#40163 404Shield

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Friday, 19 January 2024 09:44 CST

marvays

Hello.
I have a follow-up question about the 404Shield.
How does blocking occur?
From the description, I understood the principle of how 404Shield works. But I don't know how fast it is. In the SEO component, I see lots and lots of 404s to WP admin pages. Can I set the bot to be blocked immediately when it tries any WP admin page?

nicholas
Akeeba Staff
Manager

It's not about how fast it is, it is about the order of operations.

When you try to access a URL like https://www.example.com/foo/bar/baz what happens is this.

The web server first checks if the foo/bar/baz path refers to a directory or file which exists on the server's disk. It sees it does not. This is when the SEF part of the .htaccess kicks in. It tells the web server to instead load Joomla's index.php file.

Joomla does not actually work with these kinds of paths. It needs URL parameters, like option=com_foo&view=bar&task=baz. So, at this point, it calls its SEF subsystem to convert the path to URL parameters.

This is the point where your SEF component kicks in. Your SEF component does its magic and figures out it does not, in fact, know how to handle this path. It records a 404 in its database table, and returns an empty result to Joomla.

Joomla! sees the empty results and goes "hm, I guess I can't handle this URL". So it throws an Exception with code 404.

This is the point where Admin Tools kicks in. Admin Tools checks to see if the error code is 404, and whether the path we're handling matches one of the configured paths. If it does, it creates a blocked request log entry and processes the automatic IP blocking rules. Then, it hands execution back to Joomla.

Joomla's error handler sees the 404 and loads the corresponding error page (by default, it's the same error page every time, the error.php of the template). And that's the end of the request. The result is handed back to the browser.

Since Admin Tools kicks in after your SEF component, yes, the 404 is recorded by both components. This is normal. The idea behind 404Shield is to not tip the hand of the attacker by immediately blocking the request to a WordPress URL, but let them show us if they are some poor sod who screwed up and entered the wrong URL to the wrong site (I've done that myself, switching between Joomla and WordPress sites during development…), or if it's an attacker. Only in the latter case do we want to block that IP address and show them a message that they should please go away posthaste.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

marvays

Thank you for the explanation.
I'm interested in that last paragraph. How long will an attacker try random wp addresses before being blocked? I assume that if it tries addresses for a long time, it can load the server. Or am I dealing with it unnecessarily?

nicholas
Akeeba Staff
Manager

> How long will an attacker try random wp addresses before being blocked? I assume that if it tries addresses for a long time, it can load the server. Or am I dealing with it unnecessarily?

The key to answering this question yourself is what I said above:

> If it does, it creates a blocked request log entry and processes the automatic IP blocking rules

Now go to Components, Admin Tools for Joomla, Web Application Firewall, Configure WAF, and click on the Auto-ban tab.

If you have enabled the "IP blocking of repeat offenders" option you will see below when someone will get blocked.

As an example, let's say you have selected the following options:

  • IP blocking of repeat offenders: Yes
  • Block IP after this many blocked requests: 3
  • Time period: 1
  • Unit of time measurement: Minutes
  • Block duration: 15
  • Unit of time measurement for block duration: Minutes

If the same IP address causes 3 caught 404s within 1 minute they will be blocked for 15 minutes.

As to resource usage, no, it's not significant in most cases. The thing is that they are annoying and if they are not stopped they might ramp up their requests which does, indeed, waste enough resources to start making an impact on page load for legitimate users – hence this feature.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
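
The order of operations and the auto-ban settings described in the two replies above, as an added simulation that is not part of the original posts and is not Admin Tools' own code. The path patterns, the glob-style matching and the exact window boundary are assumptions; the 3 / 1 minute / 15 minutes values are the ones from the example settings.

```python
from collections import defaultdict, deque
from fnmatch import fnmatchcase

# Assumed shield patterns; the real list is whatever you configure in Admin Tools.
SHIELD_PATTERNS = ["wp-admin*", "wp-login.php", "wp-content*"]
# Values from the Auto-ban example in the reply above.
MAX_BLOCKED, WINDOW_SECS, BAN_SECS = 3, 60, 15 * 60


def simulate(requests):
    """Take time-ordered (unix_time, ip, path, status); return (time, ip, outcome)."""
    hits = defaultdict(deque)   # ip -> times of blocked-request log entries
    banned_until = {}           # ip -> time at which the ban lapses
    outcomes = []
    for ts, ip, path, status in requests:
        if banned_until.get(ip, 0) > ts:
            outcomes.append((ts, ip, "rejected: IP is banned"))
            continue
        # The shield only acts once Joomla has raised a 404 for a configured path.
        shielded = status == 404 and any(
            fnmatchcase(path.lstrip("/"), p) for p in SHIELD_PATTERNS)
        if not shielded:
            outcomes.append((ts, ip, "not counted"))
            continue
        window = hits[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECS:
            window.popleft()    # forget entries older than the time period
        if len(window) >= MAX_BLOCKED:
            banned_until[ip] = ts + BAN_SECS
            window.clear()
            outcomes.append((ts, ip, "404 logged, IP banned"))
        else:
            outcomes.append((ts, ip, "404 logged"))
    return outcomes


# Constructed sample traffic (documentation IP ranges, made-up timestamps).
SAMPLE = [
    (0,   "198.51.100.7", "/wp-login.php", 404),    # one wrong-site typo
    (5,   "203.0.113.9",  "/wp-admin/", 404),
    (9,   "203.0.113.9",  "/wp-login.php", 404),
    (12,  "203.0.113.9",  "/no-such-article", 404),  # 404, but not a shielded path
    (20,  "203.0.113.9",  "/wp-content/plugins/x.php", 404),  # third hit in 60 s
    (30,  "203.0.113.9",  "/", 200),                # arrives during the ban
    (925, "203.0.113.9",  "/", 200),                # ban (until t=920) has lapsed
]

if __name__ == "__main__":
    print(*simulate(SAMPLE), sep="\n")
```

The request that trips the threshold still receives the normal 404 page; only later requests from that IP are rejected, and a single mistyped WordPress URL never reaches the threshold.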
