
Web Application Firewall

[Note]Note

This feature is only available in the Professional release

The Web Application Firewall feature of Admin Tools is designed to offer real-time protection against the most common fingerprinting attacks, used by attackers to deduce information about your site in order to tailor an attack to it, and the most common attacks. The real-time protection is performed by the "System - Admin Tools" plugin (plg_admintools). Before configuring Admin Tools' WAF you have to make sure that the plugin is published and it's the first to run, i.e. it should appear first in the ordering menu. These conditions are automatically applied when you install the Admin Tools bundle. However, if you have installed more system plugins make sure that plg_admintools is published before all other system plugins. If not, the protection offered will not be thorough.

When you launch the Web Application Firewall feature of Admin Tools you are presented with its panel page:

Clicking on any icon will launch the respective sub-tool. The Back button on the upper right-hand corner will get you back to the Control Panel page.

Configure

This sub-tool is where all the configuration fine-tuning of the firewall takes place. By default, none of these options are enabled during installation. You will have to enable them manually. Once you are content with your options click on Save to save the changes and return to the WAF panel page, or Back to return without saving.

[Important]Important

If you do something wrong and you inadvertently lock yourself out of the administrator area of your site, do not panic! Read this section about regaining entrance.

Since Admin Tools 2.3.0 the Configure WAF page is split into several option groups to make it easier for you to locate the correct option.

The Basic Protection Features section contains the very basic options which allow you to control who can access your site.

Allow administrator access only to IPs in Whitelist

When enabled, only IPs in the Whitelist (see the following sections of this documentation about configuring it) will be allowed to access the administrator area of the site. All other attempts to access the administrator pages will be redirected to the site's home page. Be careful when using this feature! If you haven't added your own IP to the Whitelist you will get locked out of your administrator area!

[Important]Important

Since Admin Tools 2.1.7, irrespective of whether this option is enabled, IPs added to the administrator IP whitelist are fully white-listed as far as Admin Tools is concerned. This means that no security measure will be applied against them. Please place only very well trusted IPs in this list! If an attack is launched from this IP, it will not be blocked by Admin Tools!

Disallow site access to IPs in Blacklist

When enabled, if the visitor's IP is in the Blacklist (see the following sections of this documentation about configuring it) they will immediately get a 403 Forbidden error message upon trying to access your site.

Administrator secret URL parameter

Normally, you can access your site's administrator area using a URL similar to http://www.example.com/administrator. Potential hackers already know that and will try to access your site's administrator area the same way. From that point they can try to brute force their way in (guess your username and password) or simply use the fact that an administrator area exists to deduce that your site is running Joomla! and attack it. By entering a word here, you are required to include it as a URL parameter in order to access your administrator area. For instance, if you enter the word test here you will only be able to access your site's administrator area with a URL similar to http://www.example.com/administrator?test . All other attempts to access the administrator area will be redirected to the site's home page. If you do not wish to use this feature, leave this field blank.

[Important]Important

The secret URL parameter must start with a letter. If it starts with a number, you will immediately get an "Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script" error when trying to access your site's administrator back-end. It should also contain only lowercase and uppercase ASCII characters and numbers (a-z, A-Z, 0-9) in order to ensure the widest compatibility with all possible browser and server combinations.

The Active Request Filtering section contains the options which are the heart and soul of the Web Application Firewall. Admin Tools will monitor incoming requests and their variables, filter them using these options and decide which requests seem to be nefarious, blocking them.

SQLiShield protection against SQL injection attacks

When enabled, Admin Tools will try to detect common SQL injection attacks against your site and block them. Do note that this is not a watertight solution. Some attacks may still pass through and there is a very low chance of false positives, i.e. legitimate requests being identified as SQLi attacks.

Cross Site Scripting block (XSSShield)

When enabled, Admin Tools will try to detect common cross-site scripting (XSS) attacks and block them. The filtering is able to detect many such attacks, consisting of malicious Javascript and PHP code, but it cannot be exhaustive. Hackers find new types of attack every day. You are advised to follow sane security practices (like updating all of your extensions and templates to their latest releases immediately) on top of using this feature.

[Warning]Warning

This feature uses heuristics in order to determine if the incoming request is a Cross Site Scripting (XSS) attack. Due to the tricky nature of XSS attacks, the algorithm is not fool-proof. In fact, this feature has a high tendency of marking legitimate requests –especially forum posts with lots of links, smilies and uncommon use of punctuation– as attacks (false positives). You can either try to use the WAF Exceptions feature to work around this issue, or disable this feature. We consider this feature a "paranoid security" feature and usually don't use it on our own sites.

Allow PHP tags in request

This option affects how Cross Site Scripting block (XSSShield) will work.

When this option is set to No (default) the XSSShield filter will be triggered if any request parameter passed to the page contains a PHP open tag, namely a left angle bracket immediately followed by a question mark: <?

When this option is set to Yes the XSSShield filter will NOT be triggered by request parameters containing open PHP tags. THIS IS DANGEROUS and you should only use it if you have a particular need to allow open PHP tags in request parameters sent to the front-end of your site. We STRONGLY advise you against enabling this option.

XSS-safe request parameters

This option affects how Cross Site Scripting block (XSSShield) will work.

Some request parameters may be in need of accepting information that is very complex and looks like a Cross Site Scripting attack but really isn't. Such parameters are usually password and session token fields. You can enter a comma-separated list of the names of such request parameters that should never trigger the XSSShield protection. Do not modify this unless you are fully aware of the risks involved.

Default: password, passwd, token, _token, password1, password2, text

Malicious User Agent block (MUAShield)

Many hackers will try to access your site using a browser configured to send malicious PHP code in its user agent string (a small piece of text used to describe the browser to your server). The idea is that buggy log processing software will parse it and allow the hacker to gain control of your website. When enabled, this feature allows Admin Tools to detect such attacks and block the request.

CSRF/Anti-spam form protection (CSRFShield)

One of the major concerns regarding web forms –like login forms, contact forms, etc– is that they can be exploited by automated scripts (bots). This is usually performed to send spam messages or brute-force passwords. Admin Tools has two methods to prevent such abuse, depending on the setting of this option:

  • No. Turns off this feature.

  • Basic. Performs basic referer filtering. If the browser of the visitor reports that the previous page was not one belonging to your site, Admin Tools will block processing of the form. This is enough to thwart script kiddies and unsophisticated spam bots, but will do nothing for more serious attacks.

  • Advanced. On top of the basic protection, Admin Tools will automatically inject a hidden field on all forms. Spambots will usually try to fill all fields on a form, including the hidden one. When this happens, Admin Tools will block the request. This is a better method, but it's much slower and not recommended for high-traffic (several tens of thousands of visitors per day) websites.

[Warning]Warning

If you expect external sites to be performing POST requests to your site, e.g. PayPal posting back IPN notifications, please DISABLE this feature or use the WAF Exceptions to work around it, otherwise all such requests will be marked as security exceptions. Alternatively, if you expect such requests to come only from specific IP addresses (e.g. PayPal), then please add these IPs in the Never block these IPs whitelist.

Remote File Inclusion block (RFIShield)

Some hackers will try to force a vulnerable extension into loading PHP code directly from their server. This is done by passing an http(s):// or ftp:// URL in their request, pointing to their malicious site. When this option is enabled, Admin Tools will look for such cases, try to fetch the remote URL and scan its contents. If it is found to contain PHP code, it will block the request.

[Important]Important

If your site starts throwing white pages when submitting a URL in your site's front-end, please disable this option. The white page means that your server is not susceptible to this kind of attack and doesn't properly advertise this to Admin Tools when requested. In this case, Admin Tools crashes while trying to scan the contents of the remote location, causing the white page error. Disabling this option in such a case poses no security risk.

Direct File Inclusion shield (DFIShield)

Some hackers try to trick vulnerable components into loading arbitrary files. Depending on the vulnerable component, the file will either be output verbatim or parsed as a PHP file. This allows attackers to disclose sensitive information about your site or run malicious code uploaded to your site through another vulnerable vector, e.g. an unfiltered upload of executable PHP code. When this option is enabled, Admin Tools will search the request parameters for anything which looks like a file path. If one is found, it will be scanned. If it is found to contain PHP code, the request will be rejected.

Uploads scanner (UploadShield)

When this option is enabled, Admin Tools will proactively scan all files which are uploaded through Joomla!. If any of these files is found to contain even a single line of PHP code, the request is blocked. This can prevent some kinds of very tricky attacks, like uploading malicious PHP code wrapped inside avatar images. Do note that not all servers support this feature. If the uploaded files directory is blocked by open_basedir restrictions, no scanning will take place. If unsure, ask your host if they have put open_basedir restrictions which block access to the PHP uploads directory. If they answer affirmatively, this Admin Tools feature will not work unless this restriction is lifted.

[Warning]Warning

NOT ALL COMPONENTS ALLOW ADMIN TOOLS TO SCAN THEIR UPLOADS! Some components do not use Joomla!'s index.php entry point file. Instead, they use their own. Since these uploads do not pass through the Joomla! application, Admin Tools' code doesn't run and these uploaded files are not scanned. In this case, if that component is found vulnerable, your site will still be at risk. We suggest avoiding such components. How can you tell? It's simple. If you use the front-end protection feature of .htaccess Maker and you had to add an exception for a component, it doesn't use Joomla!'s index.php and is potentially vulnerable to this kind of code upload attack.

Anti-spam filtering based on Bad Words list

When enabled, all requests containing at least one word in the Bad Words list (configured separately, see the next sections) will be blocked. By default the Bad Words list is empty; you have to configure it to match your site's needs. One good idea is to include pharmaceutical, luxury watches and shoes brand names, as this makes up the majority of comment and contact spam received on web sites.

With the Joomla! Feature Hardening Options section you are able to harden the way some basic Joomla! features work. These are advanced settings, so please make sure you understand what each option does before you enable it.

Allow access to Joomla! extensions installer

This option determines who has access to Joomla!'s extensions installer. If you are not aware of this yet, both Super Administrators and regular Administrators have access to it. Given the fact that the extensions installer can be used to insert executable code and run database SQL commands on your site, it can be exploited for insider attacks. In fact, a potential attacker only needs to compromise an Administrator account to "own" (wreak havoc on) your site. The Joomla! security team is aware of this claim, complete with detailed instructions demonstrating this technique, yet they have decided to dismiss it as a "non issue". I'd rather be safe than sorry and I bet you do too. This is why this option exists and has the following possible settings:

  • Administrator and above (default). Both Administrators and Super Administrators have access to Joomla!'s Extensions Installer. This is the default, insecure, Joomla! behaviour.

  • Only Super Administrator. Administrators do not have access to the extensions installer, only Super Administrators can access it. This is the recommended setting.

  • Nobody. Complete lock down of the extensions installer, nobody can access it, unless this option is changed to a lower setting.

Disable editing backend users' properties

When enabled, trying to modify the settings of an existing Manager, Administrator or Super Administrator, or to create a new one, will fail.

Forbid front-end Super Administrator login

When enabled, it will not be possible for Super Administrators to log in to your site's front-end. This is a security precaution against password brute forcing. One common method is an attacker trying to log in to the front-end of your site as a Super Administrator, trying different passwords until he finds the correct one. When this option is enabled, he will not be able to log in as a Super Administrator in the front-end of the site, crippling this brute forcing method of determining the Super Administrator password.

Treat failed logins as security exceptions

When enabled, failed login attempts of any kind of user (even simple registered users) count as security exceptions and are logged in Admin Tools' Security Exceptions Log. There is a very useful implication to that. Since they count as security exceptions, they count towards the exceptions limit you set up in the automatic IP blocking. Therefore, after a number of failed login attempts, the user's IP will be automatically blocked for the duration you have set up.

The next section is called Visual Fingerprinting Protection. It contains options which let you change the behaviour of several Joomla! features that attackers frequently exploit to locate Joomla! sites. The idea is that potential attackers use automated tools to scan thousands of sites, trying to identify which of them run Joomla! in order to attack them. Using these options will allow you to "cloak" your site against such fingerprinting (scanning) attacks.

Hide/customise generator meta tag

All Joomla! installations set the meta generator tag, a piece of HTML in the header of all pages, to advertise the fact that your site is running on Joomla!. This information is cached by search engines and is exploited by attackers to deduce that your site is running Joomla! when looking for potential targets. Disabling the generator tag normally requires modifying Joomla! core files. Instead, you can enable this option and enter a custom value for the generator tag in the next option. Be inventive! Use something silly, like "A million monkeys with typewriters" or muddy the waters by assigning the name of another CMS, like "Drupal" or "WordPress".

Generator tag

When the previous option is enabled, this is what the generator meta tag's value will be.

Block tmpl=foo system template switch

One of the lesser known Joomla! features is its system templates. Whenever an error occurs or you put your site offline, Joomla! loads the respective system template. Passing the name of the template in the URL by appending, say, ?tmpl=offline allows you to test those templates without having to actually produce an error or put your site off-line. For a live example, have fun with http://www.joomla.org/?tmpl=offline. Enabling this option will turn off this hidden Joomla! feature. Do note that tmpl=system and tmpl=component must be permitted (see next option), as they are required by some extensions to work.

List of allowed tmpl= keywords

The list of tmpl keywords which should be allowed on your site, as a comma separated list. At the very least you MUST include system and component, otherwise Joomla! will not work properly. Default value: component,system

[Tip]Tip

On many sites you have to set this to component,system,raw for your third party components to work.

Block template=foo site template switch

Another Joomla! hidden feature is the ability to switch between installed templates by passing a special URL parameter. For instance, if you want to apply the JA Purity template, just pass the parameter ?template=ja_purity. For a live example, have fun with http://www.joomla.org/?template=ja_purity. Enabling this option will turn off this hidden Joomla! feature.

Allow site templates

Enabling this option partially overrides the previous option (the blocking of template=foo in the URL). If the template= URL query parameter specifies the name of a template which exists in your template directory, then it will be allowed without raising a security exception. This is required only on sites which are using more than one template at the same time. What we mean by that is that you can go to Joomla!'s back-end, go to Extensions, Templates and assign any of the installed templates to any number of menu items. When you do that, several core components –including com_mailto, powering the "send this page by email" icon in your articles– have to append template=yourDefaultTemplateName to the URL. This would cause your site to throw security exceptions whenever a legitimate visitor would, for example, try to send an article by email to a friend of his. By enabling this option you prevent this security exception from being raised.

[Important]Important

If you are using multiple templates on your site, you MUST enable this option.
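As an added example (not Admin Tools' own code), the following Python shows how the tmpl= and template= options described above combine into one request check, and why the "Allow site templates" lookup must accept only a plain directory name: a template= value containing path separators or dot segments is refused before the templates directory is consulted. The option semantics and the isdir hook are assumptions for illustration.

```python
import os

def is_installed_template(name, templates_dir="templates", isdir=os.path.isdir):
    """True only if `name` is a plain directory name that exists directly under
    the templates directory. Anything with path separators or dot segments is
    refused, so template= can never refer to a path outside that directory."""
    if not name or name in (".", "..") or name != os.path.basename(name):
        return False
    return isdir(os.path.join(templates_dir, name))

def check_template_switch(query, allowed_tmpl="component,system", block_tmpl=True,
                          block_template=True, allow_site_templates=False,
                          templates_dir="templates", isdir=os.path.isdir):
    """Return None when the request passes, or the offending parameter name.

    query: dict of URL query parameters. The options mirror the documentation
    (assumed semantics, not the plugin's own logic):
      block_tmpl / allowed_tmpl -> "Block tmpl=foo" and "List of allowed tmpl= keywords"
      block_template            -> "Block template=foo site template switch"
      allow_site_templates      -> "Allow site templates": installed template names pass
    """
    allowed = {k.strip() for k in allowed_tmpl.split(",") if k.strip()}
    tmpl = query.get("tmpl")
    if block_tmpl and tmpl is not None and tmpl not in allowed:
        return "tmpl"
    template = query.get("template")
    if block_template and template is not None:
        if allow_site_templates and is_installed_template(template, templates_dir, isdir):
            return None
        return "template"
    return None
```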

Project Honeypot integration allows you to integrate with Project Honeypot's spam fighting services. Project Honeypot is a collective effort to detect spammers, email harvesters and crackers. Its HTTP:BL service allows participants to query the IP addresses of their visitors and figure out if there is a malicious user behind them. If you enable this feature, Admin Tools will check the IP address of each visitor and, if it is a malicious user, it will block him. You have the following options:

Enable HTTP:BL filtering

Turns the entire feature on and off

Project Honeypot HTTP:BL key

Enter your HTTP:BL key. You can sign up for Project Honeypot and get your key at http://www.projecthoneypot.org/httpbl_configure.php.

Minimum Threat Rating to block (0-255, default 25)

Project Honeypot uses a logarithmic "threat rating" to rank the possibility of a specific IP being a spammer. This option defines the minimum threat level an IP must have before it's blocked. A value of 25 means that this IP has submitted 100 spam messages on Project Honeypot's spam catching honeypots and is usually a safe indication that it belongs to a spammer. Do note that the rating is logarithmic. A value of 50 means 1,000 spam messages and a value of 75 means one million spam messages. Do not set it to values over 50, as you will most likely never block any spammer at all.

Maximum age of accepted HTTP:BL results

Project Honeypot reports when this IP was last caught sending spam messages. The older this is (the higher the age is), the less likely it is that this IP is still used by a spammer. You can choose here the maximum reported age that will still be blocked. The default value of 30 means that IPs which have submitted a spam message in the last 30 days will be blocked.

Also block suspicious IPs, not just confirmed spammers

Sometimes Project Honeypot is not sure if an IP belongs to a spammer or it's a hapless chap who clicked on the wrong link. In this case the IP is marked as "suspicious". The default behaviour is to not block these IPs. However, if you are receiving a lot of spam it's a good idea to enable this feature and block even "suspicious" IPs. Ultimately, some unfortunate users will be inadvertently blocked, so use this option with caution!
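As an added example (not Admin Tools' own code), this Python shows how the three HTTP:BL options above turn one lookup result into a block decision. It relies on Project Honeypot's published HTTP:BL format: the name to resolve is the access key, the visitor's IPv4 octets in reverse order and the zone dnsbl.httpbl.org, and a listed IP answers with an A record 127.<days since last activity>.<threat rating>.<type>. The access key and answers below are constructed values, and the code does not perform the DNS lookup itself; how the "suspicious" option interacts with the age and threat limits is an assumption stated in the comments.

```python
import ipaddress

# HTTP:BL type bitmask (fourth octet of the answer). 0 means "search engine";
# the other flags may be combined, e.g. 5 = suspicious + comment spammer.
SUSPICIOUS = 1
HARVESTER = 2
COMMENT_SPAMMER = 4

def httpbl_query_name(access_key, visitor_ip):
    """DNS name to resolve: access key, the visitor's IPv4 octets reversed, zone."""
    octets = str(ipaddress.IPv4Address(visitor_ip)).split(".")
    return "{}.{}.dnsbl.httpbl.org".format(access_key, ".".join(reversed(octets)))

def decode_httpbl_answer(answer):
    """Decode an A record 127.<days>.<threat>.<type> into a dict.

    Returns None when there is no usable answer: pass None for NXDOMAIN (the IP
    is not listed), and anything not starting with 127 is not an HTTP:BL result."""
    if not answer:
        return None
    first, days, threat, kind = (int(o) for o in answer.split("."))
    if first != 127:
        return None
    return {"days": days, "threat": threat, "type": kind}

def should_block(answer, min_threat=25, max_age_days=30, block_suspicious=False):
    """Apply the documented options to one answer.

    min_threat       -> "Minimum Threat Rating to block (0-255, default 25)"
    max_age_days     -> "Maximum age of accepted HTTP:BL results" (default 30)
    block_suspicious -> "Also block suspicious IPs, not just confirmed spammers"

    Assumed semantics: the age and threat limits apply to every listed IP; the
    suspicious option only decides whether a suspicious-only IP is eligible at all."""
    info = decode_httpbl_answer(answer)
    if info is None or info["type"] == 0:
        return False          # unknown visitor or a search engine: never block
    if info["type"] == SUSPICIOUS and not block_suspicious:
        return False          # nothing confirmed about this IP, only a suspicion
    if info["days"] > max_age_days:
        return False          # last seen too long ago to trust the listing
    return info["threat"] >= min_threat
```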

Sometimes you do not want to block certain IPs or domain names. For example, you don't want to block Google Bot, MSN (Bing) Bot and so on. You can easily add Exceptions from blocking. You can set the following options to prevent Admin Tools from blocking certain IPs and domain names:

Never block these IPs

Enter a comma-separated list of IPs which should never be automatically blocked. For example, such a list can be 127.0.0.1, 123.124.125.126. Moreover, since Admin Tools 2.2.a3 you can use IP ranges (e.g. 127.0.0.1-127.0.0.10), implied IP range notation (127.0.0. for the entire 127.0.0.1 to 127.0.0.255 block) and CIDR block notation (e.g. 127.0.0.0/8) on top of plain old IP addresses.

[Tip]Tip

If you are using the whitelist feature to allow access to the administrator section of your site only to specific IPs, these IPs are automatically added to the safe list of IPs which should never be automatically blocked.

[Important]Important

Since Admin Tools 2.1.7, IPs added to this list are fully white-listed. This means that no security measure will be applied against them. Please place only very well trusted IPs in this list! If an attack is launched from this IP, it will not be blocked by Admin Tools!
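As an added example (not Admin Tools' own code), the following Python matches a visitor IP against a "Never block these IPs" list written in the four notations described above: plain address, start-end range, implied dotted-prefix range and CIDR block. The handling of malformed entries (they are skipped rather than matched) is an assumption; given that listed IPs are fully trusted, an unparsable entry must never widen the list.

```python
import ipaddress

def parse_whitelist(text):
    """The option is a comma separated list; blank entries are ignored."""
    return [e.strip() for e in text.split(",") if e.strip()]

def entry_covers(addr, entry):
    """True if one whitelist entry covers the IPv4Address `addr`.

    Notations, as listed in the documentation: explicit range start-end,
    CIDR block, implied range as a dotted prefix ("127.0.0." for the whole
    127.0.0.x block), or a single address. Raises ValueError for a malformed
    entry so the caller can decide what to do with it."""
    if "-" in entry:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        return start <= addr <= end
    if "/" in entry:
        return addr in ipaddress.IPv4Network(entry, strict=False)
    if entry.endswith("."):
        # Compare whole octets, so that "10.1." does not also match 10.10.x.x.
        prefix = entry.rstrip(".").split(".")
        return str(addr).split(".")[:len(prefix)] == prefix
    return addr == ipaddress.IPv4Address(entry)

def is_whitelisted(ip, whitelist_text):
    """Decide whether a visitor IP is on the never-block list.

    Malformed input never widens the list: an unparsable visitor IP is not
    whitelisted, and a malformed entry simply matches nothing."""
    try:
        addr = ipaddress.IPv4Address(ip.strip())
    except ValueError:
        return False
    for entry in parse_whitelist(whitelist_text):
        try:
            if entry_covers(addr, entry):
                return True
        except ValueError:
            continue
    return False
```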

Whitelisted domains

If the IP address of the visitor who raised a security exception resolves to a domain name ending in what you enter here they will not be blocked. Effectively, these domain names have a free pass on your site.

[Warning]Warning

Malicious URLs from these domain names WILL be blocked but a. this will not be logged and b. their IP address will not be automatically blocked by the "Auto-ban Repeat Offenders" feature below. This is done to protect your site against reflected search engine attacks. Let us explain this.

Some hackers try to exploit search engines' eagerness to scan URLs, crafting malicious URLs to your site and putting them on their own sites. Search engines will see them and try to visit them on your site. You are whitelisting these search engines as you don't want to lock them out of your site. If the malicious URL wasn't blocked just because the request comes from a seemingly innocent source your site would be instantly hacked. That's why the malicious URLs are still blocked, just not logged or cause IP addresses to be automatically banned.

Enter a comma separated list of the domain names you want to whitelist. The default value is .googlebot.com,.search.msn.com which whitelists the search engine indexers Google Bot (used by Google Search) and MSN Bot (used by Bing).

You can easily Auto-ban Repeat Offenders. This feature allows you to automatically ban IPs triggering security exceptions. This can prove to be an effective measure against malicious users who try to probe your site for vulnerabilities. You MUST enable logging of security exceptions for this feature to work. You can set the following options to define how Admin Tools will behave in those cases:

IP blocking of repeat offenders

When set to yes, the IP address of repeat offenders will be automatically banned based on the rest of the settings.

Email this address if an IP is auto banned

Admin Tools can optionally send you an email when an IP is automatically banned, to the email address entered in this field. This will allow you, for example, to determine if some IP is being regularly blocked, in which case it may be a good idea to place it in the permanent IP black list. Leave this field empty (default) to disable this feature.

[Note]Note

In order for the country and continent to show up in your email, you must download the GeoIP plugin as instructed in the Control Panel page.

Block after

Choose how many attacks have to happen within how much time. For example, if you set it to 3 attacks in 1 hour, Admin Tools will ban an IP address from which at least 3 attacks have been blocked within the last hour.

Block for this long

How long the block will last. For example, setting it to 1 day will block all access from this IP address for a whole day.

Show this message to blocked IPs

Allows you to show a specific message to blocked IP addresses. You may want to explain to the user that his IP was blocked because suspicious activity was detected as originating from his IP address.

You can use the special text [IP] in all capital letters, without spaces between the brackets and IP, to display the user's IP in the message. This may be useful if someone gets accidentally blocked and asks you to help them.

The Security exception message customisation section allows you to change the way Admin Tools presents the error message to people who are denied access to the site.

Customise Security Exceptions message

By default, Admin Tools uses a generic message ("Are you feeling lucky?") when a security exception occurs. Considering that this may not be exactly the kind of message you want your visitors to see, we allow you to customise it. Just type in the message to be shown to site visitors when a security exceptions occurs, e.g. "We have detected a possible security violation caused by your request. Please go back to the previous page and try again."

Show errors using a customisable HTML template

By default, the Security Exceptions Message will be shown using Joomla!'s standard error message page. This is not always desirable, as that page lacks proper styling and admittedly looks very cheesy. When this option is enabled, however, Admin Tools will use a customisable HTML template.

The default HTML template file is located in the components/com_admintools/views/blocks/tmpl/default.php file. DO NOT MODIFY THIS FILE DIRECTLY! It will be overwritten on each upgrade. Instead, you will have to do a template override, as per the following instructions.

Locate the directory of your front-end template. For example, this could be templates/beez_20 if you are using the default template in Joomla! 1.7/2.5. Inside it there's a directory called html. Create a new directory named com_admintools and inside it yet another new directory called blocks. In our example, you should now have a directory templates/beez_20/html/com_admintools/blocks. Copy the default.php file from components/com_admintools/views/blocks/tmpl to templates/beez_20/html/com_admintools/blocks. Edit that file and customise it to your heart's desire. Do note that unlike other Joomla! template files this is a full HTML page, including the opening and closing <html> tags.

For more information regarding template overrides, please consult Joomla!'s documentation wiki page on the subject.

In the Logging and reporting section you can change the way Admin Tools logs and reports various activity items and security exceptions happening on your site.

Save user sign-up IP in User Notes

When enabled, the IP new users signed up from will be stored as User Notes.

[Important]Important

This feature is guaranteed to work only when a user registers to your site using the front-end user registration form provided by Joomla!. Users created through the back-end will not have their IP saved as a User Note because it makes no sense to do so (it's an administrator registering the user account on their behalf). Third party components creating new user accounts may also not trigger the plugin event.

IP Lookup Service

Admin Tools will provide you with a link to look up the owner of an IP address in the emails it sends you, as well as the Security Exceptions Log and Auto IP Blocking Administrator pages. By default, it uses the ip-lookup.net service. This option allows you to use a different IP lookup service if you so wish.

Enter the URL of the IP lookup service you want to use in this text box. The {ip} part of the URL will be replaced with the IP address to look up. For example, the default URL (for ip-lookup.net) is http://ip-lookup.net/index.php?ip={ip}.

Email this address on successful back-end login

Enter an email address which will get notified whenever someone successfully logs in to your site's administrator back-end. If you do not wish to use this feature, leave this field blank. If you enter an email address, every time someone logs in to the administrator area an email will be sent out to this email address stating the username and site name. This allows you to get instant notification of unexpected administrator area logins which are a tell-tale sign of a hacked site. In that unlikely event, immediately log in to your site's back-end area, go to Extensions, Admin Tools and click on the Emergency Off-Line Mode button. This will cut off the attacker's access to the entirety of your site and gives you ample time to upgrade your site and its extensions, as well as change the password (and maybe the username) of the compromised Super Administrator account. For maximum security, after taking your site back on-line, log out, clear your browser's cookies and cache and log in again.

[Note]Note

In order for the country and continent to show up in your email, you must download the GeoIP plugin as instructed in the Control Panel page.

Email this address on failed administrator login

Enter an email address which will get notified whenever someone tries to log in to your site's administrator back-end but is denied access. If you do not wish to use this feature, leave this field blank. If you enter an email address, every time someone unsuccessfully tries to log in to the administrator area an email will be sent out to this email address stating the username and site name. This allows you to get instant notification of unexpected administrator area login attempts which are a tell-tale sign of a hacked site. In that unlikely event, immediately log in to your site's back-end area, go to Extensions, Admin Tools and click on the Emergency Off-Line Mode button. This will cut off the attacker's access to the entirety of your site and gives you ample time to upgrade your site and its extensions, as well as change the password (and maybe the username) of a potentially compromised Super Administrator account. For maximum security, after taking your site back on-line, log out, clear your browser's cookies and cache and log in again.

[Note]Note

In order for the country and continent to show up in your email, you must download the GeoIP plugin as instructed in the Control Panel page.

Log security exceptions

It is suggested to keep this option enabled. When enabled, all potential security breaches —blocked by Admin Tools— will be logged in the database and made available under the Security Exceptions Log tool.

Turning on this option will also create a file named admintools_breaches.log in your site's logs directory. This contains all the debugging details of what Admin Tools detected whenever it issues a 403 error. When asking for support, please include this log or at least the portion relevant to the 403 error page you are receiving in order for us to better serve you. Do note that your logs directory MUST be writeable for the log file to be produced.

Email this address on security exceptions

Enter an email address which will get notified whenever a security exception happens on your site. A "security exception" is anything which triggers the Web Application Firewall. This is useful to get an early warning in the event of a bot trying to perform a series of attacks on your site.

[Note]Note

In order for the country and continent to show up in your email, you must download the GeoIP plugin as instructed in the Control Panel page.

Do not log these reasons

Security exceptions caused by these blocking reasons will not be logged. As a result, IPs triggering this exception repeatedly will not be automatically banned from your site. Moreover, as there is no log, it will be impossible to tell why someone is being blocked from accessing your site when they trigger one of those reasons. For a list of the reason codes you can use please consult the list of WAF log reasons. You need to enter a comma separated list with the values you see in the Code line below each entry.

The default setting is geoblocking (Geographic IP blocking)
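As an added example (not Admin Tools' own code), the following Python works through the Auto-ban Repeat Offenders settings ("Block after" 3 attacks in 1 hour, "Block for this long" 1 day) together with "Do not log these reasons": exceptions whose reason is excluded from the log never count towards a ban. The log rows are constructed; "geoblocking" is the only reason code the documentation names, the others are placeholders for codes from the WAF log reasons list.

```python
from datetime import datetime, timedelta

# Constructed Security Exceptions Log rows: (timestamp, IP, reason code).
# REASON_A / REASON_B are placeholders for real codes from the WAF log reasons list.
SAMPLE_LOG = [
    ("2024-05-01 10:00:00", "203.0.113.7", "REASON_A"),
    ("2024-05-01 10:20:00", "203.0.113.7", "REASON_B"),
    ("2024-05-01 10:40:00", "203.0.113.7", "REASON_A"),
    ("2024-05-01 09:00:00", "198.51.100.9", "REASON_A"),
    ("2024-05-01 11:30:00", "198.51.100.9", "REASON_A"),
    ("2024-05-01 12:10:00", "198.51.100.9", "REASON_A"),
    ("2024-05-01 10:00:00", "192.0.2.3", "geoblocking"),
    ("2024-05-01 10:05:00", "192.0.2.3", "geoblocking"),
    ("2024-05-01 10:10:00", "192.0.2.3", "geoblocking"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_reason_list(text):
    """'Do not log these reasons' is a comma separated list of reason codes."""
    return {r.strip() for r in text.split(",") if r.strip()}

def logged_exceptions(rows, do_not_log="geoblocking"):
    """Only exceptions that reach the log can count towards a ban."""
    skip = parse_reason_list(do_not_log)
    return [(parse_ts(ts), ip, reason) for ts, ip, reason in rows if reason not in skip]

def auto_ban_decisions(rows, attacks=3, window=timedelta(hours=1),
                       ban_for=timedelta(days=1), do_not_log="geoblocking"):
    """Return {ip: ban_expiry} for every IP with at least `attacks` logged
    exceptions inside one sliding `window` ("Block after"). The ban lasts
    `ban_for` ("Block for this long"), counted from the exception that
    tripped the limit (an assumption about where the clock starts)."""
    times_by_ip = {}
    for ts, ip, _reason in logged_exceptions(rows, do_not_log):
        times_by_ip.setdefault(ip, []).append(ts)
    bans = {}
    for ip, times in times_by_ip.items():
        times.sort()
        for i, t in enumerate(times):
            # Every logged exception for this IP in the hour ending at t.
            in_window = [u for u in times[:i + 1] if u >= t - window]
            if len(in_window) >= attacks:
                bans[ip] = t + ban_for
                break
    return bans

def is_banned(ip, bans, now):
    """True while the ban for `ip` is still in force at time `now`."""
    return ip in bans and now < bans[ip]
```

Two exceptions 40 minutes apart plus one two hours earlier do not trip a 3-in-1-hour limit, which is why 198.51.100.9 stays unbanned.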

Do not send email notifications for these reasons

Security exceptions caused by these blocking reasons will not result in an email being sent to the email address specified in "Email this address on security exceptions". For a list of the reason codes you can use please consult the list of WAF log reasons. You need to enter a comma separated list with the values you see in the Code line below each entry.

The default setting is geoblocking (Geographic IP blocking)

[Warning]Warning

Blacklisting makes no discriminations. If, for example, you try to access your administrator area without a secret word it will block your IP address and you won't be able to access your own site. In that case, follow the manual override procedure to disable Admin Tools' plugin and regain access to your site, then proceed to disable the auto-ban feature.

Help, I have been locked out of my site's administrator area!

It's possible to accidentally lock yourself out of the administrator area, especially when using the IP whitelisting or IP blacklisting options of the Web Application Firewall. The easiest way to work around this issue is using an FTP application or your hosting control panel's File Manager to rename a file.

Go inside the plugins/system/admintools/admintools directory on your site. You will see a file named main.php. Rename it to main-disable.php. This will prevent the Web Application Firewall from executing and you can access your site's back-end again. After you have fixed the cause of your issue remember to rename main-disable.php back to main.php, otherwise your site will remain unprotected!