Support

 I just got to my computer and saw I have over 1000 emails from WAF telling me that an IP was automatically blocked on my website. The emails were sent approximately every 6 seconds. Why was that IP able to continue to access the website after being blocked?

My settings say to block an IP after three failed attempts in one hour, and block them for one day.

I have log security exceptions on.

I went in an manually added that IP to the blacklist, however, why were they still able to access the website after being blocked?

For an admin login attempt, the attempt is logged before Admin Tools blocks the user. You will get a security exception even though the attempt was blocked.

I don't understand. All 1000+ attempts came from the same IP.

My understanding is that they should have been blocked from all website access once WAF auto-banned them, so why were they able to continue to attack the site?

They still access the website, sort of. Admin Tools can't block access until the spammer's request gets to Joomla! At that point, AT checks the IP address and sees that it is an address that should be denied access to the site. It throws the "You are a spammer or a bad person, do away!" message. But the request from the spammer has to get to Joomla! before we know to block them.

When you take the site offline, you are taking Joomla! out of the picture, the request is blocked by Apache in the .htaccess file. But the spammer is still working your server, sending requsets that Apache is now denying.