#25628 task=login locks me out from administrator too

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 18 August 2016 17:20 CDT

depika
I have added the following tasks to the WAF blacklist:
login
user.login

At the frontend it works perfectly, but it also does so at the backend. I had to hack the database in order to be able to log in.

What am I doing wrong?

Thanks

Despoina

nicholas
Akeeba Staff
Manager
You should NEVER add these tasks to the WAF blacklist. Login pages must be protected by Admin Tools, otherwise you're setting yourself up for a world of hurt. So, first, remove these entries from the WAF blacklist.

I'll go out on a limb here and assume that you did that because you were being blocked from logging in to the front-end of your site as a Super User. Go to Admin Tools, Web Application Firewall, Configure WAF, Joomla! Feature Hardening Options and set "Forbid frontend Super Administrator login" to No (hover over it to see what it does and you'll understand). This will fix the front-end login issue.

Now, regarding the back-end. Go to Admin Tools, Web Application Firewall, Configure WAF, Basic Protection Features and check the "Administrator secret URL parameter". If it's not empty you must use it when accessing the administrator login page, e.g. http://www.example.com/administrator/index.php?yourSecret where www.example.com is your site and yourSecret is the secret URL parameter. It is possible that misbehaving plugins may be trying to access the administrator login page for any reason (usually because their developer is a complete moron who doesn't understand the concept of security), blocking you out of your site. Furthermore, several browsers (Safari most notably) try to stupidly prefetch partial URLs as you type them. I just got blocked out of my dev site when Safari tried to access /administrator and /administrator/index.php five times while I was typing the /administrator/index.php?mysecret URL. Ugh.

Finally, on the same page, there's an "Away Schedule" and a "Change administrator login directory to" option. I'd recommend leaving them both blank while you're trying to figure out why you get blocked. Of course, when you do get blocked there's a log entry which tells us why you got blocked: Admin Tools, Web Application Firewall, Security Exceptions Log. Sort by date descending and the top entry should have your IP, a reason and a target URL. If you don't understand the reason paste it here and I'll tell you why you keep getting blocked.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
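To make the three settings in the reply above concrete, here is an added illustration written for this page; it is not Admin Tools' code and does not claim to reproduce its internals. It is a toy request filter in PHP that applies a task blacklist, the "Administrator secret URL parameter" check and the "Forbid frontend Super Administrator login" rule to a handful of constructed requests, so you can see why blacklisting `login`/`user.login` locks the back-end too, why a browser prefetch of `/administrator` without the secret ends up in the exceptions log, and what such a log line has to carry (IP, reason, target URL). The class name, method names, the `isSuperUser` flag (assumed to be known for the submitted username), the sample IPs and the secret `yourSecret` are all assumptions made for the example.

```php
<?php
// Added illustration, not Admin Tools code. Toy WAF that mimics the three settings
// discussed in the ticket. All names and the sample requests are assumptions.
// Requires PHP 8.0+ (constructor promotion, str_starts_with).

final class ToyWaf
{
    /** @var string[] log lines: timestamp, IP, reason, target URL */
    private array $exceptionsLog = [];

    public function __construct(
        private array $taskBlacklist,          // e.g. ['login', 'user.login']
        private string $adminSecret,           // '' means the check is disabled
        private bool $forbidFrontendSuperUser, // "Forbid frontend Super Administrator login"
    ) {}

    /**
     * $req keys: ip, path, query (GET and POST fields merged as a query string),
     * isSuperUser (assumed to be already resolved for the submitted username).
     * Returns true when the request is allowed, false when blocked and logged.
     */
    public function allow(array $req): bool
    {
        parse_str($req['query'], $params);
        $isBackend = str_starts_with($req['path'], '/administrator');
        $task      = (string) ($params['task'] ?? '');

        // 1. Task blacklist. Matched on every request, front-end AND back-end, which is
        //    exactly why blacklisting the login task locks out the administrator too.
        if ($task !== '' && in_array($task, $this->taskBlacklist, true)) {
            return $this->block($req, "Blacklisted task '$task'");
        }

        // 2. Administrator secret URL parameter: must be present as a bare query key.
        //    parse_str('yourSecret', $p) yields ['yourSecret' => ''].
        //    A browser prefetch of /administrator without the secret lands here.
        if ($isBackend && $this->adminSecret !== '' && !array_key_exists($this->adminSecret, $params)) {
            return $this->block($req, 'Administrator secret URL parameter missing');
        }

        // 3. Forbid front-end Super Administrator login: only privileged logins on the
        //    site application are refused; regular users are unaffected.
        if (!$isBackend && $this->forbidFrontendSuperUser
            && in_array($task, ['login', 'user.login'], true) && $req['isSuperUser']) {
            return $this->block($req, 'Super User login attempted from the front-end');
        }

        return true;
    }

    private function block(array $req, string $reason): bool
    {
        $url = $req['path'] . ($req['query'] !== '' ? '?' . $req['query'] : '');
        $this->exceptionsLog[] = sprintf('%s %s %s %s', date('c'), $req['ip'], $reason, $url);
        return false;
    }

    /** @return string[] oldest first; the real UI lets you sort by date descending */
    public function log(): array
    {
        return $this->exceptionsLog;
    }
}

// Constructed sample traffic (not real log data); IPs are from documentation ranges.
$requests = [
    ['ip' => '203.0.113.5',  'path' => '/index.php',               'query' => 'option=com_users&task=user.login', 'isSuperUser' => true],  // Super User on the front-end
    ['ip' => '198.51.100.7', 'path' => '/index.php',               'query' => 'option=com_users&task=user.login', 'isSuperUser' => false], // regular user
    ['ip' => '203.0.113.5',  'path' => '/administrator/index.php', 'query' => 'yourSecret',                        'isSuperUser' => true],  // admin login page, with secret
    ['ip' => '203.0.113.5',  'path' => '/administrator/index.php', 'query' => 'yourSecret&task=login',             'isSuperUser' => true],  // admin login submit
    ['ip' => '203.0.113.5',  'path' => '/administrator',           'query' => '',                                  'isSuperUser' => true],  // browser prefetch, no secret
];

$configs = [
    'ticket: blacklist login tasks, no secret, SU front-end allowed' => new ToyWaf(['login', 'user.login'], '', false),
    'recommended: no blacklist, secret set, SU front-end forbidden'  => new ToyWaf([], 'yourSecret', true),
];

foreach ($configs as $name => $waf) {
    echo "== $name ==\n";
    foreach ($requests as $req) {
        $url = $req['path'] . ($req['query'] !== '' ? '?' . $req['query'] : '');
        printf("%-5s %s\n", $waf->allow($req) ? 'ALLOW' : 'BLOCK', $url);
    }
    foreach ($waf->log() as $line) {
        echo "  log: $line\n";
    }
}
```

Run it with `php toywaf.php`. Under the first configuration the admin login submit (`task=login`) is blocked, which is the lockout described in the ticket, while the prefetch of `/administrator` sails through because no secret is configured. Under the second configuration the front-end Super User login and the secret-less prefetch are the only blocked requests, each with a log line naming the IP, the reason and the target URL, which is the information the Security Exceptions Log gives you when you need to work out why you were blocked. The toy checks the secret on every back-end request; how the real product treats subsequent requests after the secret has been presented once is not modelled here.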

depika
I followed this post

https://www.akeebabackup.com/support/admin-tools/24996-disable-front-end-login-page-entirely.html

I added the tasks login and user.login because I saw the spammers were trying to do user.login.

I have enabled the secret word for the admin and I have forbidden the super admins from logging in from the frontend. There is no login option at the site and I would like to disable login entirely at the site because bots try to log in and they enter dummy user names and passwords.

nicholas
Akeeba Staff
Manager
I believe you can't really do that in Joomla. You can disable registration in Users (backend, click Users, click Options). You can remove all users except admins. And you can also forbid front end admin login. Effectively this DOES prevent people from logging in but not from trying to log in anyway. Is that helpful in your case?

depika
It is fine, I guess, although I have to admit that the other posts I have found on your site give readers the idea that you can totally prevent users from logging in at the frontend: that if I enter login as a task in the WAF blacklist it will prevent users from accessing the login page at the frontend.
But unfortunately it prevents the super admins from logging in at the backend as well.

nicholas
Akeeba Staff
Manager
The idea was to totally prevent users with administrative rights from logging into the front-end while allowing regular users to log in just fine. This is what makes security sense: don't let hackers brute-force your administrators' passwords but not disrupt the workflow of your regular site users either.

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
