You are looking for the “Browser cookie override for the administrator secret URL parameter” option in the “Basic Features” tab of the Configure WAF page.
Per the documentation (https://www.akeeba.com/documentation/admin-tools-joomla/web-application-firewall.html#waf-configure-basic-protection) the options are:
-
Disabled. This feature is disabled. No new cookies will be set and existing ones are ignored.
-
Enabled. This feature is enabled. New cookies are set when you log into your site, removed when you log out and used instead of the Administrator Secret URL Parameter when it is missing from the administrator login URL or the wrong secret URL parameter is used.
-
Enabled, notify when used. Same as “Enabled”, additionally prints a reminder message in the login page when this feature is used instead of the Administrator Secret URL Parameter.
-
Enabled, remind to use the full URL. Same as “Enabled, notify when used”, additionally prints a message reminding you to use the correct administrator login URL, not to have multiple browser tabs open in the background and log out when you are not going to be using the site's administrator pages for the next few minutes. Furthermore, if the last user who had logged into the site with the current browser was a Super User it will additionally print a reminder that you may need to adjust your Session Length and that this feature can be controlled from the Components, Admin Tools, Web Application Firewall, Configure WAF page.
The default setting is “Enabled, remind to use the full URL” which is more or less the ‘training wheels’ setting; very verbose on purpose to help you understand what just happened.
If you want to leave this feature enabled — which apparently you need, considering that you ended up not getting blocked on your site exactly because it kicked in and saved you — you should use the “Enabled” setting. It does its magic without showing anything in the login page. The only downside? You don't know when it's kicked in which might mislead you into thinking that the Secret URL Parameter feature is not working.
The “Enabled, notify when used” is the solution to the downside I mentioned. It only prints a very short message when you are given access to the login page thanks to the cookie. This will help you understand that the Secret URL Parameter feature does work indeed but the browser cookie override kicked in to prevent you from getting your IP address accidentally blocked from your own site.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!