Quick Setup

Important

This section applies only to Admin Tools Professional and refers only to its security features.

Tip

You can quickly apply all of the following settings by using the Quick Setup Wizard page of Admin Tools. A prominent link to that page appears at the top of your site's administrator section (rendered as a standard Joomla! error message) until you either run the wizard, configure Admin Tools manually through the Configure WAF and .htaccess Maker / NginX Conf Maker / web.config Maker pages, or import a configuration from the Import Settings page.

If you have already configured Admin Tools you will NOT see the Quick Setup Wizard button any more.

While the Quick Setup documentation section and the Quick Setup Wizard feature will help you get started with basic protection for your site, we very strongly advise that you read the documentation in its entirety. It will help you understand the different ways Admin Tools protects your site and the impact each option may have on your site's operation.

Warning

If you have already configured Admin Tools and wish to change its configuration you are NOT supposed to use the Quick Setup Wizard. In fact, this is not supported and we will provide no support if you choose to do that. Instead go to Admin Tools, Web Application Firewall, Configure WAF to configure the Joomla! system plugin protection settings, or Admin Tools, .htaccess Maker (or NginX Conf Maker or web.config Maker, depending on your web server) to configure the server-level protection settings.

The fundamental purpose of Admin Tools Professional is to let you secure your site. Setting up your site's security does require some tweaking, however, as each site has a different structure and different needs from the next. When you first install Admin Tools Professional you may feel a bit overwhelmed by the abundance of security options. The good news is that setting it up is not even half as hard as it looks! In this tutorial we go through the basic security configuration and point you to what to do next.

Go to the back-end of your site, click on Components, Admin Tools, Web Application Firewall, Configure WAF and set the following settings (each of them is optional):

  1. Administrator secret URL parameter. If you enter "foobar" (without the quotes) in here, then you must access your site's backend as http://www.example.com/administrator?foobar, i.e. append a question mark and the secret word. If you skip the ?foobar part you cannot even see the login page. If you do not want to enable this feature, delete its contents and leave this field blank. Treat the value like a password: use a long, random word rather than something guessable. Keep in mind that this only hides the login form from automated scanners and casual attackers; it is not a substitute for strong Super User passwords.

    Important notes: This field contains either your existing Administrator secret URL parameter (if you have already configured one) or a new, random one if no Administrator secret URL parameter is set up on your site yet. Do keep in mind that if you have disabled the Administrator secret URL parameter and you run the Quick Setup Wizard again (NOT RECOMMENDED AND NOT SUPPORTED!) a NEW, COMPLETELY RANDOM value will be shown in this field.

  2. Enter your email address in Email this address on successful back-end login and Email this address on failed back-end login. Admin Tools will then send you an email whenever anyone tries to log in to your site's back-end as a Super Administrator. The minute you receive an email which wasn't triggered by a trusted person, you know you have to take your site off-line a.s.a.p. This is a very useful feature: it will send you an email even in the unlikely case that someone, for example, hacks your Wi-Fi, steals your login cookie and then uses your own Wi-Fi connection and login cookie to log in to your site, a scenario which no IP-based check could catch because the request comes from your own address.

  3. Set Hide/customise generator meta tag to Yes and enter something obscure in the Generator tag. I usually jokingly set "Drumlapress" in there, muddying the waters as to which CMS I'm really using. Be creative! This is a low-priority item, but it defeats "dork scanning". Normally Joomla! emits its own name in the (invisible) generator meta tag of every HTML page on your site. An attacker finds targets with Google "dorks", i.e. search queries such as "Joomla! 1.5" which return sites running a particular CMS version. This feature replaces the generator tag, so your site no longer shows up in such searches. Bear in mind that it removes only this one fingerprint; the /administrator path, the default template and media file paths still identify Joomla! to anyone who looks at the site directly.

  4. Optional but highly recommended: go to http://www.projecthoneypot.org/httpbl_configure.php and create a Project Honeypot account. After registering, visit that URL again and you will see something called "HTTP:BL key". Copy it and paste it into Admin Tools' Project Honeypot HTTP:BL Key field, then set Enable HTTP:BL filtering to Yes. Why? Project Honeypot analyses data from a vast number of sites and positively identifies IPs currently used by hackers and spammers. This Admin Tools feature integrates with Project Honeypot, checking your visitors' IP addresses against its list. Visitors whose IP is on the black list (known hacker or spammer) are blocked from accessing Joomla!.

  5. Optional, but highly recommended: enable the IP blocking of repeat offenders. This feature blocks IPs which raise repeated security exceptions on your site, which gives us strong reason to suspect they belong to attackers. You may not want to enable this feature until you are sure everything is working smoothly, so that you don't accidentally lock yourself out of your site. If that does happen, take a look at https://www.akeebabackup.com/documentation/troubleshooter/atwafissues.html

  6. There are a couple of potentially annoying features in Admin Tools Professional's Web Application Firewall. These features have a strong tendency to throw false positives, i.e. to mark legitimate requests as attacks. These features are:

    • CSRF/Anti-spam form protection (CSRFShield)

    If you are not a very advanced user we strongly recommend turning them off; all of them are considered "paranoid security" features and require you to be on the lookout for false positives and apply workarounds (WAF Exceptions, adding IPs to the "Never block these IPs" list, etc.). Problems are especially common on sites with a forum or a payment system, as these generate most of the false positives. Most sites do not need these features enabled; in fact, we disable them on most of our own sites.
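To make steps 4, 5 and 6 concrete, here is an added example (written for this page, not Admin Tools' own code) of the two IP checks they describe: decoding a Project Honeypot HTTP:BL answer into a block decision, and counting security exceptions per IP so that repeat offenders are blocked while addresses on a "never block" list stay exempt. The DNS name format and the 127.days.threat.type answer encoding are Project Honeypot's documented HTTP:BL protocol; the thresholds, the class and function names, the log line format and the `example-reason-*` labels are assumptions made for the illustration, and the HTTP:BL key shown is a dummy.

```python
"""Added example, not Admin Tools' code: the IP checks from steps 4, 5 and 6 above.
Thresholds, the log format and the 'example-reason' labels are assumptions."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Step 4: Project Honeypot HTTP:BL is a DNS blacklist. Resolve
# <key>.<reversed IPv4>.dnsbl.httpbl.org; an A record 127.<days>.<threat>.<type>
# means the IP is listed, NXDOMAIN means it is not. Type is a bit field, 0 = search engine.
HTTPBL_ZONE = "dnsbl.httpbl.org"
SUSPICIOUS, HARVESTER, COMMENT_SPAMMER = 1, 2, 4


def httpbl_query_name(access_key: str, ip: str) -> str:
    """DNS name to resolve for a visitor's IPv4 address (HTTP:BL has no IPv6 data)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return f"{access_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"


@dataclass
class HttpblResult:
    days_since_last_activity: int
    threat_score: int   # 0-255, higher is worse
    visitor_type: int   # bit field of SUSPICIOUS / HARVESTER / COMMENT_SPAMMER


def decode_httpbl_answer(answer: Optional[str]) -> Optional[HttpblResult]:
    """Decode the A record for the query; None (NXDOMAIN) means the IP is not listed."""
    if answer is None:
        return None
    first, days, threat, vtype = (int(part) for part in answer.split("."))
    if first != 127:
        raise ValueError(f"not an HTTP:BL answer: {answer!r}")
    return HttpblResult(days, threat, vtype)


def httpbl_should_block(result: Optional[HttpblResult], min_threat: int = 25,
                        max_age_days: int = 30, block_suspicious: bool = False) -> bool:
    """Block decision; the default thresholds are assumptions made for this example."""
    if result is None or result.visitor_type == 0:        # unlisted, or a search engine
        return False
    if result.days_since_last_activity > max_age_days:    # stale listing, ignore it
        return False
    if result.visitor_type & (HARVESTER | COMMENT_SPAMMER):
        return result.threat_score >= min_threat
    return block_suspicious                               # only the SUSPICIOUS bit is set


# Steps 5 and 6: repeat offenders, with the "Never block these IPs" exemption that
# keeps a paranoid filter's false positives from locking out your own network.
class RepeatOffenderBlocker:
    def __init__(self, max_exceptions=3, window_s=3600, never_block=()):
        self.max_exceptions, self.window_s = max_exceptions, window_s
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.recent = defaultdict(deque)   # ip -> timestamps of exceptions in the window
        self.blocked = set()

    def is_exempt(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def record_exception(self, ip: str, when: datetime) -> bool:
        """Record one security exception; True if this one tips the IP into a block."""
        if ip in self.blocked or self.is_exempt(ip):
            return False
        hits = self.recent[ip]
        hits.append(when)
        while (when - hits[0]).total_seconds() > self.window_s:   # expire old hits
            hits.popleft()
        if len(hits) >= self.max_exceptions:
            self.blocked.add(ip)
            return True
        return False


# Constructed log excerpt, "<ISO timestamp> <ip> <reason>". CSRFShield is named on
# this page; the other reason codes are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 CSRFShield
2024-05-01T10:00:20 203.0.113.5 example-reason-a
2024-05-01T10:00:45 203.0.113.5 example-reason-b
2024-05-01T10:01:00 198.51.100.7 CSRFShield
2024-05-01T10:02:00 198.51.100.7 CSRFShield
2024-05-01T10:03:00 198.51.100.7 CSRFShield
2024-05-01T12:00:00 192.0.2.9 example-reason-b
2024-05-01T14:00:00 192.0.2.9 example-reason-b
2024-05-01T16:00:00 192.0.2.9 example-reason-b
"""


def replay_sample_log(never_block=("198.51.100.0/24",)) -> List[str]:
    """Run the log through the blocker; returns the IPs blocked, in order."""
    blocker = RepeatOffenderBlocker(never_block=never_block)
    newly_blocked = []
    for line in SAMPLE_LOG.splitlines():
        stamp, ip, _reason = line.split(" ", 2)
        if blocker.record_exception(ip, datetime.fromisoformat(stamp)):
            newly_blocked.append(ip)
    return newly_blocked
```

In the sample log only 203.0.113.5 gets blocked: 198.51.100.7 trips the filter three times but sits in the exempt network (the "Never block these IPs" case from step 6), and 192.0.2.9 spreads its three exceptions over hours, so the one-hour window never fills. To run the HTTP:BL part for real you would resolve the name from `httpbl_query_name` with your DNS resolver (with `socket.gethostbyname`, NXDOMAIN surfaces as `socket.gaierror`, which you map to "not listed") and hand the returned address to `decode_httpbl_answer`.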

If you are using the Apache web server, also go to Components, Admin Tools, .htaccess Maker and click on Save and Create .htaccess. If you then get a blank page or a 500 Internal Server Error on your site, use your FTP client to delete the .htaccess file (if it is not visible, just upload an empty text file named .htaccess), go back to .htaccess Maker, disable some option and repeat the whole process until your site loads correctly. For more information, take a look at https://www.akeebabackup.com/documentation/troubleshooter/athtaccess500.html

If you are using the NginX web server you should go to Components, Admin Tools, NginX Configuration Maker and follow the instructions on the page to create a security and performance optimised site configuration file.

If you are using the Microsoft IIS web server you should go to Components, Admin Tools, web.config Maker and follow the instructions on the page to create a security and performance optimised site configuration (web.config) file.

After applying all of the above protections, it is very likely that some of your site's functionality no longer works. This is normal: the default settings are very restrictive by design. On each page with a problem, first try applying the step by step process outlined in https://www.akeebabackup.com/documentation/troubleshooter/athtaccessexceptions.html

If you get stuck somewhere, feel free to file a support ticket (if you are a subscriber). We are here to help!
