Support

The short answer is yes.

The long answer is more nuanced as it depends on the versions of the software you are using, which features of Admin Tools you are using and how you've configured them.

XAttacker launches automated scans for known vulnerable versions of some popular extensions (if you search for XAttacker you will see a list of them). These are mostly old versions so if you keep your site up to date you are safe by definition.

In the off chance that you have a vulnerable version -- which would be a surprise since vulnerable versions of nearly all of the affected extensions don't run on Joomla! 3.9 -- there are two classes of attacks.

The first class is attacks to the component or plugin proper, going through Joomla itself to access it. You are thoroughly protected against them using the default settings of the Web Application Firewall with one exception: attacks which simulate legitimate traffic and use a legitimate feature but due to a bug in the extension they cause an unexpected result. The only such attack in the last five years was with VirtueMart not filtering the user groups for newly created customer records which could lead to Super User accounts being created. Even that is something Admin Tools can and does protect you from, as long as you have the Monitor Super User Accounts feature turned on.

The second class of attacks is when the attacker is trying to access a vulnerable .php file of the extension over the web. By default, the .htaccess Maker's Frontend and Backend Protection features block these attacks. You'd have to manually allow these files to be accessed, using the exceptions in the .htaccess Maker configuration. If you have not done that; or if you have done that BUT also keep everything up to date: you are perfectly safe.

Moreover, the Frontend and Backend Protection features in Admin Tools prevent direct access to non-code resources which can be used to identify vulnerable versions of extensions. This means that the extensions' XML manifest files and their INI language strings are not accessible over the web. As a result most attacks are abandoned at the discovery stage. If the attacker tries to "spray shoot" you (run the attacks regardless of whether the discovery stage tells them you have a vulnerable version of the extension installed) then you are still protected by Admin Tools as explained above.

So, as long as you keep all features enabled, are aware of the holes you are punching through the firewall with exemptions (in .htaccess Maker, in Web Application Firewall, with the IP White List and with the WAF Exceptions features) and keep everything reasonably up-to-date you are safe. Remember that hacking is not magic. It's not like the movies where a white, black hoodie-donning kid on a laptop in a basement hacks the Pentagon in 10 seconds flat with a semi-excited, semi-bored expression on his face. In the real world people are prodding your site for potential bugs and security issues and try to worm their way through your defenses. As long as you apply security best practices such as keeping everything up to date, using very long random passwords managed by a secure password manager and keep the attack surface small by using security tools you are pretty safe. You are making the real world hacker's job much more difficult and it's all too likely that they'll stop bothering with your high-cost-to-penetrate, low-potential-profit target for someone with much less protection and security issues ripe for exploitation.