
#24115 Best Admin Tools settings

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Friday, 05 February 2016 17:20 CST

jk15060
After locking myself out of the backend of Joomla, I believe I'm beginning to understand WAF a bit better, but am wondering what might be the best configuration, assuming there is one.

Initially I thought adding IP addresses to the Admin IP Whitelist and Exceptions from Blocking (within WAF) would be a nice way to secure a website. I have noticed that the secret URL parameter gets ignored if my own IP address is whitelisted. I now understand that is by design.

I'm wondering what, if anything, I'm missing in terms of securing a website and what might be considered "best practices". For several years, the secret URL phrase worked quite well, but now I'm wondering if it makes more sense to begin configuring IP addresses for admins. If I were to take my laptop into town and obtain a new IP address, I'd still be able to log in to the backend via secret URL parameter, assuming it's set. True statement or would there need to be another configuration? I guess if a site had 50 admins, the secret URL might be more efficient.

I'm also interested in knowing if there's a way to auto-delete some of the entries under Security Exceptions Log or if it's a good idea to hang onto that log.

So I really don't have an issue per se, but want to understand AT better... and, in the end, prevent locking myself out of the admin interface. BTW, I do appreciate the documentation on how to regain access. Lifesaver!

dlb
If you figure out how to quit locking yourself out, please let me know.

You have it pretty well figured out. The IP whitelist disables most of the Admin Tools protections. The problem with it is that many of us have dynamic IP addresses, so when the IP changes, you're not whitelisted any more. You should be able to log in just fine from a strange IP address when you use the secret parameter. There is a setting to allow only whitelisted admins to log in; that is a little too secure for anyone with a dynamic IP address or variable location.

The setting to trim the exceptions log is in the Admin Tools plugin. Note that it will not trim the log in one operation because that would probably cause a PHP timeout. It will purge a few records at a time until it gets the log size down to your trim setting.

Sadly there is no one "right" answer. You have to balance your security with how you need to access your site and in some cases who is accessing your site.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

jk15060
Thanks Dale! You provided some excellent help/support. I had looked at the plugin settings and wondered if that's where I could remove some of the logs, but didn't make any changes. I also read about having the System - Admin Tools plugin run first, which I was struggling to do. I'll check those settings again.

Didn't think about dynamic IP addresses, as I work from home now. That was helpful to consider. Didn't connect the dots on using the secret URL when away from my set IP address, so that was great info as well.

Thanks again!

dlb
You're welcome!


