Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Latest post by nicholas on Friday, 17 October 2025 00:16 CDT
Recently, I've been receiving email warnings about "nonewadmins" when I login to my frontend using my Administrator credentials. I'm NOT trying to create a new Super User account just logging into the frontend. Is there some setting in Admin Tools that I may have inadvertently set incorrectly? How can I prevent these nonewadmins messages from being issued when I login to the frontend with administrator credentials?
See emails attached
The "nonewadmins" message, as documented, means the following:
Someone tried to create or edit an administrator user from the backend of your site. In this context "administrator user" means any user who belong in one or more User Groups that gives them backend login privileges. In a default Joomla! installation these are the users belonging to the Manager, Administrator and Super User groups.
Let me elaborate. This is triggered by the feature "Disable editing user properties". When this feature is enabled, trying to modify the settings of an existing or create a new a Manager, Administrator or Super Administrator will fail. Essentially, every time the frontend of the site is trying to change your user's group assignment and the new list of user groups includes one or more groups which give the user backend access this email will be sent.
To be clear, Joomla itself DOES NOT change your user group assignment on login. This is something caused by a third party extension. Whichever extension it is, it should NOT be changing the user group assignment of users with backend access. You can only determine which extension is doing that by disabling third party user and system plugins one by one until you find which one does that.
Regarding the backend login email, I don't know what you want me to help you with. This email is only sent when a user logs into the administrator backend of your site.
If you are receiving this email when you are logging into the frontend of your site and you have enabled the Shared Sessions feature in your site's Global Configuration it's normal. The Shared Sessions core Joomla feature logs you into both the front- and backend of your site at the same time. I consider it a massive security hole (it hugely increases your exposure area to security mishaps), but it's an otherwise legitimate Joomla feature. I have been very vocal about this, and my very strong recommendation is to disable this feature. Other than that, everyone's an adult here, and far be it from me to tell people what to do – they may have a use case where the added security risk is acceptable compared to the ease of use this feature brings.
If you are receiving this email when you are logging into the frontend of your site and you have NOT enabled the Shared Sessions feature in your site's Global Configuration then you should be worried. It would mean that you have a third party extension which logs you into the backend of your site when you log into the frontend of the site and you have no idea about it. This means that you are exposing yourself to much mroe security risk than you understand, so you need to find what's doing it and disable it.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Hi Nicholas:
I'm trying to find out what is causing the nonewadmins email message that I'm receiving. As it turns out, I'm receiving this message every time I log on to the backend of my site, I originally thought I was getting the message from the frontend but on further examination it was the backend logon that was issuing the email. I thought about turning on the switch in my WAF configuration called DEBUG in the Logging and Reporting section. If I understand the documentation correctly, this switch will cause a log file to be created in the \\Public_HTML\loogs folder of my site. Correct? Will this DEBUG feature tell me which extension is trying to modify the Administrator account? Thanks, in advance, for any guidance that you can provide.
James Borders
The log file would not help us as it only records blocked requests. Your request is not blocked, though. You are just receiving an email. That would not get logged.
Even if that was logged, though, it would not tell us which extension is causing this. This feature is essentially a plugin handler for the user save event. Chances that any trace of the originating extension would be in the backtrace are very slim.
My approach to issues like that is to make a copy of the site in a subdomain using Akeeba Backup, make sure I can reproduce the issue, and start disabling plugins until I can no longer reproduce it. At this point I know which plugin caused it.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.
Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!