Support

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log blocked requests" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Blocked Requests Log. The latest log entry at the top should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that we can further help you.

You can look up the list of reasons each request has been blocked in https://www.akeeba.com/documentation/admin-tools/waf-log.html#waf-log-reasons

For “Admin Query String” it says: Someone tried to access your site's administrator section but he didn't provide the secret URL parameter. Admin Tools blocked him and prevented him from seeing the login page at all.

So, it has nothing to do with the IP workarounds. It tells you to look at the Administrator Secret URL Parameter feature: https://www.akeeba.com/documentation/admin-tools/web-application-firewall.html#wafconfopt-secret-url-param

Now you know what you need to do.

Go to Admin Tools, Web Application Firewall, Configure WAF, find the “Administrator secret URL parameter”. You need to tell your user to use it. If the secret URL parameter is fooBAR and the URL to your site is https://www.example.com then they need to access the administration interface's login as https://www.example.com/administrator/index.php?fooBAR (note that it's case sensitive).

I think I know what you missed. When running the Quick Setup Wizard it gives you the option to set it. You may have been using a password manager (your browser's or something integrated with your browser) which "helpfully" auto-filled a password it thought was relevant without you realising it. There used to be a way to prevent that using autocomplete="off" in password fields. It was abused in login forms so now browsers no longer take it into account, leaving us with no realistic way of preventing this problem.

You're welcome! Have a great day :)