Hello, I am experiencing an issue with Admin Tools repeatedly blocking my IP address. This happens frequently while I am working in the administration panel, and I cannot figure out which specific action triggers the block.
#42456 Repeated IP blocking while working in backend
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
5.4
PHP version
8.3
Admin Tools version
7.8.3
Latest post by nicholas on Sunday, 23 November 2025 15:04 CST
Sunday, 23 November 2025 15:04 CST
nicholas
Akeeba Staff
Manager
It tells you that it's the block reason is the Admin Query Parameter.
Go to Components, Admin Tools, Web Application Firewall, Configure WAF, Basic Features. You will see the "Administrator secret URL parameter", "Invalid administrator secret URL parameter action" and "Browser cookie override for the administrator secret URL parameter" options. You can read about them in the documentation.
My suggestion would be the following.
Go to Components, Admin Tools, Web Application Firewall, Configure WAF, Basic Features. Set "Browser cookie override for the administrator secret URL parameter" to Enabled.
Then go to Joomla's System, Global Configuration page, System, and increase the "Session Lifetime (minutes)" to something more reasonable. I have found that settings between 60 and 240 (that's one to four hours) work better than the default 15 minutes for most users.
Further to that, get into the habit of NOT leaving an open tab to an admin page of your site in your browser. When you go back to that tab, your session has probably already expired. As explained in the documentation, this clears the session flag used by Admin Tools to note that you have provided the secret URL parameter already. As a result, when Joomla tries to take you back to the login page it won't have the secret URL parameter, which will trigger the Admin Query Parameter block reason unless you have "Browser cookie override for the administrator secret URL parameter" set to one of the Enabled options and your browser presents a valid cookie. Best avoid this entire uncertainty by getting into the habit of closing the tabs of your backend sessions, and always access your site using the URL which includes the secret URL parameter.
Finally, I would like to remind you that I had told you about your other browsers (on the same or other devices) contributing to this problem in ticket 41047 from August 2024. You really do need to methodically go through all of them and make sure they are not trying to create thumbnails for any of your admin page on your site.
Even better, I would suggest NOT using the secret URL parameter feature at all. Instead, use the administrator password protection feature and Multi-factor Authentication for all backend users. This is a far more effective solution. The secret URL parameter was a temporary solution added to Admin Tools back in the Joomla 1.5 days when some extensions used to place public files in the administrator folder, making the admin directory password protection feature not work very well with them. The location of public files was standardised as a recommendation in Joomla 3, formalised as a requirement in Joomla 4, and enforced in many ways in Joomla 5.4 and 6.0. There is no reason to use the secret URL parameter feature when you can now use the admin directory password protection; it protects you against bots just as well, using less server resources, and without ending up blocking your IP address when you or your browser try to access your admin pages without providing the password.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!