#36982 Template in URL

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
3.10
PHP version
7.4
Admin Tools version
6.1.5

Latest post by nicholas on Thursday, 21 April 2022 07:44 CDT

hbproph

Hi Team,

Currently I'm getting hundreds of template in URL attacks; I'm not sure what the reason behind it is.

My question is, is there a possibility to set up Admin Tools so that only the template in URL attack will immediately ban the IP address?

I couldn't find this info.

Thanks for your help!

nicholas
Akeeba Staff
Manager

First let's see if you are getting attacked.

People are trying to use the Email button in the articles to send a copy. This core Joomla feature adds the current template's name in the URL, which is why it's being blocked. To work around that we have the option “Allow site templates”, which allows this kind of behaviour.

However, are you sure you want to use the Email button in your articles? It's known that it can be used to send spam, since there's no check possible on the email address being used. Essentially, it lets anyone send an email from your site with any message they want (plus a link to the article). In other words, anyone can spam anyone else with the sender appearing to be your own site. This is a big problem and the reason we have this option disabled by default.

If you do not intend to use the Email feature in Joomla, change your article options to NOT show the Email button. This can be set site-wide in Content, Articles, Options, Articles tab, set “Show Email” to Hide. Doing that means that the only hits you get for the mailto component are spammers trying to use a direct URL instead of stray users clicking the wrong button. So now go to Components, Admin Tools, Web Application Firewall, WAF Deny List and click on the green New button in the toolbar. Change the following settings in the form:

  • Published: Yes
  • Application: Frontend
  • Component: com_mailto

Click on Save & Close. Any attempt to use Joomla's Mailto component (the internal component which handles the Email button) will be immediately blocked and recorded as a blocked request. Nothing further to do, let spammers hit their head on a brick wall until they get a concussion ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
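The two rules Nicholas describes (the generic "template in URL" block, relaxed by “Allow site templates”, and the WAF Deny List entry for com_mailto), as an added example that is not part of this ticket and not Admin Tools' own code. It runs over a few constructed Apache-style log lines and reports which rule each request trips, so you can see that a Deny List entry for com_mailto keeps catching the Email-button spam even after site templates are allowed. Assumptions: the URL shape `option=com_mailto&tmpl=component&template=...` imitates what Joomla 3's article Email icon generates, the order in which the two rules are checked is a modelling choice (Admin Tools' real precedence may differ), and the IPs and log lines are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache-style), not taken from the ticket. The first two
# imitate the URL shape Joomla 3's article Email icon produces (option=com_mailto plus
# a template= parameter); the last carries a stray template= parameter on an article view.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2022:07:00:01 +0000] "GET /index.php?option=com_mailto&tmpl=component&template=protostar&link=aHR0cHM6Ly9leGFtcGxlLm9yZy8= HTTP/1.1" 403 0
203.0.113.11 - - [21/Apr/2022:07:00:05 +0000] "POST /index.php?option=com_mailto&task=send HTTP/1.1" 403 0
198.51.100.7 - - [21/Apr/2022:07:01:00 +0000] "GET /index.php?option=com_content&view=article&id=42 HTTP/1.1" 200 9876
198.51.100.8 - - [21/Apr/2022:07:02:00 +0000] "GET /index.php?option=com_content&view=article&id=42&template=beez3 HTTP/1.1" 403 0
"""

# Common/combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip/method/status and the flattened query string of one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "query": {k: v[0] for k, v in query.items()},
    }


def classify(query, deny_components=frozenset({"com_mailto"}), allow_site_templates=False):
    """Model the two WAF rules from the thread.

    Assumption (not Admin Tools' real precedence): the Deny List entry is checked first,
    so a com_mailto hit is attributed to the Deny List rule even when it also carries
    template=. 'Allow site templates' only relaxes the template-in-URL rule.
    """
    option = query.get("option", "")
    if option in deny_components:
        return "deny-list:" + option
    if "template" in query and not allow_site_templates:
        return "template-in-url"
    return "pass"


def summarize(log_text, **rule_options):
    """Count verdicts, and blocked requests per source IP, over a log text."""
    verdicts, blocked_per_ip = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["query"], **rule_options)
        verdicts[verdict] += 1
        if verdict != "pass":
            blocked_per_ip[rec["ip"]] += 1
    return verdicts, blocked_per_ip


if __name__ == "__main__":
    default, per_ip = summarize(SAMPLE_LOG)
    relaxed, _ = summarize(SAMPLE_LOG, allow_site_templates=True)
    print("default rules:", dict(default))
    print("allow site templates:", dict(relaxed))
    print("blocked requests per IP:", dict(per_ip))
```

With the default rules all three requests carrying `template=` or `com_mailto` are blocked; with `allow_site_templates=True` the stray article request passes while both mailto hits still land on the Deny List, which is the configuration Nicholas recommends for a site that does not use the Email button.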

hbproph

Hi Nicholas,

Thank you for your response!

I'm a bit confused, so I attached a screenshot for you. Is it because of this option that I got hundreds of template in URL?

I also have share Facebook and WhatsApp buttons there; is that also causing issues?

Can you please help me with what I should do?

I really need that option; hundreds of my visitors share the article with that option. How can I then keep this option but still not get hacked with the template in URL trick?

Thanks for any tip!


nicholas
Akeeba Staff
Manager

No, the problem is not what you have in your screenshot, this comes from a different plugin or module on your site.

Look to the right of the red rectangle area in your screenshot. See the blue button with the cog wheel? Click on it. These are the Joomla article icons. See the email one? That's the problem. You can solve that problem in the way I told you in my previous reply.

Also note that Joomla's Email button won't lead to your site getting hacked BUT it can be used to send spam. This is a problem in and of itself because if your site sends a lot of spam it gets blacklisted and you can no longer deliver any email messages to your clients.


hbproph

I disabled it immediately.

But then I think I'm back where the problem started.

I have hundreds of template in URL attacks.

And as I have a separate plugin to share via email, I really don't think I got those warnings because of that; I think none of my visitors use the Joomla share email option, as I have a way better and more convenient solution for that.

You know, on this site I'm sharing sensitive content about the covid narrative and about the real background of the Russian-Ukrainian war.

I'm pretty sure the site is targeted by several hackers and agencies.

So then I think my template in URL warnings from Admin Tools are real attacks and mostly have nothing to do with the Joomla share email thingy.

I'm really worried about when they will break my site. I'm even using physical security keys to log in to the backend.

Any advice please: how can I block every template in URL attempt?

Or maybe any tip for me to watch out for something?

nicholas
Akeeba Staff
Manager

I really do understand Joomla security. You are apparently using LoginGuard to protect your login with a hardware key; I've written that too. I have contributed many security features and fixes to Joomla itself over the years and will continue doing that.

Let me tell you why I care about site security. I am a democrat. I believe in the cornerstone of democracy which is everyone has the intrinsic and inalienable right to an opinion and to express it in public even if — or should I best say: especially when — I personally don't agree with it. My engagement with website security comes from my deep sense of democratic duty. I will always give you my honest security advice regardless of who you are and whether I agree with what you're saying.

I am telling you in perfect honesty that your site is NOT going to be hacked by these spam attacks. What you see is a very simple attempt to send spam using run-of-the-mill spam bots operated by garden-variety gangsters trying to make a quick buck off people's misery. I recommend reading Spam Nation by Brian Krebs to understand how spam works.

About your comment regarding the number of blocked requests. The goal is NOT to have zero logged blocked requests. That would mean that either Admin Tools does not protect you OR that you have restricted your site so much as to get no traffic. Neither is good. There's actually a section in our documentation explaining that and why the number of blocked requests is NOT a metric about the security status of your site. So just let Admin Tools do its thing and block these spam bots. That's all there is to it, really.


hbproph

Hi Nicholas see attachment please, I couldn't post it here it was too long

hbproph

And again with the attachment...

nicholas
Akeeba Staff
Manager

> I’m not sure if we are talking about the same thing here, I’m using Joomla general option to use physical security key during login with a Yubico key.

Yes, I am the developer who made and contributed Joomla's Two Factor Authentication. The YubiKey authentication is indeed something I wrote.

Joomla's Two Factor Authentication was meant to be a temporary solution which should've lasted 12-18 months. That was 10 years ago. Back then the plan was to go from Joomla 3.2 (when it was contributed) to Joomla 3.5 in six months, and another six months after that to 4.0 where we could implement the real Two Factor Authentication. The plan changed, the temporary solution was left in the core for ten years and now we have reached the point where it's well past the point it is showing its limitations. Akeeba LoginGuard addresses these limitations. A future version of Joomla will actually include the code we've written for LoginGuard. Whether this will be 4.2 or 5.0 I can't tell you yet, it's not up to me — it's up to the production leadership.

> I’m not sure which is better but as Joomla gave the possibility to use key at login I thought I’m not going to use some additional module.

> Or that is not good?

It is good, but a very old method which can be conceivably phished.

The best method in terms of security right now is Web Authentication (WebAuthn). LoginGuard supports it as a two factor authentication method. Joomla 4 supports it as a primary login method — it is strong enough that it does not require a second authentication factor.

Since you are stuck on Joomla 3 it would make sense for you to use LoginGuard with WebAuthn as the second authentication factor. If you have a YubiKey 4 or later you don't even have to upgrade your hardware.

> I’m also monitoring my physical server and saw tons of SSH and brute force attacks there. Let's hope the firewall will do its job there.

> What a pity that you don’t have a solution for servers.

Why reinvent a perfectly round wheel? Use certificate authentication for SSH and disable interactive (password) login.

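Nicholas's SSH advice (key or certificate authentication only, interactive password login disabled), as an added example that is not part of this ticket and not Akeeba's code: a small Python audit that parses an `sshd_config` the way sshd does (comments, case-insensitive keywords, first occurrence wins, `Key=value` accepted) and reports whether the effective settings match that policy, using sshd's documented defaults for any directive that is absent. Both config fragments are constructed; the CA key path in the hardened one is a placeholder, and `Match` blocks are deliberately left out of scope.

```python
import re

# Constructed sshd_config fragments (not from the ticket). The first still accepts
# passwords; the second is the key-only, no-interactive-login setup recommended above.
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
# Optional: also accept keys signed by your own SSH CA (certificate authentication).
# Placeholder path, not a real file on this page.
TrustedUserCAKeys /etc/ssh/user_ca.pub
"""

# directive -> (value sshd assumes when the directive is absent, acceptable values).
# Defaults follow sshd_config(5); ChallengeResponseAuthentication is the older name
# of KbdInteractiveAuthentication and is held to the same requirement.
POLICY = {
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "challengeresponseauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}),
}


def parse_sshd_config(text):
    """Return the global-section directives of an sshd_config as {lowercase_key: value}.

    Mirrors sshd's rules: '#' starts a comment, keywords are case-insensitive, the
    first occurrence of a keyword wins, and 'Key=value' is accepted as well as
    'Key value'. Parsing stops at the first Match block; its conditional overrides
    are out of scope for this check.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def audit(text):
    """Return {directive: (effective_value, compliant)} for every directive in POLICY."""
    settings = parse_sshd_config(text)
    report = {}
    for key, (default, allowed) in POLICY.items():
        effective = settings.get(key, default)
        report[key] = (effective, effective in allowed)
    return report


def is_hardened(text):
    """True when every directive in POLICY is compliant."""
    return all(ok for _, ok in audit(text).values())


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: hardened={is_hardened(cfg)}")
        for directive, (value, ok) in audit(cfg).items():
            print(f"  {'OK ' if ok else 'BAD'} {directive} = {value}")
```

The weak fragment fails on three counts: it allows passwords explicitly, it never sets `KbdInteractiveAuthentication` (so the default `yes` applies and keyboard-interactive password prompts remain available to brute-force bots), and it permits root login with a password. Run the audit against the real file only after confirming key login works from a second session, since locking yourself out is the usual failure mode of this change.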