#37497 Admin tools rejecting administrator login

Posted in ‘Admin Tools for Joomla!’

Environment Information

Joomla! version
3.10
PHP version
7.4
Admin Tools version
6.7

tblueweb

I have several sites with Admin Tools that I am forever having to disable. I flip the IP workaround and next login attempt disabled. As far as I know my sites aren't behind a proxy. I host these sites, I am a HostGator reseller. I am about to hand a new site to the client and they are not FTP or cPanel savvy.

nicholas
Akeeba Staff
Manager

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log blocked requests" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Blocked Requests Log. The latest log entry at the top should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that we can further help you.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

tblueweb

Here is the log entry:

2022-07-21 12:15:27 MDT     104.28.123.73 Admin Query String https://josephfammartino.com/administrator/

nicholas
Akeeba Staff
Manager

You can look up the list of reasons each request has been blocked in https://www.akeeba.com/documentation/admin-tools/waf-log.html#waf-log-reasons

For “Admin Query String” it says: Someone tried to access your site's administrator section but he didn't provide the secret URL parameter. Admin Tools blocked him and prevented him from seeing the login page at all.

So, it has nothing to do with the IP workarounds. It tells you to look at the Administrator Secret URL Parameter feature: https://www.akeeba.com/documentation/admin-tools/web-application-firewall.html#wafconfopt-secret-url-param

Now you know what you need to do.

Go to Admin Tools, Web Application Firewall, Configure WAF, find the “Administrator secret URL parameter”. You need to tell your user to use it. If the secret URL parameter is fooBAR and the URL to your site is https://www.example.com then they need to access the administration interface's login as https://www.example.com/administrator/index.php?fooBAR (note that it's case sensitive).

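The check described in the reply above, as an added sketch that is not part of the ticket and not Admin Tools' own code. The function name `adminLoginGate()` and the sample URLs are hypothetical; only `fooBAR` and the reason text come from the thread, and accepting the key with or without a value is an assumption of this sketch.

```php
<?php
// Added illustration, not Admin Tools code. adminLoginGate() and the sample
// URLs are hypothetical; 'fooBAR' and the reason text come from the ticket.

const REASON_ADMIN_QUERY_STRING = 'Admin Query String';

/**
 * Returns null when the login page may be shown, or the block reason.
 *
 * @param string $secret Configured secret word; '' means the feature is off.
 * @param string $url    Requested administrator URL.
 */
function adminLoginGate(string $secret, string $url): ?string
{
    if ($secret === '') {
        return null;
    }

    // No query string at all (bare /administrator/) yields ''.
    $query = (string) parse_url($url, PHP_URL_QUERY);

    foreach (explode('&', $query) as $pair) {
        // "?fooBAR" has no "=", so only the key part is compared.
        // Assumption: "?fooBAR=anything" is treated the same way.
        $key = rawurldecode(explode('=', $pair, 2)[0]);

        // Byte-wise comparison: case-sensitive and constant-time.
        if (hash_equals($secret, $key)) {
            return null;
        }
    }

    return REASON_ADMIN_QUERY_STRING;
}

// Constructed sample requests.
$samples = [
    'https://www.example.com/administrator/',
    'https://www.example.com/administrator/index.php?fooBAR',
    'https://www.example.com/administrator/index.php?foobar',
    'https://www.example.com/administrator/index.php?option=com_login&fooBAR',
];

foreach ($samples as $url) {
    $reason = adminLoginGate('fooBAR', $url);
    printf("%-75s %s\n", $url, $reason === null ? 'login page shown' : "blocked: $reason");
}
```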

tblueweb

Thank you,

I must have missed somewhere along the way that that parameter was used by default. I had never set the secret URL before.

Have a great weekend.

nicholas
Akeeba Staff
Manager

I think I know what you missed. When running the Quick Setup Wizard it gives you the option to set it. You may have been using a password manager (your browser's or something integrated with your browser) which "helpfully" auto-filled a password it thought was relevant without you realising it. There used to be a way to prevent that using autocomplete="off" in password fields. It was abused in login forms so now browsers no longer take it into account, leaving us with no realistic way of preventing this problem.


tblueweb

Thanks, makes sense, it's a handy feature and I am glad I know how now :-)

Tc and have a great week.

nicholas
Akeeba Staff
Manager

You're welcome! Have a great day :)

