Released on: Friday, 16 November 2018 14:47
Rescue URL will tell you if you are using the wrong email address. Previously trying to use a wrong email address would display the message to check your email but no email was being sent. This led too many people to wrongly conclude that Rescue URL does not work when, in fact, they were simply entering their personal email address instead of the one associated with a Super User account on the site.
Administrator IP whitelist, Never Block these IPs: you can now add dynamic IP domain names instead of IPs by prefixing them with @. Let's say that you are using DynDNS and you've set up your Internet router to assign your IP address to the DynDNS domain example.dyndns.info. You can now add @example.dyndns.info in the administrator IP whitelist or never block these IPs features to prevent your IP (as synchronized to example.dyndns.info) from being blocked from your site. This feature works with any kind of dynamic DNS provider; we are simply getting the IP address of the domain name you put after the at-sign. Also note that you shouldn't overdo it; each at-entry you add has a small but measurable performance impact whenever a security exception occurs on your site.
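How an @-prefixed entry can be evaluated, as an added Python sketch that is not Admin Tools' own code: plain IP entries are compared directly, and each @hostname is resolved only if no plain entry matched. The function names, the injectable resolver and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
import socket


def resolve_host(hostname):
    """Return the address strings a hostname currently resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()  # an unresolvable name exempts nobody
    # Drop any IPv6 zone suffix ("%eth0") so the value parses cleanly.
    return {info[4][0].split("%")[0] for info in infos}


def is_exempt(visitor_ip, entries, resolver=resolve_host):
    """True if visitor_ip matches a plain IP entry or an @hostname entry."""
    visitor = ipaddress.ip_address(visitor_ip)
    hostnames = []
    for entry in (e.strip() for e in entries):
        if entry.startswith("@"):
            hostnames.append(entry[1:])
        elif entry and visitor == ipaddress.ip_address(entry):
            return True  # static match, no DNS lookup needed
    # Each @entry costs one DNS lookup, and only when this check runs.
    for hostname in hostnames:
        resolved = {ipaddress.ip_address(a) for a in resolver(hostname)}
        if visitor in resolved:
            return True
    return False


if __name__ == "__main__":
    # Constructed data: documentation-range IPs and a stub resolver.
    records = {"example.dyndns.info": {"203.0.113.7"}}
    stub = lambda name: records.get(name, set())
    allowlist = ["198.51.100.4", "@example.dyndns.info"]
    for ip in ("198.51.100.4", "203.0.113.7", "192.0.2.99"):
        print(ip, is_exempt(ip, allowlist, stub))
```

Because the exemption follows whatever the DNS record says, anyone who can change that record can exempt their own address, so keep the dynamic DNS account as well protected as the site itself.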
Joomla! 3.9 support. "Disable editing backend users' properties" and "Forbid frontend Super Administrator login" features now allow Joomla 3.9's privacy consent to go through.
Detect if the GeoIP Provider plugin was installed and then deleted but not uninstalled. Previously, installing the plugin and then deleting it without uninstalling it first would allow Admin Tools to display buttons to update the GeoIP database. However, since the plugin files were missing, that was impossible and led to a PHP Fatal Error (white page). Now we detect this anomaly and behave identically to when the plugin is not installed at all.
Cosmetic improvements to the PHP File Change Scanner progress modal. It now looks consistent with the rest of the application.
Referrer Policy option for web.config Maker and NginX Conf Maker. This feature has been ported from the .htaccess Maker to the web.config and NginX Conf Maker.
Bug fixes. We have addressed some known issues with our software. Please consult the CHANGELOG.
We only support Joomla! 3.4 or later, including 3.5, 3.6, 3.7, 3.8 and 3.9. We strongly advise you to run the latest available version of Joomla! for security reasons. Older versions of Joomla! have known major security issues which are being actively exploited to hack sites.
HEADS UP! We only test our software with the last two released Joomla! version branches.
Support for PHP 5.3 has been discontinued. PHP 5.3 has been end of life since August 2014 and is widely considered a security risk, unfit for production sites. Our software requires PHP 5.4 or later and is compatible with PHP 5.4, 5.5, 5.6, 7.0, 7.1 and 7.2. We currently offer preliminary support for PHP 7.3, which at the time of this writing is still in Release Candidate (testing) phase. We strongly recommend using PHP 5.6 or 7.2.
We'd like to remind you that Joomla! 3.4 does NOT support PHP 7. PHP 7 is only supported by Joomla! 3.5.0 and later versions.
HEADS UP! We will be dropping official support for PHP 5.4, 5.5 and 7.0 starting January 2019.
Disclaimer: this is not a legal advisory. Please consult your lawyer if you are unsure.
On May 25th, 2018 the European Union's General Data Protection Regulation (GDPR) comes into effect. We have been asked about how Admin Tools complies with it a few times. The following is our understanding of it but it does not constitute legal advice of any kind.
While storing IP information may be considered personally identifiable information, the GDPR makes an exception for IP information stored in the context of security. As such, the Admin Tools' security exceptions log and related IP whitelist, IP blacklist, automatic IP blocks and automatic IP blocks history are outside the scope of personal data protection.
Text log files may, however, contain privileged information as they capture the entirety of the request sent by the user to your site. We therefore recommend that you DISABLE the "Keep a debug log file" option in the Configure WAF page. Please note that if your logs directory is under your web root and you have not used Admin Tools' features, such as the .htaccess Maker, to secure these directories, all your logs may be publicly accessible. We recommend that you always make your logs and temporary directories inaccessible to the web for security reasons.
Furthermore, the GDPR calls for data minimization. To comply with this requirement we urge you to set the "Maximum security exceptions log entries" option to a non-zero value in the System - Admin Tools plugin. Typically, a value of 1000 to 10000 provides a good balance between data minimization and security.
The Project Honeypot and "Warn about use of well-known passwords" features do transmit information to third parties. However, this information is anonymous and should, therefore, fall outside the scope of the GDPR.
Finally, it is possible that in the past you may have enabled the feature to log failed login passwords. This might be a security concern or a violation of the GDPR. We have now removed that feature but you may still have information stored in your database. We recommend that you go to the Security Exceptions Log page, filter by reason "Login failure" and delete all records presented to you.