Support

Admin Tools

#42968 Deactivate users on failed login when user registration is disabled

Posted in ‘Admin Tools for Joomla!’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
6.1.0
PHP version
8.5.3
Admin Tools version
7.8.7

Latest post by forrestkirby on Friday, 22 May 2026 17:44 CDT

Friday, 22 May 2026 04:36 CDT

forrestkirby

Dear Akeeba team,

I would like to enable the feature “Deactivate users on failed login” in Akeeba Admin Tools for my Joomla website. I understand from the warning and the documentation that it does not do anything if “Allow User Regstration” is set to `No`. I don’t need user registration on my website. However, I am not sure which is better – if one can even clearly say this: (1) No user registration and no deactivation on failed logins or (2) user registration and deactivation on failed logins. Do you have any advise on which option should be preferred? Thank you.

Kind regards
Thomas

Friday, 22 May 2026 06:05 CDT

nicholas

There's a reason this is not allowed: an attacker could log you out of your site :) If someone knows your username they could keep trying to log into your site with it and with the same obviously wrong password, triggering this feature. This would block your user account, essentially locking you out of your site. The user registration is required so that Joomla can send you a user account activation link which you can use to re-enable your user account.

Frankly, if you have user registration turned off you are better off NOT using this feature. It is for a completely different use case than yours. What I would recommend is turning on MFA in Joomla itself – this used to be a separate product of ours (Akeeba LoginGuard) before I contributed it into Joomla itself a few years ago.

The next version of Admin Tools also has an interesting feature which treats logins to "forbidden" usernames (commonly used for credentials stuffing) as blocked requests. This would work wonders in what I assume is the problem you are trying to solve: lots of requests trying to guess login information to your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 22 May 2026 17:44 CDT

forrestkirby

Great, this makes sense. Thank you very much!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!