Released on: Monday, 26 July 2021 07:05
We went through the entire Admin Tools feature set with a fine comb, questioning every default and every feature implementation, identifying issues and resolving them. This new version has a substantial amount of improvements to help you run a safer, more efficient site with less effort.
Added default rules to not block DuckDuckGo, Baidu, Yahoo and Yandex indexers. The default settings for not blocking IPs and domain names now include GoogleBot, MSN Bot (used by Bing) and the bots used by DuckDuckGo, Baidu, Yahoo and Yandex.
Repair and Optimize tables is now possible again on Joomla 4. This feature was temporarily removed from Joomla 4 because the MySQLi driver in Joomla 4 does not support the database commands necessary for this feature. In this version we are applying a workaround which allows us to execute the required database commands, allowing us to reintroduce these features for Joomla 4.
You can now choose the protection mode for the Administrator password protection. The administrator password protection used to be an all or nothing affair. With the changes we are introducing in this version you can choose if you want to block everything (like it used to be, default option), just the .php files or only Joomla's index.php file. This allows you to easily customise your protection level in case you are using third party extensions which require frontend accessible files in their backend directory. While that practice is bad, you now have at least an option to allow these extensions to function without completely removing the protection of your administrator login.
.htaccess Maker: Disable client-side risky behavior in static content. With this option you can send a specially crafted Content-Security-Policy HTTP header for the allowed static files which instructs the browser to not allow them to run any embedded or externally referenced script content. This is a step up from the protection effected by the Neutralise SVG script execution option we introduced several months ago. This protection applies to all files, including .html files, making your site safer than before.
Explicitly allowed domain names.
You can now tell Admin Tools the domain names your site is allowed to be accessed on. This effectively and elegantly
mitigates HTTP Host header spoofing attacks. We very strongly recommend using this feature instead of
$live_sitecode> parameter in your site's configuration.php file. Furthermore, this
option is designed to bring as little maintenance headache upon you as possible. You only need to provide either the
non-www or www version of your domain name; the other version (www or non-www respectively) will be added
automatically. This means you can't accidentally lock yourself out of your site due to a endless redirection loop,
unlike what happens with the $live_site in configuration.php. You do not need to add any domain name which resolves
to an internal network address; these are automatically allowed, unlike what happens with the $live_site in
Updated the default offline.html file contents with modern CSS. When you use the Emergency Off-Line Mode your site visitors will no longer be seeing a page that looks like it was designed in the late 1990s. It's also smaller and easier to understand when you try to customise it.
Admin password protection will now reset error pages using an even more aggressive method. A few months ago we added an option to reset the custom error pages when setting up the Administrator Password Protection. What we did is tell the web server to use its default error pages. However, it transpired that some hosts really have no brains whatsoever and set the default error pages to non-existent files! This meant that the problem we were trying to solve was still unsolved on some — thankfully very few — badly configured servers. This time around we will reset them to a hardcoded short message. Regardless of how bad the server setup is this will solve the problem with the Administrator Password Protection leading to Joomla's 404 page instead of your browser asking you for a username and a password.
Clean temp folder: only files and folders over 60 seconds old will be deleted. Joomla uses the temporary directory to install updates to itself and extensions. Its extensions use the temporary folder to handle and make transformations on bigger files. If one of these operations is in progress when the Clean Temp Folder code kicks in (for example if another administrator logged into the site runs the feature or if it runs automatically because you've asked the plugin to automate this) it's conceivable that the undergoing process, e.g. updating your site or an extension, would fail. Admin Tools will only delete files and folders created more than 60 seconds ago to prevent this kind of issue. 60 seconds is typically longer than how much time is required for an update process to run to completion on most sites.
Bug fixes and minor improvements. Please take a look at the CHANGELOG below.
Please consult our Compatibility page. It explains our version support policy and lists which versions of our software are compatible with which versions of Joomla and PHP.