Support

If you only have the HTTP 400 error when accessing administrator, but not the fronted, and you have used the Administrator Password Protection feature please delete the files administrator/.htaccess and administrator/.htpasswd. Remember these are hidden files, you will need to tell your (S)FTP client or your hosting control panel to show hidden files to see them and delete them.

Otherwise, follow the instructions in https://www.akeeba.com/documentation/admin-tools-joomla/atwafissues.html to regain access (these are the J4 instructions; the video is indeed from J3), then fix the Allowed Domains and/or Exclusive Allow IP Lists feature you suspect you got wrong.

OK, deep breath, we need to combine the first action I described in my previous reply and the second recommendation of the troubleshooting page I linked you to.

First, use FTP, SFTP, or your hosting control panel's file manager to go into the administrator folder (important!) and delete the .htaccess and .htpasswd files you see there. This removes the “Unauthorised” page and the login box. In fact, this is the Administrator Password Protection feature which I had already guessed you have enabled on accident, without noting down the username and password you used in it.

Now go back to your site's root and navigate into plugins/system/admintools/services. You will see a file named provider.php. Rename it to provider-disable.php. This will turn disable the Web Application Firewall from executing and you can access your site's back-end again.

Now you can log into your site's backend.

Go to Components, Admin Tools for Joomla!, Web Application Firewall, Configure WAF and adjust the settings you said you worked with last.

About the Allowed Domains feature. You have not told me what's your site's URL, otherwise I'd have told you exactly what to do here — and the reason we are asking for this information in the ticket. If your site is example.com or www.example.com you need to enter example.com in the Allowed Domains. If your site is something like whatever.example.com you need to enter whatever.example.com in the Allowed Domains. If your site can be accessed from multiple domains you need to enter all domains there following the examples I mentioned before (bare domain or www -> you enter the bare domain; subdomain other than www, you enter the full domain with subdomain).

Once you are ready to test if your changes made a difference go to Components, Admin Tools for Joomla!. There's a message about the plugin being disabled with an action button to re-enable it. Admin Tools detects that the provider.php file was renamed to provider-disable.php (and only that name, that's why I told you to use that name); the action button renamed that file back to provider.php, re-enabling Admin Tools' system plugin.

If this didn't work, it's basically rinse and repeat. Rename the file again and reconfigure WAF.