to your site's administrator
[Important]Important

Note that if you are not the only Super User on your site, or if you used another company / freelancer to build your site, it's possible that they have turned off Rescue Mode. If these instructions don't work you should assume Rescue Mode is not available or disabled on your site.

Assuming that your site's URL is http://www.example.com and your Super User email address is This email address is being protected from spambots. You need JavaScript enabled to view it. you need to visit the following URL to request a Rescue URL to be sent to you:

http://www.example.com/administrator/index.php?admintools_rescue=This email address is being protected from spambots. You need JavaScript enabled to view it.

You will see the message "Check your email for Rescue URL information" printed on your screen.

Check your email. You will receive an email from your site with a Rescue URL. The Rescue URL looks like this:

http://www.example.com/administrator/index.php?admintools_rescue_token=4vJPFH8pkpFdVkjz0Ej7VUi6gUt39lmkMS36sjmQV6hCTZZ36b2snqWVY6PrxqHdvyb4B3DI8VSUyLbMuYcgNrrZ0WPgDDPB

Do note that the part after admintools_rescue_token is very long and completely random. Also note that it's only valid for use from the SAME browser and IP address that you requested a Rescue URL to be sent to you. The link is only valid for a short period of time (default: 15 minutes). All of that is done for security reasons!

Visit the Rescue URL either by clicking on it or by copying it and pasting it to your browser's address bar. If all goes well you will see your site's administrator backend login page or the Joomla! administrator control panel. If you see the login page just log in with the Super User account which corresponds to the email you used when requesting a Rescue URL to be sent to you.

[Tip]Tip

If you were logged in as a different Super User account you will still be blocked. You will need to repeat this process using the email address of the Super User account you were logged in with on your site. Alternatively, use your browser's Private Browsing mode to request and visit the Rescue URL.

Now you can go to Components, Admin Tools and unblock yourself. Remember that you have a limited period of time (default: 15 minutes) for security reasons!

Using FTP to regain access to your site's administrator

The failsafe way to regain access to your site's administrator backend is using an FTP application or your hosting control panel's File Manager to rename a file.

Go inside the plugins/system/admintools/admintools directory on your site (on older versions of Admin Tools: plugins/system/admintools). You will see a file named main.php. Rename it to main-disable.php. This will turn disable the Web Application Firewall from executing and you can access your site's back-end again.

After you have fixed the cause of your issue remember to rename main-disable.php back to main.php, otherwise your site will remain unprotected!

If you are still blocked

There are two cases where the Rescue URL feature, or renaming the Admin Tools system plugin's file, will not help you. These are the two cases where Admin Tools has created a server configuration file, meaning that you are blocked by your server, not Admin Tools.

The first case is the Administrator password protection feature. Please delete the files named .htaccess and .htpasswd from your site's administrator directory.

The other case is when you've used the .htaccess Maker feature of Admin Tools. In this case there's a .htaccess file in your site's root. You may want to replace its contents with the default Joomla! .htaccess file content.

In both cases you should not that the files have names beginning with a dot. That makes them hidden. You will need to enable the display of hidden files to edit / delete those files. If you are unsure how to do that please ask your host and tell them that you need to edit/delete hidden files. Usually they will point out an option in their hosting control panel's file manager.

If you are still blocked your issue is unfortunately unrelated to Admin Tools. Do you have another security plugin on your site? If you do, check its settings. If not, check with your host. More often than not, hosts have their own server security systems which can block you out of your site. If you are unconvinced follow the the instructions under "Using FTP..." above. Doing that you prevent Joomla! from loading Admin Tools' code at all. If you can reproduce your issue when Joomla! cannot load Admin Tools' code you can be certain that your issue is completely unrelated to Admin Tools. Code which isn't loaded cannot run. Code which doesn't run cannot affect your site.

Step 2. Unblock yourself

In most cases the easiest way to unblock yourself is simply going to Components, Admin Tools and click the big Unblock My IP button. If this doesn't work, or the button is not visible, follow the instructions below.

Do remember to end the Rescue Mode or renamed back main.php after you're done unblocking yourself!

Automatically banned IP address

Go to Web Application Firewall and click the Exceptions Log button. Delete all records with your own IP address. Then, go back to Web Application Firewall and click on the Auto IP Blocking Administration button. Select the record showing your IP address and click on the Delete button to delete the block.

[Tip]Tip

Don't know what your IP address is? Just visit whatismyipaddress.com to find out!

If this problem keeps happening without you doing anything and the IP blocked is NOT the same as the one reported by whatismyipaddress.com you will have to do one more thing. Go to Components, Admin Tools, Web Application Firewall and click on the WAF Configuration button. In the first tab set Enable IP workarounds to Yes, no matter what the automatically detected recommendation is.

If that was not the case, you have two options. The first is to troubleshoot the reason of the ban. Go to Components, Admin Tools, Web Application Firewall, Security Exceptions Log and check the Reason and Target URL for the entries which have your IP address in the IP address field. Find the reason in the "List of blocking reasons" documentation page to find out why you're being blocked. If you are not sure what that means, please file a support ticket remembering to copy the information from the Security Exceptions Log. Kindly note that you need to have an active subscription to receive support.

The second option at your disposal is adding your IP address to either of the IP whitelists, as follows.

The first approach is to add your IP address to the Administrator IP Whitelist. Using this option will limit access to the administrator section of your site only to the IPs listed in the whitelist. We strongly recommend you to not use it unless you and all of your back-end users have static IP addresses. In all other cases you may get blocked out of your site. Go to Components, Admin Tools, Web Application Firewall and click the Administrator IP Whitelist button. Add your own IP address.

The second approach is to use the Safe IP List. All IPs in that list will not be automatically banned. In order to do that, go to Components, Admin Tools, Web Application Firewall and click on the WAF Configuration button. Inside the Auto-ban Repeat Offenders area find the Never block these IPs field. This is a comma-separated list. Add the IPs you want to never be automatically blocked separated by commas on that list.

Administrator IP Exclusive Allow List

If you have enabled the administrator exclusive allow IP list you have to make sure that your IP address is included in the exclusive allow list to be able to access your site. Go to Components, Admin Tools, Web Application Firewall and click the Administrator IP Exclusive Allow List button. Add your own IP address.

[Warning]Warning

Don't use the Administrator IP Exclusive Allow List if your ISP assigns an IP address dynamically. This is the default unless you are paying them extra for a "static IP".

IP Deny List

If you have enabled the IP Deny List you have to make sure that your IP address is not included in the blacklist in order to be able to access your site. Go to Components, Admin Tools, Web Application Firewall and click the Site IP Deny List button. Remove your own IP address.

Administrator Secret URL parameter

If you have forgotten your Administrator Secret URL parameter go to Components, Admin Tools, Web Application Firewall, Configure WAF, click on the Basic Protection Features tab and find the Administrator secret URL parameter option. Change or remove all of the text in that box to reset or unset, respectively, this feature.