Support

Admin Tools

#43126 intermittent 403 error

Posted in ‘Admin Tools for Joomla!’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
6.1.1
PHP version
8.4.23
Admin Tools version
7.8.9

Latest post by nicholas on Tuesday, 07 July 2026 01:42 CDT

paulcu
When I visit my clients website I have no difficulty and it loads up just fine. The public side loads up, I can log in to the admin, etc. without any issue.

However some other people (members) get the following message:

— 403 We detected that your latest request may have been part of suspicious activity and has been blocked. (see screenshot - our default 403 error page)

We do have the current version of Admin Tools on a Joomla 6.1.1 website and haven't really customized the application

Any ideas or thoughts on whats causing this?

nicholas
Akeeba Staff
Manager

Ask them for their IP address at the time they receive this message. Look it up in Admin Tools, Web Application Firewall, Blocked Requests Log. What is the Target URL and Reason listed there? That's the only way you can possibly troubleshoot it. Otherwise, all you know is that something they did was very likely blocked by Admin Tools' WAF because of one of the features you have enabled but you have no idea what they did, or which feature it was blocked by.

If I were to blindly guess, I would say the most common cause is that they are entering the wrong username or password and you've enabled the option to treat failed logins as blocked requests. However, that's a wild guess. I really need the Target URL and Reason to be able to tell you if my guess is right.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

paulcu
Looking at the Blocked Request Log I'm seeing two different failures:

1) The first is obvious and easily explained:
— {website}/login
— Login failure

2) The second one is a bit more obscure:
— {website}//component/users/login?Itemid=101&task=user.login
— Login failure
* I cannot find anything related to this URL and 101 point to the home page ID

3) The bigger concern is that we have people simply trying to visit the sites landing page/home page and they get the 403 error instead. As I mentioned this is intermittent. One user told me that "after about 10 page refreshes, athe 403 error was gone and hte site loaded properly"

nicholas
Akeeba Staff
Manager

1 & 2 are the same. The former is your login page menu item. The latter is where the login module form POSTs the login information to. Same issue, same fix. Go to Admin Tools, Web Application Firewall, Configure WAF, Hardening Options, set "Treat failed logins as a reason for blocking the request" to No.

3. They got blocked by trying to log in. They tried again and again, still got blocked. Then they tried going to the home page, but their IP address was now temporarily blocked from accessing any page of the site. Since this is a TEMPORARY IP block, it expires after a while. Therefore, they were able to access the site just fine.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

paulcu
#3) Nobody was trying to log in, they were simply visiting the website landing page. Or are you saying that you think they were trying to reload the site after a failed log in and then get the 403?

My understanding is that people were getting the 403 when simply visiting the site before attempting to log in.

nicholas
Akeeba Staff
Manager

I am saying that they were already blocked when they visited the home page.

Have you or have you not matched log entries to their IP addresses?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

paulcu
I understand but I believe in this case this was occurring to individuals who hadn't tried logging in yet.

No we're waiting for another instance of an error to document time and IP — as soon as that happens I'll be in touch.

nicholas
Akeeba Staff
Manager

There is a reason I have been asking you to check the IPs and tell me if there are log entries and, if there are, what is the Target URL and Reason. This information dramatically changes the context of my response to you.

If you get no log entries for these IPs, my next step is to ask you if you see any log entries, and whether they all have the same IP, or an IP from a small set of 3–10 IPs. In the former case it's not Admin Tools, end of troubleshooting on my end. In the latter case I tell you to set Behind Load Balancer in Joomla which I cannot tell you to do if this is not the case as enabling it when it's not necessary creates a security issue (this option is only valid without causing a security issue – instead fixing one – when your site is behind a CDN, load balancer, reverse proxy, TLS terminator, or similar infrastructure).

If you do get log entries the Target URL and Reason will tell me why your users are getting blocked. There are too many decision branches going off from there to even write down.

When you told me in your previous reply that you see a Login Failure reason and gave me the two Target URLs I understood that you had done all of that, we are in the "log entries exist for these IPs, here's what they have to say" decision branch of this troubleshooting process and gave you an answer based on that. Since that's not the case, I am now starting this troubleshooting afresh, throwing away your previous response.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!