Support

For starters, this message DOES NOT COME FROM ADMIN TOOLS. Admin Tools does not scan your site automatically (only when you run the PHP File Change Scanner yourself), it does not scan files other than .php and does not send you an email with this content.

This message comes from your host. They are using their own scanner.

The second point to be made is that they are detecting that a static text (XML) file is “malicious” which makes no sense. That's a static file, it is non-executable. It's the extension's manifest file, listing the extension's files and configuration options.

Please contact your host and let them know that their scanner is doing something wrong.

OK, now that ticket starts making sense :) The way I'd read it is that you wanted the stop Admin Tools sending this message. That was the reasonable assumption of what “this” referred to.

So, first, I will have to ask you how did you determine that it was a particular Super User account installing this module. Did you check the Apache access log? Did you check the User Actions Log in Joomla? Or are you just assuming?

Moreover, since you must have gone through that already, have you checked which IP address that login came from? Does it match one of the people who legitimately have access? (Also, why are you using a single Super User account for everyone, preventing attribution of an action, making your life hard and violating the basic operational security tenet that every physical user must have at least one discrete user account?).

How sure are you that it's not one of your users with legitimate access trying to do something potentially stupid without consulting you? If you are absolutely sure about it, have you enabled the administrator secret URL parameter and/or the administrator password protection features in Admin Tools? Is it suitable for your use case to use the IP Exclusive Allow List? Have you considered that it's possible to have Two Step Verification / Two Factor Authentication enabled if you have one user per physical person that has that level of access to the site? If your problem is political rather than technological (VIP user known to do stupid things insists on having Super User access) there's not much you can do.

Without having all these questions answered nobody can answer your question which can be best rephrased as “how long is a “piece of string’?”.

The administrator password protection will also help as it effectively blocks access to the entire administrator application unless you provide the (common for both backend users) username and password.

You can set up two step verification for both of your super users with Akeeba LoginGuard. Set it up to be mandatory for users in the Super Users group, set it to be disallowed for users in the Registered group and remove the Registered group from your super user accounts. As for the authentication method, I very strongly recommend using WebAuthn with hardware security keys e.g. Security Key NFC by Yubico. This method is incredibly secure and unphishable (unlike six digit codes). Being able to use the site upon login requires physical possession of that hardware key. This is what we use for our own user accounts here at Akeeba — both front- and backend, because Joomla's frontend still has editing capabilities which can cause serious damage if compromised by an attacker.

The admin password protection and the secret URL parameter are part of the Quick Setup Wizard in Admin Tools. They are the very first two options you see on that page. Yes, I am trying to herd you towards improved security 😉

Two Factor Authentication / Two Step Verification is something that has prominently featured in all my security presentations from early 2012 onwards. Back then Two Factor Authentication was something implemented in Admin Tools, that code was then contributed to Joomla. Unfortunately soon after (early 2013) there was a stupid decision in the Joomla project not to allow contributions of any feature which required third party service or hardware, effectively banning contributions of security features (it's been lifted since circa 2017, thank $deity). That's why I'd been developing my U2F Two Factor Authentication plugins between 2013 and 2016, replaced with Akeeba LoginGuard since 2016. Joomla 4 includes another contribution of mine, integration with WebAuthn which brings passwordless, unphishable authentication to Joomla — Joomla is the first and only PHP CMS to offer this feature out of the box!

Now, a quick peek into the future.

In the next 2–3 years with ever improving WebAuthn support in browsers and Operating Systems expect to get rid of passwords once and for all. I'm already pushing Joomla towards this direction.

My vision for 2025 / Joomla 5 is that you will log into your site by entering a username and clicking a button. At this point you will either use a secure and/or biometric control feature of your Operating System (Windows PIN, FaceID / TouchID on Apple devices, fingerprint scanner on Windows and Android, face scan on Windows) or a secure hardware key to log in. Your site will not be accepting a password to log in once you set up WebAuthn for authentication. This makes password stuffing and brute forcing attacks completely useless.

Better yet, it gets your site logins as close to unhackable as you can realistically get! Due to the awesome way WebAuthn works it won't even be storing a hash of your password, it will only be storing a public key. Password hashes can be cracked, with some effort. A typical fully random 12 character password takes about a million GPU compute-years to crack from a hash, still in the realm of feasibility but unlikely. A typical user-selected password takes about ten GPU compute-hours, meaning that a data leak (such as a read-only SQL injection attack or a misplaced backup) can indeed be used to realistically hack your site by a non-sophisticated adversary — even a noob can run hashcat on an Amazon GPU-enabled EC2 instance.

WebAuthn instead relies on public key cryptography with the private key remaining safely inside your device's secure hardware (TPM, Secure Enclave, ...) or your FIDO2 hardware authenticator (e.g. a Security Key by Yubico). The only thing your site stores is the public key. Deriving the private key from the public key requires millions to trillions of GPU compute-years which makes it outright impractical. That's why this 1970s encryption technology still protects all your secrets, from your device's storage (e.g. Windows' BitLocker, macOS' FileVault etc) to your web traffic (HTTPS) to your banking information and so on and so forth. The only way to realistically crack it is if there's a practical quantum computer and that's a big maybe as we're talking about thousands of qubits when every practical quantum computer is in the order of a few dozen qubits.

So, an attacker will no longer hope to guess or steal your password, they would no longer be able to crack stored passwords, their only way to hack you would be a complete compromise of your site or server. It becomes extraordinarily hard to subvert a site.

That's where we're headed. I hope you like that direction :)