Support

The error message you are seeing is displayed by Admin Tools' Web Application Firewall (WAF) when it blocks a request.

Our documentation covers exactly this scenario: Admin Tools' WAF locked you out of your site

Here is a quick summary of how to regain access:

Option 1 — Rescue URL

Important: The Rescue URL works by bypassing WAF rules, but it cannot override an explicit IP deny list entry. Since you added your IP to the blacklist directly, this method will most likely not work in your case. We mention it here only in case the actual cause turns out to be different from what you described — if it fails, proceed straight to Option 2.

Go to:

https://www.feuerwehr-mosbach.de/administrator/index.php?admintools_rescue=YOUR_EMAIL

Replace YOUR_EMAIL with the email address of your Joomla Super User account. Admin Tools will send you a one-time rescue link by email. Open that link within 15 minutes — it must be opened from the same browser and IP address that made the request.

Option 2 — Temporarily disable the firewall via FTP / file manager

Using FTP or your hosting control panel's file manager, navigate to:

plugins/system/admintools/services/

Rename provider.php to provider-disable.php. This disables the Admin Tools system plugin so you can log back in to the Joomla backend. Once you have fixed the IP deny list, rename the file back to provider.php.

After regaining access

Go to Components → Admin Tools → Web Application Firewall and remove your IP address from the Site IP Deny List and/or the Auto IP Blocking Administration page.

A note on manually adding IPs to the deny list

Please only add an IP address to the Site IP Deny List if you are absolutely certain it belongs to a malicious actor. In particular, IPs that appear in the Exceptions Log or the Auto IP Blocking Administration page must not be copied to the deny list manually — Admin Tools already handles those automatically and will clear temporary blocks once the lockout period expires.

The reason this matters: the vast majority of attack traffic originates from residential IP addresses, and those addresses are constantly recycled and reassigned to new households. Permanently blacklisting them means that sooner or later a real visitor — someone with a genuine interest in your site — will be assigned one of those IPs and find themselves locked out through no fault of their own.

Admin Tools is designed to manage the IP blacklist for you in a way that protects the site while minimising collateral damage. It will only ever permanently blacklist an IP when it has observed relentless, sustained malicious traffic from that specific address. Adding entries manually works against that self-maintaining machinery and, in our experience, tends to cause exactly the kind of problem you have run into now.

Behind Load Balancer — should you enable it?

Your hosting at IONOS may route traffic through a load balancer, reverse proxy, or CDN. If that is the case, every request arrives at your server from the same infrastructure IP, which is why adding that IP to the deny list locked everyone out.

Before changing this setting, consider:

• If you are using a CDN or a service like Sucuri in front of your site, enable Behind Load Balancer — it is almost certainly the right call.
• If you are not using a CDN, contact IONOS and ask them explicitly whether your hosting plan routes traffic through a reverse proxy or load balancer (even something like Nginx proxying to Apache counts). Enable the option only if they confirm that it does.
• If you are not behind any proxy or CDN, do not enable it. Enabling Behind Load Balancer on a site that receives direct connections is actually counterproductive to security: it allows anyone to spoof their apparent IP address by injecting a forged X-Forwarded-For header, which is precisely why Joomla ships with this option disabled by default.

To change the setting if appropriate:

1. Go to System → Global Configuration in your Joomla backend.
2. Under the Server tab, set Behind Load Balancer to Yes.
3. Save the configuration.